CVE-2025-64996 in Checkmk

Summary

by MITRE • 11/18/2025

In Checkmk versions prior to 2.4.0p16, 2.3.0p41, and all versions of 2.2.0 and older, the mk_inotify plugin creates world-readable and writable files, allowing any local user on the system to read the plugin's output and manipulate it, potentially leading to unauthorized access to or modification of monitoring data.

Analysis

by VulDB Data Team • 11/24/2025

CVE-2025-64996 affects Checkmk monitoring software in all 2.2.0 and older releases, in 2.3.0 releases before 2.3.0p41, and in 2.4.0 releases before 2.4.0p16. The issue stems from improper file permission handling in the mk_inotify plugin, the component responsible for monitoring file system changes. The plugin generates its output files with overly permissive access controls, which is a critical security weakness: any local user on the system can both read and write these files. The mk_inotify plugin is part of Checkmk's monitoring infrastructure and is designed to track file system events, making it a critical component for system observability. When it creates output files without proper access restrictions, it undermines the security model of the monitoring platform.

Technically, the mk_inotify plugin fails to set proper file permissions when it creates its output files. This creates a privilege escalation vector in which local users can access sensitive monitoring data that should remain restricted to authorized system administrators. Because the files are world-readable and world-writable, any user account on the system can inspect the plugin's output for potentially sensitive information about system file changes, and can then manipulate this data to deceive monitoring systems or hide malicious activities. The impact extends beyond data exposure: attackers can modify the monitoring data to create false positives or false negatives, potentially masking actual security incidents or raising false alarms that distract security teams from genuine threats.

From an operational security perspective, this vulnerability represents a significant risk to organizations relying on Checkmk for system monitoring and security operations. The exposure of monitoring data through compromised plugin files could lead to information disclosure of system file access patterns, user activities, and potentially sensitive configuration changes. This vulnerability directly aligns with CWE-732, which describes improper permission assignment, and can be categorized under ATT&CK technique T1070.006 for Indicator Removal on Host. The attack surface is particularly concerning because it affects the fundamental monitoring capabilities of the system, potentially allowing adversaries to establish persistence through manipulation of monitoring data or to hide their activities from detection mechanisms that rely on accurate file system monitoring.

Organizations should immediately upgrade to Checkmk versions 2.4.0p16, 2.3.0p41, or newer releases to remediate this vulnerability. System administrators should also conduct immediate audits of existing mk_inotify plugin output files to identify any potential compromise and verify proper file permissions have been restored. Additionally, implementing proper access control measures including mandatory access controls and regular security scanning of monitoring system components can help detect similar issues in other parts of the infrastructure. The vulnerability demonstrates the critical importance of proper file permission management in security-sensitive applications and highlights the need for comprehensive security testing of monitoring tools that operate with elevated privileges on systems.
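The permission audit recommended above can be scripted. The following is an added example, not code from Checkmk or from this advisory: it reports regular files that are readable or writable by "other" and shows an owner-only way to create an output file. The function names are hypothetical, and the directory to scan is an assumption supplied by the caller, because the advisory does not name the plugin's output path.

```python
import os
import stat
import tempfile

WORLD_BITS = stat.S_IROTH | stat.S_IWOTH  # o+r / o+w, the condition the advisory describes


def audit_world_access(root):
    """Return sorted (path, octal mode) for regular files under root with o+r or o+w."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow a symlink left in a shared directory
            if stat.S_ISREG(st.st_mode) and st.st_mode & WORLD_BITS:
                findings.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def write_private(path, data):
    """Create path owner-only (0600) whatever the umask is, then write data."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)  # O_EXCL: refuse a file someone else pre-created
    with os.fdopen(fd, "wb") as fh:
        os.fchmod(fh.fileno(), 0o600)  # umask can only clear bits; this pins the mode
        fh.write(data)


def demo():
    """Constructed sample: one permissive file and one owner-only file in a temp dir."""
    root = tempfile.mkdtemp(prefix="inotify_audit_")
    weak = os.path.join(root, "weak.out")
    with open(weak, "wb") as fh:
        fh.write(b"constructed sample\n")
    os.chmod(weak, 0o666)  # reproduces the world-readable and world-writable state
    write_private(os.path.join(root, "private.out"), b"constructed sample\n")
    return root, audit_world_access(root)


if __name__ == "__main__":
    for path, mode in demo()[1]:
        print(mode, path)
```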

Responsible: Checkmk

Reservation: 11/12/2025

Disclosure: 11/18/2025

Moderation: accepted

CPE: ready

EPSS: 0.00016

KEV: no

Activities: very low
