Skip to main content
CVE Vulnerability Database

CVE-2024-8606: Checkmk 2FA Bypass Vulnerability

CVE-2024-8606 is a two-factor authentication bypass flaw in Checkmk RestAPI that allows authenticated users to circumvent 2FA security. This article covers technical details, affected versions, and mitigation strategies.

Published:

CVE-2024-8606 Overview

CVE-2024-8606 is an authorization vulnerability in the Checkmk REST API. The flaw allows authenticated users to bypass two-factor authentication (2FA) enforcement when interacting with the REST API. Checkmk is a widely deployed IT infrastructure monitoring platform used to observe servers, networks, applications, and cloud workloads.

The vulnerability affects Checkmk versions earlier than 2.3.0p16 and earlier than 2.2.0p34. It is classified under [CWE-863: Incorrect Authorization]. The vendor published remediation in Checkmk Werk #16218.

Critical Impact

An authenticated user can bypass the second authentication factor when calling REST API endpoints, defeating 2FA controls that protect privileged monitoring operations and sensitive infrastructure data.

Affected Products

  • Checkmk versions 2.3.0 through 2.3.0p15
  • Checkmk versions 2.2.0 through 2.2.0p33
  • Earlier supported Checkmk 2.x branches that include the REST API

Discovery Timeline

  • 2024-09-23 - CVE CVE-2024-8606 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-8606

Vulnerability Analysis

The vulnerability resides in the authentication and authorization flow of the Checkmk REST API. When 2FA is enabled for a user, the web UI enforces a second-factor challenge after primary credential validation. The REST API authentication path did not enforce the same 2FA gate. An authenticated user with valid primary credentials could issue REST API requests and access protected functionality without ever completing the second factor.

The issue is an authorization decision flaw rather than a credential compromise. The API accepts the session or credential as fully authenticated despite the user having an unsatisfied 2FA requirement. This collapses defense-in-depth, because operators who require step-up authentication for administrative actions can be impersonated using only a stolen password, leaked API token, or phished primary credential.

Exploitation requires network reachability to the Checkmk REST API endpoint and a valid set of primary credentials for an account where 2FA was assumed to be enforcing additional assurance.

Root Cause

The REST API authentication layer did not consult the same 2FA enforcement logic as the web UI. The 2FA verification step was effectively missing from the REST API request authorization path, so the API treated primary authentication as sufficient. This is a classic [CWE-863] incorrect authorization condition where one interface enforces a security control and a parallel interface does not.

Attack Vector

An attacker who has obtained primary credentials for a Checkmk account, through phishing, password reuse, or credential stuffing, sends authenticated requests directly to the REST API. The API processes the requests using the account's privileges and skips the 2FA challenge that the web UI would have required. The attacker can then enumerate hosts, read monitoring data, alter configuration, or perform actions normally gated by step-up authentication. Refer to Checkmk Werk #16218 for vendor technical details.

Detection Methods for CVE-2024-8606

Indicators of Compromise

  • REST API requests to /check_mk/api/ endpoints from accounts that have 2FA enabled but no corresponding 2FA challenge events in the web UI logs.
  • Unusual source IP addresses or user agents issuing authenticated REST API calls for accounts that normally only operate through the browser.
  • Configuration changes, user management actions, or bulk data exports performed through the REST API outside of expected automation windows.

Detection Strategies

  • Correlate REST API authentication events with 2FA challenge events per user and alert when API access occurs without a recent successful second-factor verification.
  • Baseline expected REST API consumers (automation accounts, CI systems) and flag REST API activity by interactive user accounts.
  • Monitor Checkmk audit logs for privileged actions originating from the REST API and compare against expected human or automation behavior.

Monitoring Recommendations

  • Forward Checkmk application, audit, and web server logs to a central analytics platform for correlation with identity provider logs.
  • Alert on first-time REST API usage per user account, especially for administrative roles.
  • Track failed primary authentication followed by successful REST API access from the same source as a credential-stuffing signal.

How to Mitigate CVE-2024-8606

Immediate Actions Required

  • Upgrade Checkmk to 2.3.0p16 or later on the 2.3 branch, or to 2.2.0p34 or later on the 2.2 branch, as described in Checkmk Werk #16218.
  • Rotate passwords and automation tokens for any account where 2FA was assumed to be enforced, particularly administrative and operator roles.
  • Review REST API access logs since the affected versions were deployed and investigate any anomalous activity.

Patch Information

Checkmk addressed the issue by enforcing 2FA in the REST API authentication path so that the same step-up requirement applied to the web UI now applies to API requests. Fixed releases are Checkmk 2.3.0p16 and 2.2.0p34. Patch and advisory details are published in Checkmk Werk #16218.

Workarounds

  • Restrict network access to the Checkmk REST API to trusted management subnets or VPN ranges until patching is complete.
  • Enforce strong, unique passwords for all Checkmk accounts and disable or restrict accounts that do not require REST API access.
  • Where feasible, terminate the Checkmk site behind a reverse proxy that applies an additional authentication layer, such as mutual TLS or an identity-aware proxy.
bash
# Verify the running Checkmk version on a site
omd version

# Example upgrade path for an OMD site (run as root)
omd stop mysite
omd update mysite
omd start mysite

# Confirm the site is on a fixed version (2.3.0p16+ or 2.2.0p34+)
omd version mysite

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.