CVE-2024-0670

HIGH

Checkmk <2.2.0p23-2.0.0 - Privilege Escalation

Exploitation Summary

EIP tracks 7 public exploits for CVE-2024-0670. PoCs published by fsoc-ghost-0x, elsevar11, magicrc.

Description

Privilege escalation in the Windows agent plugin in Checkmk before 2.2.0p23, 2.1.0p40 and 2.0.0 (EOL) allows a local user to escalate privileges.

Exploits (7)

nomisec WORKING POC 1 star
by fsoc-ghost-0x · poc
https://github.com/fsoc-ghost-0x/Fsociety-CVE-2024-0670-CheckMK-LPE

This repository contains a functional C++ exploit for CVE-2024-0670, targeting CheckMK Agent on Windows for local privilege escalation (LPE). The exploit includes detailed logging, interactive shell capabilities, and reverse shell functionality.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: CheckMK Agent (Windows)
No auth needed
Prerequisites: Access to a vulnerable CheckMK Agent installation on Windows · Netcat (nc.exe) for reverse shell functionality
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 1 star
by elsevar11 · poc
https://github.com/elsevar11/CVE-2024-0670-CheckMK-Agent-Local-Privilege-Escalation-Exploit

This repository contains a functional proof-of-concept exploit for CVE-2024-0670, a local privilege escalation vulnerability in the CheckMK Windows Agent. The exploit leverages writable temp file paths executed during MSI repair to achieve SYSTEM privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: CheckMK Windows Agent
Auth required
Prerequisites: Low-privileged Windows user · PowerShell enabled · CheckMK Windows Agent installed · Ability to download files
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 1 star
by magicrc · poc
https://github.com/magicrc/CVE-2024-0670

This repository contains a functional PowerShell exploit for CVE-2024-0670, which leverages a race condition in the CheckMK Agent's handling of temporary files in C:\Windows\Temp. The exploit pre-positions read-only .cmd files that are executed with SYSTEM privileges when the agent's MSI installer is triggered.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: CheckMK Agent on Windows
Auth required
Prerequisites: Local access to a Windows system with CheckMK Agent installed · Write access to C:\Windows\Temp · CheckMK Agent MSI installer path
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC
by Nikopmpm · poc
https://github.com/Nikopmpm/Fsociety-CVE-2024-0670-CheckMK-LPE

This repository contains a functional C++ exploit for CVE-2024-0670, targeting CheckMK Agent on Windows for local privilege escalation (LPE). The code includes detailed exploit logic, helper functions, and interactive shell capabilities, indicating a well-developed PoC.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: CheckMK Agent (Windows)
No auth needed
Prerequisites: Access to a vulnerable CheckMK Agent installation on Windows · Local user access to execute the exploit
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC
by tralsesec · poc
https://github.com/tralsesec/CVE-2024-0670

This repository contains a functional PowerShell exploit for CVE-2024-0670, a local privilege escalation vulnerability in the CheckMK Agent. The exploit leverages predictable file execution during an MSI repair process to escalate privileges to NT AUTHORITY\SYSTEM.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: CheckMK Windows Agent
Auth required
Prerequisites: Windows machine with CheckMK Agent installed · Unprivileged local user account · Ability to write to C:\Windows\Temp\ · PowerShell execution policy permitting script execution
devstral-2 · analyzed Feb 19, 2026

nomisec SUSPICIOUS
by Nikopmpm · poc
https://github.com/Nikopmpm/nikopmpm.github.io

The repository lacks actual exploit code and instead directs users to download an executable from an external release page. The README is vague, uses marketing language, and does not provide technical details about the vulnerability or exploitation process.

Classification: Suspicious 90%
Attack Type: LPE
Complexity: Theoretical
Reliability: Theoretical
Target: CheckMK
No auth needed
Prerequisites: Windows 10/11 · Administrator rights
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC
by zhulin837 · poc
https://github.com/zhulin837/checkmk_cve-2024-0670

This repository contains a functional PowerShell script that exploits CVE-2024-0670 in Check MK by leveraging MSI repair to execute arbitrary commands with SYSTEM privileges. The script identifies Check MK MSI files, seeds command files, and triggers an MSI repair to achieve privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Check MK (version not specified)
Auth required
Prerequisites: Local access to a Windows system with Check MK installed · Knowledge of a local admin or service account credentials
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3: 8.8
EPSS: 0.0034
EPSS Percentile: 25.9%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-427
Status: published
Products (2):
checkmk/checkmk 2.1.0 (49 CPE variants)
checkmk/checkmk 2.2.0
Published: Mar 11, 2024
Tracked Since: Feb 18, 2026