Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Critical Vulnerability Found in Zabbix Network Monitoring Tool

A critical-severity vulnerability in open source enterprise network monitoring tool Zabbix could lead to full system compromise.

Zabbix has warned of a critical-severity vulnerability in its open source enterprise networking monitoring solution that could allow attackers to inject arbitrary SQL queries and compromise data or the system.

Tracked as CVE-2024-42327 (CVSS score of 9.9), the security defect exists in a function that is available to any user with a role that has API access, Zabbix warned.

“A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability,” the company notes in its advisory.

“An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access,” it continues.

The vulnerability was also analyzed by Qualys, which noted that exploitation could allow attackers to escalate privileges and gain complete control of vulnerable Zabbix servers. The cybersecurity firm has seen over 83,000 internet-exposed Zabbix servers.

The flaw, the vendor announced, affects Zabbix versions 6.0.0 through 6.0.31, 6.4.0 through 6.4.16, and 7.0.0.

Advertisement. Scroll to continue reading.

Although an advisory on CVE-2024-42327 was published only last week, patches for the issue were included in versions 6.0.32rc1, 6.4.17rc1, and 7.0.1rc1, which were released in July.

The patched iterations also resolve CVE-2024-36466 (CVSS score of 8.8), an authentication bypass issue that could allow an attacker to sign a forged zbx_session cookie and log in with administrator permissions.

Zabbix version 7.0.1rc1 also fixes CVE-2024-36462, an uncontrolled resource consumption vulnerability that could allow an attacker to cause a denial-of-service (DoS) condition.

The company makes no mention of any of these vulnerabilities being exploited in the wild. Users are advised to update their installations to a patched version as soon as possible.

According to Zabbix, its monitoring solution is used by organizations in the education, finance, food, healthcare, IT, manufacturing, and retail sectors around the world.

Related: Ivanti Patches 50 Vulnerabilities Across Several Products

Related: High-Severity Vulnerabilities Patched in Zoom, Chrome

Related: Serious Vulnerabilities Patched in OpenCV Computer Vision Library

Related: How to Fix a Dysfunctional Security Culture

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.