Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

CISA Warns of Attacks Exploiting Recent Vulnerabilities in Zabbix Monitoring Tool

The United States Cybersecurity and Infrastructure Security Agency (CISA) this week expanded its Known Exploited Vulnerabilities Catalog with two critical flaws in the Zabbix enterprise monitoring solution.

The United States Cybersecurity and Infrastructure Security Agency (CISA) this week expanded its Known Exploited Vulnerabilities Catalog with two critical flaws in the Zabbix enterprise monitoring solution.

Tracked as CVE-2022-23131 and CVE-2022-23134, the two vulnerabilities could be exploited to bypass authentication and gain administrator privileges, which could then allow an attacker to execute arbitrary commands.

Zabbix is an open-source monitoring platform that organizations deploy within their networks to collect and centralize data such as CPU load and network traffic.

Identified by security researchers with SonarSource, a provider of code quality and security solutions, the two vulnerabilities are related to the manner in which Zabbix stores session data on the client-side and could lead to complete network compromise.

No information appears to be available on the attacks exploiting these vulnerabilities, but public proof-of-concept (PoC) exploits exist and SonarSource noted that Zabbix is a “high-profile target for threat actors” and that an unnamed exploit acquisition company has expressed interest in Zabbix.

The security holes were identified in Zabbix Web Frontend and impact all supported versions of the component prior to 5.4.8, 5.0.18 and 4.0.36. Both vulnerabilities were addressed in Zabbix Web Frontend 6.0.0beta2, 5.4.9, 5.0.19, and 4.0.37.

The flaws only impact instances where Security Assertion Markup Language (SAML) Single-Sign-On (SSO) authentication is enabled, and can be exploited without prior knowledge of the target.

[READ: CISA’s ‘Must Patch’ List Puts Spotlight on Vulnerability Management Processes]

After bypassing authentication and escalating privileges to administrator, an attacker could leverage previous vulnerabilities to execute commands on linked Zabbix Server and Zabbix Agent instances. Execution of commands cannot be disallowed on the Server component, SonarSource explains.

CVE-2022-23131 exists because, although Zabbix has a mechanism of validating the user when accessing data stored client-side, that function is never called for the session entry (containing user attributes) created when SAML authentication is used.

“Once authenticated as Admin on the dashboard, attackers can execute arbitrary commands on any attached Zabbix Server, and on Zabbix Agents if explicitly allowed in the configuration,” SonarSource says.

Also an unsafe use of the session, CVE-2022-23134 was identified in setup.php, a script that is only accessible to authenticated and highly-privileged users. Because the validation function is not called here either, an attacker could re-run the latest step of the installation process, during which the Zabbix Web Frontend configuration file is created.

[READ: CISA Urges Organizations to Patch Recent Chrome, Magento Zero-Days]

“As a result, existing configuration files can be overridden by attackers even if the Zabbix Web Frontend instance is already in a working state. By pointing to a database under their control, attackers can then gain access to the dashboard with a highly-privileged account,” SonarSource explains.

While this vulnerability cannot be exploited to reach Zabbix Agents, the Zabbix Server is accessible this way, because it uses the same database as Zabbix Web Frontend. According to SonarSource, an attacker could chain the flaw with a code execution bug to take over the database and move laterally on the network.

Patches for these vulnerabilities were released in late December, with full technical details published last week. Now, CISA warns that the two bugs are already exploited in the wild, urging organizations to update to a fixed Zabbix Web Frontend version as soon as possible.

As per Binding Operational Directive (BOD) 22-01, which was published alongside CISA’s Known Exploited Vulnerabilities Catalog in November, federal agencies should install the available patches within the next two weeks.

Related: CISA Creates List of Free Cybersecurity Tools and Services for Defenders

Related: CISA Releases Final IPv6 Security Guidance for Federal Agencies

Related: CISA Urges Organizations to Patch Exploited Windows Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.