CVE-2024-22116 (CVSS 9.9): Critical RCE Vulnerability Found in Zabbix Monitoring Solution
Zabbix, a widely-adopted open-source solution for enterprise-level IT infrastructure monitoring, has disclosed a critical security vulnerability that could lead to full system compromise. The vulnerability, identified as CVE-2024-22116 and assigned a CVSS severity score of 9.9, underscores the potential for severe consequences if left unaddressed.
Zabbix is renowned for its ability to monitor a broad spectrum of IT resources, from simple applications to complex, large-scale environments. The flaw sits in one of the features behind that flexibility: the script execution functionality of the Monitoring Hosts section, specifically the Ping script.
In affected versions, an administrator with restricted permissions can exploit the lack of default escaping for script parameters. This oversight allows the administrator to execute arbitrary code via the Ping script, potentially leading to full infrastructure compromise. Given that Zabbix is often deployed in mission-critical environments, the impact of such an exploit could be devastating.
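The bug class described above is a script parameter that reaches a shell without escaping. The following is an added illustration, not Zabbix code and not the project's fix: it shows the defensive pattern of validating the host parameter as an IP literal or DNS name, passing it to `ping` as an argv list rather than through a shell, and quoting it with `shlex.quote` where a shell string is unavoidable. The function names and the constructed sample values are assumptions for this example.

```python
import ipaddress
import re
import shlex
import subprocess

# Constructed for this example: a conservative DNS hostname pattern
# (labels of letters, digits and hyphens, not starting with a hyphen).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?$"
)


def is_safe_host(value: str) -> bool:
    """Accept only an IP literal or a DNS hostname.

    Anything else (whitespace, quotes, ';', '|', '$', backticks, ...) is
    rejected outright instead of being escaped after the fact.
    """
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(HOSTNAME_RE.match(value))


def build_ping_argv(host: str, count: int = 3) -> list[str]:
    """Return the ping command as an argv list; no shell is involved.

    Because the validated host cannot start with '-', it can never be
    parsed as an additional ping option.
    """
    if not is_safe_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), host]


def build_ping_shell_command(host: str, count: int = 3) -> str:
    """Same command as a single shell string, with every parameter quoted.

    Use this only when the executor really does hand a string to /bin/sh.
    """
    return " ".join(shlex.quote(a) for a in build_ping_argv(host, count))


def run_ping(host: str) -> int:
    """Execute the validated command without a shell and return its exit code."""
    return subprocess.run(build_ping_argv(host), shell=False, check=False).returncode
```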
The vulnerability affects the following versions of Zabbix:
- 6.4.0 to 6.4.15
- 7.0.0alpha1 to 7.0.0rc2
Zabbix has addressed this issue in the following fixed versions:
- 6.4.16rc1
- 7.0.0rc3
Administrators are strongly urged to update to these versions as soon as possible to mitigate the risk of exploitation.
The consequences of this vulnerability are far-reaching. If successfully exploited, an attacker could gain the ability to execute arbitrary code, effectively taking control of the Zabbix server. From there, the attacker could launch further attacks across the monitored infrastructure, leading to data breaches, service disruptions, or even complete network takeovers.
Given the critical role that Zabbix plays in monitoring and managing enterprise environments, the exploitation of this vulnerability could result in a significant loss of service availability, data integrity, and confidentiality.
The discovery of CVE-2024-22116 was credited to the security researcher known as “justonezero,” who responsibly disclosed the vulnerability through the HackerOne bug bounty platform.
In response to the discovery of this flaw, the Zabbix Team has released an update that not only addresses this critical issue but also patches several other vulnerabilities, each with varying degrees of severity.