Werk #18207: Fix security vulnerability in win_license.bat plugin
| Component | Agent bakery |
|---|---|
| Title | Fix security vulnerability in win_license.bat plugin |
| Date | Aug 21, 2025 |
| Level | Trivial Change |
| Class | Security Fix |
| Compatibility | Compatible - no manual interaction needed |
| Checkmk versions & editions | |
On Windows hosts, the win_license.bat plugin forces English output by copying the slmgr.vbs script
to another location before running it (the copied script can no longer find its language files).
Because the script was copied to a global, unprotected location, every user on the host could edit the copy.
This can be exploited for malicious intent.
To eliminate this vulnerability, slmgr.vbs is now copied to the protected location
%SystemDrive%\ProgramData\checkmk\agent\tmp and is deleted afterwards.
Note: Only users who use the Windows License plug-in are affected by this issue.
We thank Lisa Gnedt (SBA Research) for reporting this issue.
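The fix described above comes down to staging the copied script only in a directory that low-privileged users cannot write to, and removing it as soon as it has run. The following PowerShell script is an added illustration of that pattern, not Checkmk's own plugin code: it audits the ACL of the staging directory (the protected tmp directory named in this werk is assumed as the path) before copying slmgr.vbs there, runs the copy, and cleans up even if the run fails; the `/dlv` switch is an assumed example invocation.

```powershell
# Added example, not code from the Checkmk agent. Stages slmgr.vbs in a
# protected directory, refusing to proceed if low-privileged users can write
# to that directory (which would let them replace the script before it runs).
$ErrorActionPreference = 'Stop'
# Assumed staging path: the protected agent tmp directory named in the werk.
$tmpDir = Join-Path $env:SystemDrive 'ProgramData\checkmk\agent\tmp'
$src    = Join-Path $env:SystemRoot 'System32\slmgr.vbs'

function Test-WritableByLowPrivUsers {
    param([string]$Path)
    # Identities that every local or domain user is a member of.
    $broad = @('Everyone', 'BUILTIN\Users',
               'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    # Any of these rights lets a user replace or tamper with a staged script.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete
    $acl = Get-Acl -Path $Path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $rule.IdentityReference.Value) { continue }
        # -band on the enum catches explicit and inherited allow rules alike.
        if (($rule.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

if (-not (Test-Path -Path $tmpDir -PathType Container)) {
    throw "Protected staging directory not found: $tmpDir"
}
if (Test-WritableByLowPrivUsers -Path $tmpDir) {
    throw "Refusing to stage slmgr.vbs: $tmpDir is writable by low-privileged users"
}

$staged = Join-Path $tmpDir 'slmgr.vbs'
try {
    Copy-Item -Path $src -Destination $staged -Force
    # Run the copy from outside System32 so it cannot find its language files
    # and therefore prints English output. /dlv is an assumed example switch.
    & cscript.exe //Nologo $staged /dlv
} finally {
    # Remove the copy even if cscript failed, so no stale script is left behind.
    Remove-Item -Path $staged -Force -ErrorAction SilentlyContinue
}
```

Run it from an elevated session; the ACL check is the part worth reusing wherever a privileged job executes a file it copied into a shared directory.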
Affected Versions:
- 2.4.0
- 2.3.0
- 2.2.0
- 2.1.0 (EOL)
Mitigations:
If you cannot update, disable the Windows License plug-in.
Vulnerability Management:
We have rated the issue with a CVSS Score of 8.8 High (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) and assigned CVE-2025-32919.