An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section. The lack of default escaping for script parameters enabled this user ability to execute arbitrary code via the Ping script, thereby compromising infrastructure.
The script execution functionality in the Monitoring Hosts section does not apply default escaping of parameters passed to scripts. A logged-in administrator with limited privileges can modify the Ping script parameters in such a way as to inject and execute arbitrary system commands (command injection). The lack of input data sanitization allows passing a malicious payload, which is subsequently interpreted and executed by the system.
An attacker can execute arbitrary code on the Zabbix server, leading to complete system compromise — loss of confidentiality, integrity and availability of data and the entire monitored infrastructure.
Security patches provided by the vendor should be applied according to the references. Users of Debian distributions should check security updates announced on the debian-lts-announce mailing list (October 2024). It is also recommended to limit the number of accounts with administrative privileges to the minimum necessary.
Zabbix — versions indicated in vendor references (details: https://support.zabbix.com/browse/ZBX-25016)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HZabbix
APPZabbix7.0.06.4.9 – 6.4.15
Related vulnerabilities
In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modif...
SQL Injection w Zabbix – podatność w klasie CUser umożliwia eskalację uprawnień
Zabbix: niekodowane nagłówki HTTP umożliwiają dostęp do ukrytych właściwości obiektów
Zabbix: modyfikacja wskaźników pamięci w silniku JavaScript (RCE/DoS)
Zabbix Server — time-based blind SQL injection przez pole clientip