CVE-2024-47091: CWE-427 Uncontrolled Search Path Element in Checkmk GmbH Checkmk
CVE-2024-47091 is a medium severity privilege escalation vulnerability in the mk_mysql agent plugin on Windows for Checkmk versions prior to 2. 4. 0p29 and 2. 3. 0p47, and in the end-of-life 2. 2. 0 version. It allows a local unprivileged user who can create or modify a Windows service named 'MySQL' or 'MariaDB', or write to a binary referenced by such a service, to execute arbitrary code with SYSTEM privileges via the Checkmk agent service. This vulnerability arises from an uncontrolled search path element (CWE-427). No official patch or remediation guidance is currently provided by the vendor, and no known exploits are reported in the wild.
AI Analysis
Technical Summary
CVE-2024-47091 is a vulnerability in Checkmk's mk_mysql agent plugin on Windows platforms that allows local privilege escalation. The issue occurs because the plugin improperly trusts Windows services named 'MySQL' or 'MariaDB' or binaries referenced by these services. A local unprivileged user with the ability to create such a service or modify the binary can execute arbitrary code in the context of the Checkmk agent service, which typically runs with SYSTEM privileges. This is classified as CWE-427 (Uncontrolled Search Path Element). The vulnerability affects Checkmk versions before 2.4.0p29, 2.3.0p47, and the EOL 2.2.0 version. The CVSS 4.0 base score is 5.2, indicating medium severity. No official patch or remediation level has been published by Checkmk GmbH as of the data provided.
Potential Impact
Successful exploitation allows a local unprivileged user to escalate privileges to SYSTEM by executing arbitrary code through the Checkmk agent service on affected Windows systems. This could lead to full control over the affected host. However, exploitation requires local access and the ability to create or modify specific Windows services or binaries, limiting the attack surface. There are no known exploits in the wild at this time.
Mitigation Recommendations
No official patch or remediation guidance is currently available from the vendor. Users should monitor Checkmk GmbH advisories for updates or patches addressing this vulnerability. As a precaution, restrict permissions to create or modify Windows services named 'MySQL' or 'MariaDB' and control write access to binaries referenced by such services to trusted administrators only. Avoid running vulnerable versions in environments where unprivileged users have local service creation rights.
CVE-2024-47091: CWE-427 Uncontrolled Search Path Element in Checkmk GmbH Checkmk
Description
CVE-2024-47091 is a medium severity privilege escalation vulnerability in the mk_mysql agent plugin on Windows for Checkmk versions prior to 2. 4. 0p29 and 2. 3. 0p47, and in the end-of-life 2. 2. 0 version. It allows a local unprivileged user who can create or modify a Windows service named 'MySQL' or 'MariaDB', or write to a binary referenced by such a service, to execute arbitrary code with SYSTEM privileges via the Checkmk agent service. This vulnerability arises from an uncontrolled search path element (CWE-427). No official patch or remediation guidance is currently provided by the vendor, and no known exploits are reported in the wild.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-47091 is a vulnerability in Checkmk's mk_mysql agent plugin on Windows platforms that allows local privilege escalation. The issue occurs because the plugin improperly trusts Windows services named 'MySQL' or 'MariaDB' or binaries referenced by these services. A local unprivileged user with the ability to create such a service or modify the binary can execute arbitrary code in the context of the Checkmk agent service, which typically runs with SYSTEM privileges. This is classified as CWE-427 (Uncontrolled Search Path Element). The vulnerability affects Checkmk versions before 2.4.0p29, 2.3.0p47, and the EOL 2.2.0 version. The CVSS 4.0 base score is 5.2, indicating medium severity. No official patch or remediation level has been published by Checkmk GmbH as of the data provided.
Potential Impact
Successful exploitation allows a local unprivileged user to escalate privileges to SYSTEM by executing arbitrary code through the Checkmk agent service on affected Windows systems. This could lead to full control over the affected host. However, exploitation requires local access and the ability to create or modify specific Windows services or binaries, limiting the attack surface. There are no known exploits in the wild at this time.
Mitigation Recommendations
No official patch or remediation guidance is currently available from the vendor. Users should monitor Checkmk GmbH advisories for updates or patches addressing this vulnerability. As a precaution, restrict permissions to create or modify Windows services named 'MySQL' or 'MariaDB' and control write access to binaries referenced by such services to trusted administrators only. Avoid running vulnerable versions in environments where unprivileged users have local service creation rights.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Checkmk
- Date Reserved
- 2024-09-18T11:38:53.583Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a04429dcbff5d8610a52d89
Added to database: 5/13/2026, 9:21:33 AM
Last enriched: 5/13/2026, 9:36:53 AM
Last updated: 5/13/2026, 10:32:14 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.