Critical Security Fix for Checkmk Appliances

Dear Checkmk Community,

We would like to inform you that there was a critical security vulnerability that was recently identified in the Checkmk Appliance.

The vulnerability affects all releases of the Checkmk Appliance before 1.4.17 and all models (rack, virt).

An unauthenticated attacker would be able to retrieve the device secret from the web configuration interface of the appliance and could bypass the authentication. This vulnerability has been rated as severity rating Critical (10.0), according to the scale published on the Common Vulnerability Scoring System (CVSS).

The vulnerability was identified during an internal security audit. Once we became aware of the issue, we took immediate action to investigate the matter and published the release 1.4.17 to fix the issue.

In order to fix the vulnerability in your environment, we highly recommend to update your Checkmk appliance installations to 1.4.17 or newer.

Details can be found here: SEC: Fix web configuration authentication bypass

The version can be downloaded here: Download Checkmk for free | Checkmk

So far we do not have any evidence to suggest that this vulnerability was used for attacking a productive system. If you think your system may have been compromised, please contact us immediately.

We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you and our other customers. If you have any questions, please feel free to contact us using your support contact.

Best regards,
Faye, on behalf of the tribe29 team


Customer questions: Will the new firmware still be able to run 1.6 sites?

Yes, 1.6 sites should work just fine.

1 Like


if you run checkmk Version 1.6 you need to downgrade the agent version in the firmware 1.4.17 to 1.6


1 Like