Checkmk is not affected by RediShell (CVE-2025-49844)


Two critical vulnerabilities (CVE-2025-46817 & CVE-2025-49844) describe a Lua sandbox breakout flaw in Redis.

LAST TESTED ON CHECKMK 2.4.0P1


Problem

CVE-2025-46817 & CVE-2025-49844, together nicknamed “RediShell”, describe a Lua sandbox breakout vulnerability in Redis. An attacker who can execute a custom Lua script against a vulnerable Redis instance may escape the Lua sandbox and execute arbitrary operations on the host.

Impact

  • Checkmk has investigated CVE-2025-46817 & CVE-2025-49844 and determined that Checkmk is not affected from an application perspective.

  • Checkmk does not provide any mechanism to invoke arbitrary or custom Lua scripts, nor does it expose a direct network attack vector that would allow an unauthenticated attacker to supply and run such scripts against a Redis instance used by Checkmk.

  • Checkmk does ship a redis-server instance that, if connected to, could run Lua scripts. That instance is configured to accept connections only via a Unix socket. Access to that socket requires privileges equivalent to the Checkmk site user. If an attacker had the ability to exploit RediShell against that socket, they would already have privileges equivalent to the site user prior to breaking out of the Lua sandbox. In other words, exploitation would not meaningfully escalate privileges beyond a compromise that already has site user access.

Solution

  • From an application standpoint, no further immediate action is required because Checkmk does not expose the required attack surface to run custom Lua scripts.

  • Recommended hardening steps for administrators:

    • Ensure the Checkmk site user account and system are secured and that only trusted administrators can access the host and the Checkmk site user context.

    • Keep system packages and the bundled redis-server up to date with upstream security fixes as they become available.

    • Restrict access to the Redis socket at the OS level. Verify file permissions on the socket so only the intended site user and administrators can access it.

    • Monitor for unexpected local access to the Redis socket and for suspicious processes running as the site user.

    • If you have additional external Redis instances integrated with your environment, ensure they are patched, require authentication, and are not exposed to untrusted networks.
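One way to verify the socket-only posture described in the hardening steps above, as an added example and not Checkmk's own tooling: a POSIX shell audit of a redis.conf that flags an enabled TCP listener or a Unix socket mode broader than owner-only. The config file locations and sample contents are constructed for the demonstration; this page does not state where Checkmk's bundled Redis configuration lives.

```shell
#!/bin/sh
# Added example (not Checkmk code): audit a redis.conf for the
# "Unix socket only, owner-only permissions" posture. Paths are placeholders.

# Print the value of a redis.conf directive; the last occurrence wins,
# as it does in Redis itself. Prints nothing if the directive is absent.
redis_conf_get() {
    # $1 = config file, $2 = directive name
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# Return 0 when TCP is disabled and the Unix socket is owner-only, 1 otherwise.
audit_redis_conf() {
    conf="$1"
    rc=0
    port=$(redis_conf_get "$conf" port)
    sock=$(redis_conf_get "$conf" unixsocket)
    perm=$(redis_conf_get "$conf" unixsocketperm)

    # Redis listens on 6379 when "port" is absent; only "port 0" disables TCP.
    if [ "${port:-6379}" != "0" ]; then
        echo "FAIL: TCP listener enabled (port ${port:-6379})"; rc=1
    fi
    if [ -z "$sock" ]; then
        echo "FAIL: no unixsocket configured"; rc=1
    fi
    # The socket mode must not grant group or world access.
    case "$perm" in
        700|600) ;;
        "") echo "FAIL: unixsocketperm not set (mode falls back to umask)"; rc=1 ;;
        *)  echo "FAIL: unixsocketperm $perm grants access beyond the owner"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs (placeholder paths, not a shipped Checkmk config).
tmp=$(mktemp -d)
printf 'port 6379\nbind 0.0.0.0\nunixsocket /PLACEHOLDER/redis.sock\n' > "$tmp/weak.conf"
printf 'port 0\nunixsocket /PLACEHOLDER/site/redis.sock\nunixsocketperm 700\n' > "$tmp/hardened.conf"

for name in weak hardened; do
    if audit_redis_conf "$tmp/$name.conf"; then
        echo "$name.conf: OK (Unix socket only, owner-only mode)"
    else
        echo "$name.conf: needs attention"
    fi
done
```

Run it against the live configuration of any Redis instance you operate; a non-zero exit from audit_redis_conf means at least one of the two properties the article relies on (no TCP listener, owner-only socket) is not in place.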
