CVE-2024-47091 Overview
CVE-2024-47091 is a local privilege escalation vulnerability in the mk_mysql agent plugin shipped with Checkmk on Windows. The flaw affects Checkmk versions earlier than 2.4.0p29, earlier than 2.3.0p47, and the end-of-life 2.2.0 branch. A local unprivileged user who can create a Windows service whose name matches MySQL or MariaDB, or who has write access to a binary referenced by such a service, can execute arbitrary code in the context of the Checkmk agent service. The Checkmk agent typically runs as SYSTEM, so a successful attack yields full local control. The weakness is tracked under CWE-427 (Uncontrolled Search Path Element).
Critical Impact
Local users can elevate to SYSTEM privileges by abusing how the mk_mysql plugin resolves and invokes MySQL or MariaDB service binaries on Windows hosts running the Checkmk agent.
Affected Products
- Checkmk versions earlier than 2.4.0p29
- Checkmk versions earlier than 2.3.0p47
- Checkmk 2.2.0 (End of Life)
Discovery Timeline
- 2026-05-13 - CVE-2024-47091 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2024-47091
Vulnerability Analysis
The mk_mysql agent plugin on Windows queries the local service control manager to discover MySQL and MariaDB instances, then invokes binaries associated with services whose names match the patterns MySQL or MariaDB. The plugin trusts the service registration and the binary path it returns, executing that binary within the Checkmk agent process context. Because the Checkmk agent service runs as SYSTEM, any code invoked through this path inherits the highest local privilege level. A standard user who can register Windows services, or who can modify a binary referenced by an existing matching service, can hijack the execution flow. The behavior maps to CWE-427 (uncontrolled search path element), where trust in attacker-influenced service metadata leads to elevation.
Root Cause
The plugin enumerates services by name pattern and executes their associated binaries without validating the integrity, signature, or trust level of the resolved target. Service registration and binary write access decisions are governed by local Windows permissions that may permit non-administrative users in specific configurations. The plugin assumes only privileged software registers MySQL or MariaDB services, an assumption that breaks in shared or misconfigured environments.
Attack Vector
An attacker with local access registers a Windows service named to match MySQL or MariaDB, pointing its ImagePath to an attacker-controlled binary. Alternatively, the attacker overwrites a binary already referenced by such a service when filesystem permissions allow. On the next mk_mysql plugin invocation by the Checkmk agent, the malicious binary executes as SYSTEM. The attacker gains arbitrary code execution with the highest local privileges, enabling credential theft, persistence, and lateral movement.
No verified public exploit code is available. Refer to the Checkmk Werk 19198 advisory for vendor technical details.
Detection Methods for CVE-2024-47091
Indicators of Compromise
- Creation of new Windows services with display or service names containing MySQL or MariaDB on hosts that do not legitimately run those database engines.
- Modification of binaries referenced in the ImagePath registry value of existing MySQL or MariaDB services by non-administrative accounts.
- Child processes spawned by the Checkmk agent service (check_mk_agent.exe) that do not match the expected plugin set.
Detection Strategies
- Monitor Windows Event ID 7045 (service installed, System log, source Service Control Manager) and 4697 (service installation, Security log, requires the "Audit Security System Extension" policy) for service names matching the MySQL or MariaDB patterns.
- Audit registry writes to HKLM\SYSTEM\CurrentControlSet\Services\*\ImagePath where the service name matches the vulnerable patterns.
- Correlate Checkmk agent plugin executions with the source binary path and verify the binary signature against expected MySQL or MariaDB vendor signatures.
Monitoring Recommendations
- Establish a baseline of legitimate MySQL and MariaDB service installations across the fleet and alert on deviations.
- Track file integrity on binaries referenced by MySQL or MariaDB services, flagging any write by non-administrative principals.
- Review Checkmk agent plugin execution logs for unexpected binary paths and unusual process lineage from SYSTEM-context processes.
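The checks above (signature of the referenced binary, write access by non-administrative principals, recent 7045 service installations) combined into one audit script, as an added example that is not Checkmk's own code. It assumes an elevated PowerShell session and that SYSTEM, BUILTIN\Administrators and TrustedInstaller are the only principals expected to hold write rights on the service binary.

```powershell
# Added example (not part of Checkmk): audit services whose name matches the
# patterns mk_mysql trusts and report weak signals around each resolved binary.
$pattern = 'MySQL|MariaDB'
# Assumption: these are the only principals that may legitimately write the binary
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

function Get-ImageExecutable {
    # Extract the executable from a service PathName such as
    #   "C:\Program Files\MySQL\bin\mysqld.exe" --defaults-file=C:\my.ini
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }   # quoted path
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }  # unquoted path
    return $PathName.Split(' ')[0]
}

$services = Get-CimInstance Win32_Service |
    Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern }

foreach ($svc in $services) {
    $exe = Get-ImageExecutable $svc.PathName
    $findings = @()
    if (-not (Test-Path -LiteralPath $exe)) {
        $findings += 'binary missing'
    } else {
        # Vendor binaries are expected to carry a valid Authenticode signature
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $findings += "signature $($sig.Status)" }
        # Any non-trusted principal with write rights could replace the binary
        $acl = Get-Acl -LiteralPath $exe
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                ($ace.FileSystemRights -band $writeMask) -and
                $trusted -notcontains $ace.IdentityReference.Value) {
                $findings += "writable by $($ace.IdentityReference.Value)"
            }
        }
    }
    [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName
                       Image = $exe; Findings = ($findings -join '; ') }
}

# Service installations in the last 7 days (Event ID 7045) matching the same pattern;
# for 7045, Properties[0] is the service name and Properties[1] the image path
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated,
        @{ n = 'ServiceName'; e = { $_.Properties[0].Value } },
        @{ n = 'ImagePath';   e = { $_.Properties[1].Value } }
```

Run it across the fleet and compare the output against the baseline of legitimate MySQL and MariaDB installations; any service with a non-empty Findings column or a 7045 event on a host that should not run those engines warrants investigation.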
How to Mitigate CVE-2024-47091
Immediate Actions Required
- Upgrade Checkmk to 2.4.0p29, 2.3.0p47, or a later patched release on all Windows hosts running the agent.
- Decommission Checkmk 2.2.0 deployments because the branch has reached End of Life and will not receive a fix.
- Audit Windows hosts for unauthorized services matching the MySQL or MariaDB name patterns and remove any that are not legitimate.
Patch Information
Checkmk has released fixed builds documented in Checkmk Werk 19198. Apply the patched agent package to every Windows host monitored by Checkmk. Verify the agent version after deployment using check_mk_agent.exe --version to confirm the upgrade took effect.
Workarounds
- Disable the mk_mysql plugin on Windows hosts that do not run MySQL or MariaDB until the patched agent is deployed.
- Restrict the ability to create or modify Windows services to administrative accounts only by reviewing the local SeCreateServicePrivilege assignment and service security descriptors.
- Apply strict NTFS access control lists to MySQL and MariaDB binary directories so non-administrative users cannot overwrite referenced executables.
REM Configuration example: remove the mk_mysql plugin from a Windows Checkmk agent install
REM Run from an elevated command prompt; plugins live under the agent's ProgramData directory
if exist "C:\ProgramData\checkmk\agent\plugins\mk_mysql.vbs" del "C:\ProgramData\checkmk\agent\plugins\mk_mysql.vbs"
if exist "C:\ProgramData\checkmk\agent\plugins\mk_mysql.ps1" del "C:\ProgramData\checkmk\agent\plugins\mk_mysql.ps1"
REM Confirm the agent service is present, then restart it so the plugin list is reloaded
sc query CheckmkService
REM net stop waits for the service to finish stopping, unlike sc stop, which returns immediately
net stop CheckmkService
net start CheckmkService
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.