Cyber Resilience

CVE-2025-39666

Critical · LPE

Published: 07 April 2026

Modified: 14 April 2026
KEV Added: not listed
Patch: available
CVSS Score (v4): 9.3 (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0012 (2.2nd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-39666 is a critical-severity Untrusted Search Path (CWE-426) vulnerability in Checkmk (vendor: Checkmk). Its CVSS v4 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 2.2nd percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-5 (Access Restrictions for Change).

Deeper analysis

CVE-2025-39666 is a local privilege escalation vulnerability affecting Checkmk versions 2.2.0 (end-of-life), 2.3.0 prior to 2.3.0p46, 2.4.0 prior to 2.4.0p25, and 2.5.0 (beta) prior to 2.5.0b3. It stems from CWE-426 (Untrusted Search Path) and CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), enabling a site user to manipulate files within the site context. These files are subsequently processed by the `omd` administrative command executed with root privileges, allowing unauthorized escalation.

An attacker with local access and low privileges (PR:L), such as a site user, can exploit this vulnerability with low attack complexity (AC:L), but user interaction is required (UI:R). Successful exploitation grants root-level access (C:H/I:H/A:H), as reflected in the CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). No remote access is involved, so the attack surface is limited to accounts that already have local access to the site, including compromised ones.

The Checkmk advisory at https://checkmk.com/werk/18891 details mitigation through patching: upgrade to Checkmk 2.3.0p46 or later, 2.4.0p25 or later, or 2.5.0b3 or later for beta users. Checkmk 2.2.0 users should migrate off the EOL version, as no patches are available.
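The affected and fixed versions above are easy to misjudge by hand because Checkmk distinguishes beta builds (`2.5.0b3`), base releases (`2.3.0`) and patch releases (`2.3.0p46`) on the same branch. The following script, added here as an example and not code from Checkmk or from this page, triages a constructed host inventory against the ranges stated in the Deeper analysis. It assumes version strings follow the `MAJOR.MINOR.PATCH[p|b]N` shape of the strings quoted on the page, and orders builds within a branch as beta < base release < patch release.

```python
"""Triage a Checkmk inventory against the version ranges listed for CVE-2025-39666.

Added example (not Checkmk's code). Assumption: version strings look like the
ones quoted on the page, e.g. "2.3.0p46", "2.5.0b3", "2.4.0".
"""
import re

# First fixed build on each supported branch, as summarised on this page.
FIXED = {
    (2, 3, 0): ("p", 46),
    (2, 4, 0): ("p", 25),
    (2, 5, 0): ("b", 3),
}
# 2.2.0 is end-of-life: no fix exists, so every 2.2.0 build is treated as affected.
EOL = {(2, 2, 0)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:([pb])(\d+))?$")


def parse_version(text):
    """Split '2.4.0p25' into ((2, 4, 0), 'p', 25); a base release has kind None."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Checkmk version string: {text!r}")
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    kind = m.group(4)                       # 'b' beta, 'p' patch, None base release
    num = int(m.group(5)) if m.group(5) else 0
    return base, kind, num


def _rank(kind, num):
    """Order builds within one branch: betas < base release < patch releases."""
    order = {"b": 0, None: 1, "p": 2}
    return (order[kind], num)


def is_affected(text):
    """True if this build falls inside the affected ranges named on the page."""
    base, kind, num = parse_version(text)
    if base in EOL:
        return True
    fixed = FIXED.get(base)
    if fixed is None:
        return False                        # branch not named as affected here
    return _rank(kind, num) < _rank(*fixed)


def remediation(text):
    """The action the advisory summary prescribes for an affected build."""
    base, _, _ = parse_version(text)
    if base in EOL:
        return "migrate off end-of-life 2.2.0"
    if base in FIXED:
        kind, num = FIXED[base]
        return f"upgrade to {base[0]}.{base[1]}.{base[2]}{kind}{num} or later"
    return "no action for this CVE"


def triage(inventory):
    """inventory: iterable of (hostname, version). Returns affected hosts with actions."""
    return [(host, version, remediation(version))
            for host, version in inventory if is_affected(version)]


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("mon-01.example", "2.3.0p45"),
    ("mon-02.example", "2.3.0p46"),
    ("mon-03.example", "2.4.0p24"),
    ("mon-04.example", "2.5.0b2"),
    ("mon-05.example", "2.2.0p40"),
    ("mon-06.example", "2.6.0"),
]

if __name__ == "__main__":
    for host, version, action in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} affected; {action}")
```

Feed it the output of `omd version` (or whatever your inventory tool records) per host; a branch the page does not list, such as the 2.6.0 entry in the sample, is reported as not affected by this CVE rather than guessed at.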

Vulnerability details

Local privilege escalation in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows a site user to escalate their privileges to root, by manipulating files in the site context that are processed when the `omd` administrative command is run by root.

CWE(s)

CWE-426 Untrusted Search Path
CWE-829 Inclusion of Functionality from Untrusted Control Sphere

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1068 · Exploitation for Privilege Escalation · tactic: Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1574.008 · Path Interception by Search Order Hijacking · Stealth
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.

Why these techniques?

A local untrusted search path (CWE-426) in the root-run `omd` command directly enables privilege escalation: files that a low-privileged site user can manipulate are picked up by the command's search order and processed as root.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24096 (same product: Checkmk)
CVE-2026-33456 (same product: Checkmk)
CVE-2025-1075 (same product: Checkmk)
CVE-2025-0145 (shared CWE-426)
CVE-2025-24789 (shared CWE-426)
CVE-2025-21399 (shared CWE-426)
CVE-2026-3780 (shared CWE-426)
CVE-2026-25926 (shared CWE-426)
CVE-2026-30906 (shared CWE-426)
CVE-2022-4987 (shared CWE-426)

Affected Assets

Vendor: checkmk
Product: checkmk
Versions: 2.2.0, 2.3.0, 2.4.0, 2.5.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

Control type: prevent

Directly mitigates the privilege escalation by requiring timely patching of vulnerable Checkmk versions to versions in which manipulated site files no longer lead to root escalation.

Control type: prevent · AC-6 (Least Privilege)

Enforces least privilege so that site users do not have write access to the files in the site context that the root-privileged `omd` command processes.

Control type: prevent · CM-5 (Access Restrictions for Change)

Restricts changes to files within the site context that are processed by administrative root commands, preventing manipulation by low-privileged users.
