Monitoring tool Zabbix: Critical vulnerability enables system takeover
There is a critical SQL injection vulnerability in the open source monitoring tool Zabbix. Attackers can completely take over vulnerable systems.
(Image: created with AI in Bing Designer by heise online / dmk)
A critical security vulnerability has been discovered in the monitoring tool Zabbix. Attackers can misuse it to completely compromise vulnerable instances.
As the manufacturer of the open source software states in a security advisory, non-administrative users with the default user role, or any other role that allows API access, can exploit the SQL injection vulnerability. The vulnerability lies in the addRelatedObjects function of the CUser class, which is called by CUser.get, a method available to any user with API access (CVE-2024-42327, CVSS 9.9, risk "critical").
Many Zabbix servers accessible on the Internet
The IT researchers at Qualys have found more than 83,000 Zabbix instances accessible from the Internet using the FOFA search engine. Versions 6.0.0-6.0.31, 6.4.0-6.4.16 and 7.0.0 are vulnerable. The developers close the gap with versions 6.0.32rc1, 6.4.17rc1 and 7.0.1rc1. However, much newer versions are now available. These fix the above-mentioned and other vulnerabilities, so admins should update to them.
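To turn the version list above into a repeatable check for your own instances, the following added example (not code from heise online, Qualys or the Zabbix project) parses Zabbix version strings, including the release-candidate suffixes the fixes shipped with, and compares them against the affected ranges named in the advisory. It also builds the request body for Zabbix's unauthenticated JSON-RPC method `apiinfo.version` and evaluates a constructed sample response, so it runs offline; sending the request to your own server's `api_jsonrpc.php` endpoint is left to the operator. Only the ranges listed in the article are flagged, so other branches are reported as "not in an affected range" rather than as safe.

```python
"""Check a Zabbix version string against the ranges affected by CVE-2024-42327.

Affected (per the advisory): 6.0.0-6.0.31, 6.4.0-6.4.16, 7.0.0.
First fixed builds: 6.0.32rc1, 6.4.17rc1, 7.0.1rc1.
"""
import json
import re

# (lowest affected version, first fixed patch level) for each branch.
AFFECTED_RANGES = [
    ((6, 0, 0), (6, 0, 32)),
    ((6, 4, 0), (6, 4, 17)),
    ((7, 0, 0), (7, 0, 1)),
]

# Matches "6.0.31", "6.0.32rc1", "7.0.0alpha1" etc.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(rc|alpha|beta)(\d+))?$")


def parse_version(text):
    """Return ((major, minor, patch), prerelease_or_None).

    prerelease is a (tag, number) tuple, e.g. ("rc", 1). Raises ValueError
    on strings that are not a Zabbix-style version.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Zabbix version: {text!r}")
    core = tuple(int(part) for part in match.group(1, 2, 3))
    pre = (match.group(4), int(match.group(5))) if match.group(4) else None
    return core, pre


def is_vulnerable(text):
    """True if the version lies inside one of the affected ranges.

    The fix first shipped in release candidates (6.0.32rc1 and so on), so a
    pre-release tag on the first fixed patch level counts as fixed.
    """
    core, _pre = parse_version(text)
    return any(low <= core < fixed for low, fixed in AFFECTED_RANGES)


def build_version_request(request_id=1):
    """JSON-RPC body for apiinfo.version, which Zabbix serves without a token."""
    return json.dumps({"jsonrpc": "2.0", "method": "apiinfo.version",
                       "params": [], "id": request_id})


def assess_response(body):
    """Parse an apiinfo.version response and return (version, vulnerable)."""
    data = json.loads(body)
    if "result" not in data:
        raise ValueError(f"Zabbix API error: {data.get('error')}")
    version = data["result"]
    return version, is_vulnerable(version)


# Constructed sample response; not captured from a real server.
SAMPLE_RESPONSE = '{"jsonrpc":"2.0","result":"6.0.31","id":1}'

if __name__ == "__main__":
    print("request body:", build_version_request())
    version, vulnerable = assess_response(SAMPLE_RESPONSE)
    verdict = "AFFECTED by CVE-2024-42327" if vulnerable else "not in an affected range"
    print(f"Zabbix {version}: {verdict}")
```

Because the comparison is done on the numeric core only, a version such as 6.0.32rc1 is treated as the fixed build the advisory names, while 6.0.31 and 7.0.0 are flagged; versions from branches the advisory does not list (for example 6.2.x) are not flagged either way and should be judged from the vendor's own support matrix.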
The release candidates date back to July of this year, but information on the vulnerability has only now been published. The new versions also close further security vulnerabilities and correct some errors. The manufacturer does not provide any information on whether the security gaps are already being attacked. However, anyone still using older versions of the open source software should update to the newer versions as soon as possible.
In mid-August, critical security vulnerabilities in Zabbix became known that could allow attackers to view passwords in plain text or inject malicious code. The programmers have also initially closed these gaps with release candidates.
(dmk)