Zabbix Server Vulnerable to SQL Injection via Command Execution
CVE-2024-22120

9.1 CRITICAL

Key Information:

Vendor: Zabbix
Status: Zabbix (Vendor)
CVE Published: 17 May 2024

Badges

📈 Trended | 📈 Score: 5,690 | 👾 Exploit Exists | 🟡 Public PoC | 🟣 EPSS 93% | 📰 News Worthy

What is CVE-2024-22120?

CVE-2024-22120 is a vulnerability in the Zabbix server, a popular open-source monitoring solution that organizations use to oversee their IT infrastructure and services. The flaw is a SQL injection reached through the server's command execution path: the "clientip" value supplied with a command is not handled safely before it is stored. Exploiting it can severely undermine an organization's security posture by allowing attackers to execute arbitrary commands, potentially leading to unauthorized access and data manipulation.

Technical Details

The vulnerability is a time-based blind SQL injection through the "clientip" field in Zabbix's command execution functionality. When a script configured in Zabbix is executed, the server writes an audit log entry recording the execution; because the "clientip" field in that entry is not sufficiently sanitized, it becomes an injection vector into the audit-log query. The flaw reflects missing input validation in the Zabbix server, and a malicious actor can use it to compromise the integrity of the database and, from there, the wider environment.
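The defect class described above, shown as an added illustration rather than Zabbix's own code: a hypothetical audit-log INSERT that splices an unvalidated "clientip" string into SQL, beside a hardened variant that accepts only a well-formed IPv4/IPv6 literal before the query is ever built. Function names, the table layout and the sample value are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Raw formatting of the audit entry (hypothetical schema, not Zabbix's).
 * The clientip string lands inside the SQL text verbatim. */
static int format_audit_sql(char *out, size_t outlen,
                            const char *username, const char *clientip)
{
    int n = snprintf(out, outlen,
                     "INSERT INTO auditlog (username, clientip) VALUES ('%s', '%s')",
                     username, clientip);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;   /* -1 on truncation */
}

/* Vulnerable pattern: whatever the caller sent as clientip becomes part of
 * the statement, so a quote or SQL fragment changes its meaning. This is the
 * class of bug behind the time-based blind injection described above. */
int build_audit_sql_unsafe(char *out, size_t outlen,
                           const char *username, const char *clientip)
{
    return format_audit_sql(out, outlen, username, clientip);
}

/* Allow-list check: inet_pton() accepts only a syntactically valid address,
 * so quotes, spaces and SQL keywords never reach query construction. */
int is_ip_literal(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Hardened pattern: validate, then build. Parameterised queries remain the
 * primary fix; this check is defence in depth and catches bad data early. */
int build_audit_sql_safe(char *out, size_t outlen,
                         const char *username, const char *clientip)
{
    if (!is_ip_literal(clientip))
        return -1;                          /* refuse to log a non-IP value */
    return format_audit_sql(out, outlen, username, clientip);
}

int main(void)
{
    char sql[256];
    const char *bad = "198.51.100.7'";     /* constructed sample with a stray quote */
    if (build_audit_sql_unsafe(sql, sizeof sql, "Admin", bad) == 0)
        printf("unsafe path accepted: %s\n", sql);
    if (build_audit_sql_safe(sql, sizeof sql, "Admin", bad) != 0)
        printf("safe path rejected: %s\n", bad);
    return 0;
}
```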

Impact of the Vulnerability

  1. Unauthorized Command Execution: Attackers can gain the ability to execute arbitrary commands on the Zabbix server, potentially leading to further system compromise and tampering with its configuration.

  2. Data Breach Risks: By exploiting this vulnerability, attackers may gain access to sensitive data stored in the database, resulting in data breaches that can affect both the organization and its users.

  3. Disruption of Monitoring Services: Attackers can alter or disable monitoring functionality, severely impacting the integrity of the monitoring service and hampering the organization's ability to oversee its IT infrastructure.

Affected Version(s)

Zabbix 6.0.0 through 6.0.27

Zabbix 6.4.0 through 6.4.12

Zabbix 7.0.0alpha1 through 7.0.0beta1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

News Articles

[#ZBX-24505] Time Based SQL Injection in Zabbix Server Audit Log (CVE-2024-22120)

Summary: Zabbix server can perform command execution for configured scripts. After a command is executed, an audit entry is added to the "Audit Log". Because the "clientip" field is not sanitized, it is possible to...

Zabbix SQLi Vulnerability Leads to RCE, Latest Versions Affected – Gridinsoft Blog

Zabbix, a popular network monitoring tool, appears to be vulnerable to SQL injection attacks with little to no requirements.

Qualys ThreatPROTECT – Live Threat Intelligence Feed

The Zabbix server is vulnerable to an SQL injection vulnerability, tracked as CVE-2024-22120. The vulnerability has been given a critical severity rating with a CVSS score of 9.1. Successful exploitation of...

EPSS Score

93% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • 🟡 Public PoC available

  • 📈 Vulnerability started trending

  • 👾 Exploit known to exist

  • 📰 First article discovered by ÇözümPark

  • Vulnerability published

  • Vulnerability reserved

Credit

Zabbix wants to thank Maxim Tyukov (mf0cuz), who submitted this report on the HackerOne bounty hunter platform.