CVE-2024-42330 (CVSS 9.1): Zabbix Patches Critical Remote Code Execution Vulnerability
Popular open-source monitoring tool Zabbix has released urgent security updates to address a critical vulnerability that could allow attackers to execute arbitrary code on the Zabbix server. The vulnerability, tracked as CVE-2024-42330 and assigned a CVSS score of 9.1, affects the 6.0, 6.4, and 7.0 release lines: every release before 6.0.34rc1, 6.4.19rc1, and 7.0.4rc1 respectively.
Zabbix is widely used by organizations of all sizes to monitor their IT infrastructure, including networks, servers, and cloud services. The vulnerability lies in the HttpRequest object exposed to the JavaScript that Zabbix runs on the server side, such as webhook media type scripts. When a script reads the headers of an HTTP response, the header values are handed to the script as JavaScript strings without being properly encoded. Zabbix embeds the Duktape JavaScript engine, which reserves property keys that are not valid UTF-8 for its own internal use; ordinary script code cannot name such keys, but an unencoded header value can contain them. An attacker who controls, or can inject headers into, a response that a Zabbix script fetches can therefore reach properties that are meant to be hidden from scripts, and from there obtain remote code execution in the Zabbix server process. The attack vector is a malicious response, not a request sent to Zabbix.
“The returned strings are created directly from the data returned by the server and are not correctly encoded for JavaScript,” the advisory explains. “This allows [one] to create internal strings that can be used to access hidden properties of objects.”
This vulnerability was discovered by security researcher “zhutyra” through the HackerOne bug bounty platform and responsibly disclosed to Zabbix. Zabbix has promptly addressed the issue by releasing patched versions:
- 6.0.34rc1
- 6.4.19rc1
- 7.0.4rc1
All users of affected Zabbix versions are strongly urged to update to these releases, or to the final 6.0.34, 6.4.19, and 7.0.4 releases that follow them, immediately. Until the update is in place, it is worth reviewing which server-side JavaScript scripts use HttpRequest and which endpoints they contact, since a malicious or compromised endpoint is the attacker's way in. Failing to patch could leave systems exposed to serious compromise.
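Added example, not from the advisory or from Zabbix's own tooling: a small Python helper that parses the version string printed by `zabbix_server --version` and reports whether a build is older than the fixed release named above for its branch. The sample outputs are constructed in the format that command is assumed to print (`zabbix_server (Zabbix) X.Y.Z`); the parser only relies on finding an `X.Y.Z[rcN]` token, so the surrounding text does not matter. The check treats every build at the fixed patch level (rc or final) as fixed, which follows from the fix landing in rc1 of each listed version.

```python
import re

# First release on each affected branch that contains the fix, per the
# Zabbix advisory for CVE-2024-42330: 6.0.34rc1, 6.4.19rc1, 7.0.4rc1.
# Because the fix landed in rc1, every build of that patch level (rc or
# final) is fixed, so the release candidate number does not affect the check.
FIXED_PATCH_LEVEL = {
    (6, 0): (6, 0, 34),
    (6, 4): (6, 4, 19),
    (7, 0): (7, 0, 4),
}

# Matches X.Y.Z with an optional rcN suffix, e.g. "7.0.3" or "6.4.19rc1".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?\b")


def parse_version(text):
    """Return (major, minor, patch, rc) for the first version found in text.

    text is expected to look like the first line of `zabbix_server --version`
    (assumed format: "zabbix_server (Zabbix) 7.0.3"). rc is None for a final
    release.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Zabbix version in {text!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch), (int(rc) if rc else None)


def is_affected(text):
    """True if the build is on a listed branch and predates the fix.

    Returns None for branches the advisory does not name (e.g. 5.0 LTS)
    rather than guessing either way.
    """
    major, minor, patch, _rc = parse_version(text)
    fixed = FIXED_PATCH_LEVEL.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def triage(version_outputs):
    """Map each `zabbix_server --version` output to a human-readable verdict."""
    labels = {True: "affected", False: "fixed", None: "not covered by advisory"}
    return {text: labels[is_affected(text)] for text in version_outputs}


# Constructed sample outputs in the assumed `zabbix_server --version` format.
SAMPLE_OUTPUTS = [
    "zabbix_server (Zabbix) 6.0.33",
    "zabbix_server (Zabbix) 6.0.34rc1",
    "zabbix_server (Zabbix) 6.4.18",
    "zabbix_server (Zabbix) 7.0.3",
    "zabbix_server (Zabbix) 7.0.4",
    "zabbix_server (Zabbix) 5.0.44",
]

if __name__ == "__main__":
    for text, verdict in triage(SAMPLE_OUTPUTS).items():
        print(f"{text:40s} {verdict}")
```

Run it against the output collected from each server (and proxy, if proxies run the same build) to get a quick inventory of what still needs patching; unlisted branches are reported as not covered rather than silently marked safe.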
Even widely used and trusted open-source tools like Zabbix can contain vulnerabilities that attackers can exploit. By promptly applying patches and following security guidelines, organizations can significantly reduce their risk of cyberattacks.