A critical-severity security vulnerability has been identified in the Checkmk monitoring platform, potentially allowing local users to seize full control of the host system. The flaw, tracked as CVE-2025-39666 with a CVSS score of 9.3, involves a local privilege escalation that occurs when administrative commands are executed with root privileges.
The vulnerability centers on the omd (Open Monitoring Distribution) command, a core utility used to manage Checkmk sites. According to the advisory, “A user who already has access to modify the site context can place a malicious payload”.
The danger arises when a system administrator or an automated process executes the omd command as the root user. In this scenario, “that payload is executed with root privileges, allowing the site user to become root”. This escalation is particularly insidious because it can be “triggered automatically by standard system operations such as post update triggers”.
Organizations using Checkmk are encouraged to verify the status of their installations immediately. The vulnerability impacts any site where a user has the ability to modify the site context. Notably, the advisory points out that “Calling omd inside the site context is safe, as there is no path for the site user to escalate to root from within it”.
Administrators can verify if their version is patched by checking for a specific security flag. A simple script can be used to check the default system-wide omd command:
The Checkmk team has issued a warning: “Do not use omd as root user to interact with your site until you have installed a patched version of Checkmk”.
Immediate Actions for Administrators:
- Install the Update: Installing the latest package automatically sets the patched omd as the default system command.
- Update All Sites: Because omd always uses the version specified in the site directory, “you must update all sites and completely remove the vulnerable packages from your system in order to patch this vulnerability”.
- Safe Update Procedure: Stop the site first using sudo omd stop, then perform the update with sudo omd update <site name>.
If you need to restore a site from a backup while still on a vulnerable version, it is safer to “create the site and restore it from within the site context” as a regular site user rather than as root. By following these steps, administrators can effectively close the privilege escalation path and ensure their monitoring infrastructure remains secure.
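The following shell script is an added example written for this article; it is not code from the Checkmk project or the advisory. It turns the advisory's guidance into two small pieces a defender can drop into their own automation: a guard that refuses to run omd as root on a host that has not yet been patched (while still allowing calls from inside the site context, which the advisory describes as safe), and the stop-then-update sequence for one site. It assumes OMD_CMD names the omd binary (defaulting to omd), that a non-empty OMD_PATCHED variable is how the operator records that the patched package is installed (a hypothetical convention, since the advisory's actual version flag is not reproduced here), and that OMD_SITE is set in a site user's shell, as Checkmk does.

```shell
#!/bin/sh
# Added example, not Checkmk project code. Guards bare `omd` calls in cron
# jobs and scripts and encodes the advisory's stop-then-update procedure.
# Assumptions: OMD_CMD is the system-wide omd (default "omd"); OMD_PATCHED
# is a hypothetical operator-set marker meaning "patched package installed";
# OMD_SITE is the variable present in a Checkmk site shell.

OMD_CMD="${OMD_CMD:-omd}"

# omd_call_context UID SITEVAR -> prints "root", "site" or "other".
# Root always wins: a root shell is the dangerous context regardless of env.
omd_call_context() {
  if [ "$1" -eq 0 ]; then
    echo root
  elif [ -n "$2" ]; then
    echo site
  else
    echo other
  fi
}

# omd_guard UID SITEVAR PATCHED -> 0 when the omd call may proceed, 1 otherwise.
omd_guard() {
  ctx=$(omd_call_context "$1" "$2")
  case "$ctx" in
    site) return 0 ;;                          # advisory: no path to root from inside the site
    root) [ -n "$3" ] && return 0; return 1 ;; # root only once the patched package is in place
    *)    return 1 ;;                          # unprivileged user outside any site: nothing to do
  esac
}

# safe_update_site SITE: stop the site first, then update it; abort if stop fails.
safe_update_site() {
  site="$1"
  "$OMD_CMD" stop "$site" || return 1
  "$OMD_CMD" update "$site"
}

# guarded_omd ARGS...: use in place of a bare `omd` in scripts run as root.
guarded_omd() {
  omd_guard "$(id -u)" "${OMD_SITE:-}" "${OMD_PATCHED:-}" || {
    echo "refusing to run omd as root on an unpatched host" >&2
    return 1
  }
  "$OMD_CMD" "$@"
}

# Usage (after installing the patched package): OMD_PATCHED=1 guarded_omd stop mysite
```

The guard is deliberately conservative: it treats any root invocation on an unpatched host as unsafe even if the environment happens to carry OMD_SITE, because the advisory's risk is the root execution itself, not the variable. Once all sites and packages are updated, the wrapper adds nothing and can be removed.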