Security Experts:

Connect with us

Hi, what are you looking for?


Supply Chain Security

Checkmk Vulnerabilities Can Be Chained for Remote Code Execution

Researchers at code security firm Sonar Source have shared details on multiple Checkmk vulnerabilities that could be chained together to execute code remotely, without authentication.

Researchers at code security firm Sonar Source have shared details on multiple Checkmk vulnerabilities that could be chained together to execute code remotely, without authentication.

Written in Python and C++, Checkmk is an IT Infrastructure monitoring solution that allows organizations to monitor servers, containers, cloud infrastructure, networks, databases, and other assets using a single web interface.

“According to the vendor’s website, more than 2,000 customers rely on Checkmk. Due to its purpose, Checkmk is a central component usually deployed at a privileged position in a company’s network. This makes it a high-profile target for threat actors,” Sonar Source notes.

The company has identified four vulnerabilities in Checkmk and its NagVis integration, including two with a ‘critical’ severity rating (CVSS score of 9.1).

These security defects, Sonar Source warns, “can be chained together by an unauthenticated, remote attacker to fully take over the server running a vulnerable version of Checkmk.”

The first of the issues is described as a code injection vulnerability in the watolib component, which existed because user data entered in Wato was improperly sanitized when writing to the PHP file.

“Prior to this Werk it was possible for authenticated users to inject PHP code in files generated by Wato for NagVis integration. The code would be executed once a request to the respective NagVis component is made,” Checkmk explains.

The second critical-severity flaw is described as an arbitrary file read impacting NagVis, the component responsible for creating network maps.

“An authenticated attacker can read arbitrary files with the permissions of the web server user,” Checkmk notes in its advisory.

The two other vulnerabilities, both rated ‘medium severity’, are a line feed injection and a limited server-side request forgery (SSRF) issue.

“Some of the identified vulnerabilities have limited practical impact on their own. However, a malicious attacker can chain them together to achieve remote code execution,” Sonar Source underlines.

The code analysis firm explains that the exploitation chain would start with the unauthenticated attacker exploiting the SSRF to access an endpoint reachable from the localhost only and which is vulnerable to the line feed injection.

By forging arbitrary LQL queries – which Checkmk uses to fetch data from the monitoring core – the attacker can then delete arbitrary files, which could allow them to bypass existing authentication mechanisms and access NagVis.

With access to NagVis, the attacker could exploit the arbitrary file read to access a special Checkmk configuration file and gain access to the Checkmk GUI, and then exploit the code injection in watolib to achieve remote code execution (RCE).

Sonar Source reported the vulnerabilities to Checkmk on August 22, which patched them within a week.

Related: Critical Packagist Vulnerability Opened Door for PHP Supply Chain Attack

Related: VMware Patches Critical Vulnerability in End-of-Life Product

Related: Anxiously Awaited OpenSSL Vulnerability’s Severity Downgraded From Critical to High

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.