Cyber Posture

CVE-2025-39666

Severity: High · Type: LPE (local privilege escalation)

Published: 07 April 2026
Modified: 14 April 2026
KEV Added:
Patch:
CVSS Score: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (2.7th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-39666 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Checkmk (vendor: Checkmk). Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). By EPSS it is ranked at the 2.7th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-5 (Access Restrictions for Change).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and one other technique (T1574.008). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly mitigates the privilege escalation by requiring timely patching of vulnerable Checkmk versions to versions in which manipulated site files no longer lead to root escalation.
- prevent (AC-6, Least Privilege): Enforces least privilege so that site users do not have write access to files in the site context that are processed by the root-privileged `omd` command.
- prevent (CM-5, Access Restrictions for Change): Restricts changes to files within the site context that are processed by administrative root commands, preventing manipulation by low-privileged users.

MITRE ATT&CK Enterprise Techniques

- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1574.008 Path Interception by Search Order Hijacking (Stealth): Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.

Why these techniques?

The local untrusted search path (CWE-426) in the root-run `omd` command directly enables privilege escalation through search-order hijacking of files that a low-privileged site user can manipulate.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Local privilege escalation in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows a site user to escalate their privileges to root, by manipulating files in the site context that are processed when the `omd` administrative command is run by root.

Deeper analysis

CVE-2025-39666 is a local privilege escalation vulnerability affecting Checkmk versions 2.2.0 (end-of-life), 2.3.0 prior to 2.3.0p46, 2.4.0 prior to 2.4.0p25, and 2.5.0 (beta) prior to 2.5.0b3. It stems from CWE-426 (Untrusted Search Path) and CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), enabling a site user to manipulate files within the site context. These files are subsequently processed by the `omd` administrative command executed with root privileges, allowing unauthorized escalation.

An attacker with local access and low privileges (PR:L), such as a site user, can exploit this vulnerability with low attack complexity (AC:L), but exploitation requires user interaction (UI:R): a root user must run `omd` against the manipulated site. Successful exploitation grants root-level access (C:H/I:H/A:H), as reflected in the CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). No remote access is needed, which limits the attack surface to compromised local accounts.

The Checkmk advisory at https://checkmk.com/werk/18891 details mitigation through patching: upgrade to Checkmk 2.3.0p46 or later, 2.4.0p25 or later, or 2.5.0b3 or later for beta users. Checkmk 2.2.0 users should migrate off the EOL version, as no patches are available.
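The analysis above describes the bug class rather than a specific file: a root-run command consumes files from a location that a lower-privileged user can write to. The corresponding defender's check, which is what the AC-6 and CM-5 controls amount to in practice, is an ownership and permission audit of that location before a privileged process trusts it. The Python script below is an added example written for this page; it is not Checkmk's code, not a reproduction of werk 18891, and the directory names, file names and permission bits it builds (`etc/site.conf`, `bin/pre-start.sh`, `hooks/`) are constructed for the demonstration and are not Checkmk's actual site layout.

```python
"""Audit a directory tree that a root-run tool will read for entries a
lower-privileged user could alter first (CWE-426, untrusted search path).

Added example for this page. The tree built by build_demo_tree() is a
constructed stand-in, not Checkmk's real site layout.
"""
import os
import stat
import tempfile
from pathlib import Path

# Only root-owned entries are trusted by default: a privileged command
# should not read files owned by the unprivileged user it serves.
TRUSTED_OWNERS = frozenset({0})


def audit_tree(root, trusted_owners=TRUSTED_OWNERS):
    """Walk `root` without following symlinks and return a sorted list of
    (relative_path, reason) for every entry an unprivileged user could
    tamper with: untrusted owner, group/world write bit, or a symlink
    that resolves to somewhere outside the tree."""
    root = Path(root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            rel = str(entry.relative_to(root))
            st = os.lstat(entry)          # lstat: judge the link itself
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                target = Path(os.path.realpath(entry))
                if target != root and root not in target.parents:
                    findings.append((rel, "symlink escapes tree -> %s" % target))
                continue
            if st.st_uid not in trusted_owners:
                findings.append((rel, "owned by uid %d, not a trusted owner" % st.st_uid))
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif mode & stat.S_IWGRP:
                findings.append((rel, "group-writable"))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed tree (assumed layout, not Checkmk's): a properly
    locked-down config file, a group-writable startup script, a
    world-writable hooks directory and a symlink pointing outside the tree."""
    base = Path(tempfile.mkdtemp(prefix="cwe426-demo-"))
    for sub in ("etc", "bin", "hooks"):
        (base / sub).mkdir()
        os.chmod(base / sub, 0o755)
    (base / "etc" / "site.conf").write_text("ok\n")
    os.chmod(base / "etc" / "site.conf", 0o644)           # clean
    (base / "bin" / "pre-start.sh").write_text("#!/bin/sh\necho start\n")
    os.chmod(base / "bin" / "pre-start.sh", 0o664)        # group-writable
    os.chmod(base / "hooks", 0o777)                       # world-writable
    os.symlink("/etc/passwd", base / "etc" / "users")     # escapes the tree
    return base


def demo():
    """Build the constructed tree and audit it. The current uid is passed as
    the trusted owner only so the demo judges permission bits and symlinks
    regardless of who runs it; a real audit keeps the root-only default."""
    return audit_tree(build_demo_tree(), trusted_owners={os.getuid()})


if __name__ == "__main__":
    for path, reason in demo():
        print("%-20s %s" % (path, reason))
```

Run as-is, the script builds the constructed tree in a temporary directory and lists the three entries that a root-run tool should not trust. Against a real site directory, call `audit_tree(path)` with the default trusted-owner set so that anything not owned by root, anything group- or world-writable, and any symlink leaving the tree is reported; each finding is a candidate for the least-privilege and change-restriction hardening described in the controls section, and the audit is cheap enough to run from the same cron job that checks for pending patches.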

Details

CWE(s): CWE-426 (Untrusted Search Path), CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)

Affected Products: checkmk / checkmk, versions 2.2.0, 2.3.0, 2.4.0, 2.5.0

CVEs Like This One

- CVE-2026-24096 (same product: Checkmk)
- CVE-2025-1075 (same product: Checkmk)
- CVE-2026-33456 (same product: Checkmk)
- CVE-2025-0145 (shared CWE-426)
- CVE-2025-24789 (shared CWE-426)
- CVE-2025-21399 (shared CWE-426)
- CVE-2026-3780 (shared CWE-426)
- CVE-2025-1068 (shared CWE-426)
- CVE-2026-35603 (shared CWE-426)
- CVE-2026-25926 (shared CWE-426)

References

- Checkmk werk 18891: https://checkmk.com/werk/18891