
CISA warns of actively exploited vulnerabilities in Zabbix servers
2022-02-25 07:31

A notification from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that threat actors are exploiting vulnerabilities in Zabbix, an open-source tool for monitoring networks, servers, virtual machines, and cloud services.

The agency is asking federal agencies to patch their Zabbix servers against the security issues tracked as CVE-2022-23131 and CVE-2022-23134, to avoid "significant risk" from malicious cyber actors.

The Netherlands' National Cyber Security Centre (NCSC-NL) alerts that the vulnerability is being actively exploited and can allow remote code execution with root privileges.

The Ukrainian Computer Emergency Response Team also published a warning about the risk of leaving Zabbix servers unpatched against the two vulnerabilities, especially CVE-2022-23131.

The two vulnerabilities were discovered by researchers from SonarSource, who published their findings in a technical report earlier this month, noting that exploiting CVE-2022-23131 is "straightforward, especially since the Zabbix Web Frontend is automatically configured with a highly-privileged user named Admin."

CISA has added both vulnerabilities to its Known Exploited Vulnerabilities Catalog, which lists flaws that are frequent attack vectors for malicious actors, and is asking federal agencies to install the available patches by March 8.


News URL

https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-vulnerabilities-in-zabbix-servers/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                          RISK
2022-01-13  CVE-2022-23134  Improper Authentication vulnerability in multiple products   5.3
            After the initial setup process, some steps of the setup.php file are reachable not only by super-administrators, but by unauthenticated users as well.
            Attack vector: network | Complexity: low | Affected: zabbix, fedoraproject, debian | CWE-287

2022-01-13  CVE-2022-23131  Authentication Bypass by Spoofing vulnerability in Zabbix    critical 9.8
            In instances where SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified.
            Attack vector: network | Complexity: low | Affected: zabbix | CWE-290
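The CVE-2022-23131 entry above describes the general failure mode of CWE-290: a login name kept in session state that the client can rewrite, and a server that trusts it without any integrity check. The following is an added illustration of that class, written in Python for this page; it is not Zabbix's code and does not reproduce Zabbix's actual session format or its fix. The SAML flow is reduced to a single `login` field in a client-held cookie, and `SERVER_SECRET` is a constructed placeholder key. The vulnerable handler authenticates whatever name the cookie carries; the hardened one signs the whole payload with an HMAC and refuses any cookie whose tag does not verify.

```python
"""CWE-290 illustration: trusting a client-writable session login (vulnerable)
versus verifying a MAC over the session payload first (hardened).
Constructed example, not Zabbix's code."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder; a real deployment uses a random per-install secret.
SERVER_SECRET = b"constructed-server-side-secret"


def encode_unsigned(session: dict) -> str:
    """Vulnerable pattern: session state lives in a client-held cookie with
    no integrity protection, so every field is attacker-writable."""
    return base64.b64encode(json.dumps(session).encode()).decode()


def vulnerable_login(cookie: str) -> Optional[str]:
    """Reads the login name straight out of the cookie and treats the request
    as authenticated for that user. Nothing binds the name to a real login."""
    session = json.loads(base64.b64decode(cookie))
    return session.get("login")


def attacker_forges_admin(cookie: str) -> str:
    """What the attacker does: take a cookie they legitimately received
    (e.g. as a low-privileged SSO user) and rewrite the login field."""
    session = json.loads(base64.b64decode(cookie))
    session["login"] = "Admin"
    return encode_unsigned(session)


def encode_signed(session: dict) -> str:
    """Hardened pattern: the server MACs the entire serialized payload, so
    any field the client edits invalidates the tag."""
    payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode())
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}.{tag}"


def hardened_login(cookie: str) -> Optional[str]:
    """Verifies the MAC over the whole payload before reading any field.
    Malformed, tampered or forged cookies all come back as unauthenticated."""
    try:
        payload_b64, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, payload_b64.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    session = json.loads(base64.urlsafe_b64decode(payload_b64))
    return session.get("login")


def tamper_signed(cookie: str, new_login: str) -> str:
    """Attacker edits the payload of a signed cookie but cannot recompute the
    tag without SERVER_SECRET, so the old tag is reattached as-is."""
    payload_b64, tag = cookie.rsplit(".", 1)
    session = json.loads(base64.urlsafe_b64decode(payload_b64))
    session["login"] = new_login
    forged = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode())
    return f"{forged.decode()}.{tag}"


if __name__ == "__main__":
    guest = encode_unsigned({"login": "guest", "sso": True})
    print("vulnerable, forged cookie ->", vulnerable_login(attacker_forges_admin(guest)))
    signed = encode_signed({"login": "guest", "sso": True})
    print("hardened, forged cookie   ->", hardened_login(tamper_signed(signed, "Admin")))
```

The point the comparison makes is that the fix is not "check the login field harder" but "never read a field the client could have written until the server has verified the whole container". A server-side session store keyed by an unguessable identifier achieves the same property without a MAC, and in either design the SSO-asserted username should be taken from the validated SAML response, not echoed back from the client.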

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Zabbix 6 1 22 16 13 52