CVE-2022-47909

MEDIUM

Checkmk <= 2.1.0p11, <= 2.0.0p28, 1.6.0 - Livestatus Query Language Injection via AuthUser HTTP Header


Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-47909. PoCs published by JacobEbben.

AI-analyzed exploit summary: This PoC exploits CVE-2022-47909 and CVE-2022-48321 in Checkmk to achieve unauthenticated arbitrary file deletion via SSRF and LQL injection. It leverages the Agent_Receiver endpoint and a line feed injection in the ajax_graph_images.py endpoint to execute a Nagios External Command for file deletion.

Description

Livestatus Query Language (LQL) injection in the AuthUser HTTP query header of Tribe29's Checkmk <= 2.1.0p11, Checkmk <= 2.0.0p28, and all versions of Checkmk 1.6.0 (EOL) allows an attacker to perform direct queries to the application's core from localhost.

Exploits (1)

nomisec WORKING POC 1 stars
by JacobEbben · poc
https://github.com/JacobEbben/CVE-2022-47909_unauth_arbitrary_file_deletion

Classification: Working PoC 95%
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Checkmk <= 2.1.0p11, Checkmk <= 2.0.0p28, and all versions of Checkmk 1.6.0 (EOL)
Authentication: No auth needed
Prerequisites: Network access to the Checkmk agent_receiver endpoint · Checkmk service with write permissions on the target file
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 6.8
EPSS: 0.0039
EPSS Percentile: 30.8%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Details

CWE: CWE-20
Status: published
Products (2):
checkmk/checkmk 2.1.0 (21 CPE variants)
checkmk/checkmk 2.0.0 (29 CPE variants)
Published: Feb 20, 2023
Tracked Since: Feb 18, 2026