CVE-2024-22122 Overview
CVE-2024-22122 is an AT command injection vulnerability in Zabbix Server affecting the SMS notification feature. The Number field used to configure SMS recipients is not validated on either the web frontend or the Zabbix server. An authenticated attacker with high privileges can supply a crafted phone number when testing SMS delivery. The crafted input is passed to the attached modem and interpreted as additional AT commands. This results in arbitrary command execution against the modem hardware and full compromise of monitoring confidentiality, integrity, and availability.
Critical Impact
Attackers can inject arbitrary AT commands into a modem connected to Zabbix Server through the SMS test workflow, enabling control over the SMS gateway and downstream telecom abuse.
Affected Products
- Zabbix 5.0.0 through 5.0.42
- Zabbix 6.0.0 through 6.0.28
- Zabbix 6.4.0 through 6.4.13
- Zabbix 7.0.0 alpha1 through 7.0.0 rc2
Discovery Timeline
- 2024-08-12 - CVE-2024-22122 published to NVD
- 2024-10 - Debian LTS advisory released
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-22122
Vulnerability Analysis
Zabbix supports SMS notifications by sending commands to a serial-attached GSM modem using the AT command set. Administrators configure recipient phone numbers in the frontend, and Zabbix Server forwards the values to the modem during the SMS test workflow and during normal alert delivery. The Number field accepts arbitrary input without sanitization for control characters, including carriage returns that delimit AT commands. An attacker who controls the field value can append further AT commands that the modem processes sequentially.
The weakness is classified as Improper Neutralization of Special Elements used in a Command [CWE-77]. Exploitation requires authenticated access with privileges to configure media types or run SMS tests, but no user interaction is needed. The scope changes because the injected commands run against a separate component, the modem, rather than the vulnerable Zabbix process itself.
Root Cause
The Zabbix frontend and server both accept the Number field without enforcing a strict numeric or E.164 pattern. The value is concatenated into the AT command stream issued to the modem device. Any carriage-return-delimited payload appended to a legitimate phone number is treated by the modem as a new command.
Attack Vector
The attack is launched over the network through the Zabbix web interface. An authenticated user navigates to the SMS media type configuration, supplies a malicious recipient string, and triggers the test SMS function. The Zabbix server forwards the data to the modem, which executes the injected AT instructions. Possible outcomes include sending unauthorized SMS messages, dialing premium numbers, disabling the modem, reading stored SMS, or interacting with the SIM file system.
No verified public proof-of-concept code is published for this vulnerability. Refer to the Zabbix Issue Tracker Entry ZBX-25012 for vendor technical detail.
Detection Methods for CVE-2024-22122
Indicators of Compromise
- Unexpected AT command sequences in modem serial logs, particularly commands following carriage returns in the Number parameter.
- Outbound SMS messages or voice calls originated by the Zabbix host that do not correspond to configured alerts.
- Audit log entries showing edits to SMS media types or repeated SMS test executions from non-administrative accounts.
Detection Strategies
- Review Zabbix audit logs for mediatype.test actions and changes to media type configuration objects.
- Inspect the Number field of all configured SMS recipients for non-numeric characters, semicolons, or AT command keywords such as ATD, AT+CMGS, or AT+CPIN.
- Correlate modem dmesg or /var/log serial communications with Zabbix server process activity to identify injected commands.
Monitoring Recommendations
- Forward Zabbix frontend and server logs to a centralized SIEM and alert on SMS test invocations.
- Monitor telecom billing records for unexpected SMS volume or premium-rate destinations.
- Track the integrity of SMS media type configuration with file or database change auditing.
How to Mitigate CVE-2024-22122
Immediate Actions Required
- Upgrade Zabbix to a fixed release: 5.0.43, 6.0.29, 6.4.14, or 7.0.0 or later as published in ZBX-25012.
- Restrict the set of accounts that hold permissions to configure media types or execute SMS tests.
- Audit existing SMS media type configurations and remove any recipient entries containing non-numeric characters.
Patch Information
Zabbix has released fixed builds tracked in the issue ZBX-25012. Debian users should apply the package updates described in the Debian LTS Announcement. Confirm the running Zabbix server and frontend versions match the patched release after upgrading.
Workarounds
- Disable the SMS media type if upgrading immediately is not possible.
- Physically disconnect the GSM modem from the Zabbix server until patches are applied.
- Limit administrative role assignments and require multi-factor authentication on accounts that retain media configuration rights.
# Verify the installed Zabbix server version against the fixed release
zabbix_server -V
# Example Debian package upgrade path
sudo apt update
sudo apt install --only-upgrade zabbix-server-mysql zabbix-frontend-php
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
