Werk #19198: Fix privilege escalation via mk_mysql plugin on Windows
| Component | Checks & agents | ||||
| Title | Fix privilege escalation via mk_mysql plugin on Windows | ||||
| Date | Apr 24, 2026 | ||||
| Level | Trivial Change | ||||
| Class | Security Fix | ||||
| Compatibility | Compatible - no manual interaction needed | ||||
| Checkmk versions & editions |
|
The mk_mysql agent plugin on Windows discovers MySQL and MariaDB instances by
querying Windows services whose names match "MySQL" or "MariaDB". It then
constructs and executes commands based on the service's binary path.
An unprivileged local user who is able to create a Windows service with "MySQL" in its name — or compromise an existing one — and who additionally has write access to the referenced binary paths, could leverage this to execute arbitrary code in the context of the Checkmk agent service, which typically runs as SYSTEM. This constitutes a local privilege escalation.
Affected Versions: * 2.4.0 * 2.3.0 * 2.2.0 (EOL)
Mitigations:
If updating is not possible, disable the mk_mysql plugin on affected Windows
hosts. Additionally, ensure that only administrators can create or modify Windows
services, and restrict write access to directories containing MySQL or MariaDB
binaries to privileged users only.
Vulnerability Management:
We have rated the issue with a CVSS Score of 5.2 Medium
(CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H) and
assigned CVE-2024-47091.