Upcoming Checkmk Security Release 2.4.0p13, 2.3.0p38 and 2.2.0p46

Dear community,

This is an announcement for an upcoming security release of Checkmk. Having
such a pre-announcement was requested especially by users in larger or
regulated environments, who need time to prepare updates and align with
other teams.

We are thus announcing the upcoming security release to help you estimate
how your setup is affected and to plan your patch roll-out.

On Thursday, October 9th, we will publish a patch release for all currently
supported versions of Checkmk: 2.2.0, 2.3.0 and 2.4.0. The patch will
contain fixes for three vulnerabilities, two of which have a high severity.
All editions of Checkmk are affected.

Further information about the vulnerabilities:

  • A vulnerability in a plugin for the Windows agent could allow
    low-privileged users on the Windows host to escalate privileges to Local
    System.
  • Authenticated users in Checkmk could be able to break the configuration
    of the site, causing a denial-of-service.
  • Under certain unlikely circumstances, sensitive information entered by
    the user could be leaked via the URL.

We greatly thank you for using Checkmk and wish you successful monitoring,

Your Checkmk Team


Is it possible to get the related CVE numbers to communicate with our regulated customers?

Hey Brian, this is more of a heads-up that there will be a security release, so that customers who have processes around updating critical software can plan ahead and block a slot for updating Checkmk on that day.
We only provide details on the day of the release on purpose.

Hello!
Have the security patches been included in 2.3.0p38?
I see nothing related in the change logs.

Yes, see here: Werks 2.3.0p38

Now also on Heise:

Have to see it positively. We are perceived to be relevant enough now that people talk about it :slight_smile:
We will still be as transparent as we have been in our history on any security topic.
I recommend our video on how we deal with security vulnerabilities: https://www.youtube.com/watch?v=SxWhx0-BJ3Y


Hi!
After updating, neither “Bake agents” nor “Sign and Bake agents” works:

Agent baking and signing for all hosts started...
2025-10-10 12:30:16,762 [40] [cmk.web.automations 1616464] Error running "{'command': 'bake-agents', 'args': []}" (exit code 2)
2025-10-10 12:30:16,765 [40] [cmk.web.background-job 1616464] Exception in background function (Crash ID: 1d06a260-a5c4-11f0-87fe-cb640636bb44)
Traceback (most recent call last):
  File "/omd/sites/main/lib/python3/cmk/gui/background_job/_process.py", line 186, in _execute_function
    target.callable(job_interface, target.args)
  File "/omd/sites/main/lib/python3/cmk/gui/cee/agent_bakery/bake_agents.py", line 151, in bake_agents_job_entry_point
    if output := bake_agents(
                 ^^^^^^^^^^^^
  File "/omd/sites/main/lib/python3/cmk/gui/watolib/check_mk_automations.py", line 560, in bake_agents
    _automation_serialized(
  File "/omd/sites/main/lib/python3/cmk/gui/watolib/check_mk_automations.py", line 61, in _automation_serialized
    cmdline, serialized_result = check_mk_local_automation_serialized(
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/omd/sites/main/lib/python3/cmk/gui/watolib/automations.py", line 158, in check_mk_local_automation_serialized
    raise MKAutomationException(msg)
cmk.gui.watolib.automations.MKAutomationException: Error running automation call <tt>bake-agents</tt> (exit code 2), error: <pre>[Errno 2] No such file or directory: '/omd/sites/main/var/check_mk/agents/windows_msi/packages/3d52a7c14bd9ddbf'
</pre>
Exception (Crash ID: 1d06a260-a5c4-11f0-87fe-cb640636bb44): Error running automation call <tt>bake-agents</tt> (exit code 2), error: <pre>[Errno 2] No such file or directory: '/omd/sites/main/var/check_mk/agents/windows_msi/packages/3d52a7c14bd9ddbf'
</pre>

In the directory, there is just the 3d52a7c14bd9ddbf.conf

I can send you the logfiles if needed.

Regards
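The traceback above fails because the bakery expects a package directory (`.../packages/3d52a7c14bd9ddbf`) next to its `3d52a7c14bd9ddbf.conf`, and only the `.conf` file is present. The following is an added example, not Checkmk's own tooling: a small POSIX shell function that lists every `*.conf` in a bakery packages directory that has no matching directory, so an administrator can see the inconsistency before starting a bake job. It assumes the layout visible in the error message (one `<hash>.conf` beside one `<hash>/` directory) and takes the directory path as an argument; the sample layout built in `demo_orphaned_packages` is constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of Checkmk): report bakery package configs whose
# package directory is missing. Layout assumption taken from the traceback:
#   .../var/check_mk/agents/windows_msi/packages/<hash>.conf
#   .../var/check_mk/agents/windows_msi/packages/<hash>/
find_orphaned_packages() {
    dir="$1"
    for conf in "$dir"/*.conf; do
        # Skip the literal glob when the directory holds no .conf files.
        [ -e "$conf" ] || continue
        base="${conf%.conf}"
        # A config without its directory is exactly what the bake job tripped over.
        [ -d "$base" ] || printf '%s\n' "$(basename "$base")"
    done
}

# Builds a constructed sample directory and runs the check against it.
# Returns the list of orphaned package hashes (one per line).
demo_orphaned_packages() {
    tmp=$(mktemp -d)
    # Constructed sample: "aaaa" is complete, "bbbb" has only its .conf file.
    mkdir "$tmp/aaaa"
    : > "$tmp/aaaa.conf"
    : > "$tmp/bbbb.conf"
    find_orphaned_packages "$tmp"
    rm -rf "$tmp"
}

# Real-world usage on a site named "main":
#   find_orphaned_packages /omd/sites/main/var/check_mk/agents/windows_msi/packages
```

Run as the site user so the packages directory is readable; an empty result means every `.conf` has its package directory and the error has a different cause.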

Hi justanothercompany,

As this is a core functionality, we verified this functionality successfully in QA with several installations and in different setups; it seems not to be a general issue with this patch.

We would like to investigate this further and need to know from which version to which version you updated; please upload the crash dump if possible.

If you have support, please use the support ticket for it, so we have more context about this case; otherwise I would ask you to open a new thread for that, as it seems not to be a general issue with the patch, though we want to investigate it further.

If it turns out that it's a more general issue, we would of course update all users in this thread as well.

Best regards,
Gregor from QA
