Timing Attack Vulnerability in Zabbix Monitoring Software by Zabbix
CVE-2024-36469
2.3 LOW
What is CVE-2024-36469?
In Zabbix Monitoring Software, a failed login attempt takes a measurably different amount of time depending on whether the supplied username exists. An attacker who can submit login attempts and time the responses can therefore tell valid usernames from invalid ones (username enumeration) without ever guessing a password correctly. On its own this discloses only which accounts exist, which is why the score is low, but it narrows the target set for subsequent password-guessing or credential-stuffing attacks against the enumerated accounts.
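The pattern behind this class of bug, and the fix for it, as an added illustration that is not Zabbix's own code (the Zabbix frontend is written in PHP; the user store, password hashing parameters, function names and the timing threshold below are all assumptions made for the example). The vulnerable login returns as soon as the username lookup fails, so a non-existent user never pays the cost of a password hash; the hardened login always hashes once, against a dummy record when the user is unknown, and only then combines the result with the existence check. A small measurement loop shows that the vulnerable version classifies usernames correctly from timing alone while the hardened version does not.

```python
import hashlib
import hmac
import os
import statistics
import time

# Constructed sample data for the example (not Zabbix data).
ITERATIONS = 100_000  # PBKDF2 work factor; large enough that hashing dominates a lookup


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_store(users: dict) -> dict:
    """Build a username -> (salt, hash) table from plaintext test credentials."""
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash(pw, salt))
    return store


USERS = make_store({"alice": "correct horse", "bob": "battery staple"})

# Dummy record so the hardened path performs exactly one hash even when the
# username is unknown. Its password is never accepted (see login_hardened).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-placeholder", _DUMMY_SALT)


def login_vulnerable(store: dict, username: str, password: str) -> bool:
    rec = store.get(username)
    if rec is None:
        return False  # early return: no hashing, so unknown users fail fast
    salt, expected = rec
    return hmac.compare_digest(_hash(password, salt), expected)


def login_hardened(store: dict, username: str, password: str) -> bool:
    rec = store.get(username)
    user_exists = rec is not None
    salt, expected = rec if user_exists else (_DUMMY_SALT, _DUMMY_HASH)
    # Hash unconditionally so both branches cost the same, then AND the
    # result with existence so a guess of the dummy password cannot log in.
    match = hmac.compare_digest(_hash(password, salt), expected)
    return match and user_exists


def time_login(fn, store: dict, username: str, password: str, samples: int = 5) -> float:
    """Median wall-clock time of `samples` failed login attempts."""
    ts = []
    for _ in range(samples):
        t0 = time.perf_counter()
        fn(store, username, password)
        ts.append(time.perf_counter() - t0)
    return statistics.median(ts)


def enumerate_by_timing(fn, store: dict, candidates: list, threshold_ratio: float = 3.0) -> dict:
    """Mark a candidate as 'exists' if its failed-login time is at least
    threshold_ratio times the fastest candidate. The ratio is an assumed
    heuristic; a real attacker would calibrate it against known accounts."""
    medians = {u: time_login(fn, store, u, "definitely-wrong") for u in candidates}
    floor = max(min(medians.values()), 1e-9)
    return {u: t >= threshold_ratio * floor for u, t in medians.items()}


if __name__ == "__main__":
    names = ["alice", "nobody"]
    print("vulnerable:", enumerate_by_timing(login_vulnerable, USERS, names))
    print("hardened:  ", enumerate_by_timing(login_hardened, USERS, names))
```

The same remediation applies whatever the hashing scheme: the cost of a failed attempt must not depend on any secret-derived branch, including "does this account exist". Note that the hardened version also has to reject the dummy credential explicitly, otherwise the fix would introduce a login bypass for the placeholder password.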
Affected Version(s)
Zabbix 5.0.0 through 5.0.45
Zabbix 6.0.0 through 6.0.37
Zabbix 7.0.0 through 7.0.8
CVSS v4
Score: 2.3
Severity: Low
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined (not given on this page; CVSS v4 defines only None, Low or High)
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Zabbix wants to thank Jens Just Iversen (jensji) for submitting this report on the HackerOne bug bounty platform