CVE-2024-42327 Overview
CVE-2024-42327 is a critical SQL Injection vulnerability affecting the Zabbix monitoring platform. A non-admin user account on the Zabbix frontend with the default User role, or with any other role that provides API access, can exploit this vulnerability. The SQL injection exists in the CUser class within the addRelatedObjects function, which is called from the CUser.get function available to every user with API access.
Critical Impact
This vulnerability allows authenticated users with minimal privileges to execute arbitrary SQL queries against the Zabbix database, potentially leading to complete database compromise, data exfiltration, and unauthorized access to sensitive monitoring data across the entire infrastructure.
Affected Products
- Zabbix (multiple versions)
Discovery Timeline
- 2024-11-27 - CVE-2024-42327 published to NVD
- 2025-10-08 - Last updated in NVD database
Technical Details for CVE-2024-42327
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) represents a significant security flaw in the Zabbix frontend's user management API. The vulnerability exists within the CUser class, specifically in the addRelatedObjects function. This function is invoked by CUser.get, a method that is accessible to any authenticated user with API access—including those with only the default User role.
The critical nature of this vulnerability stems from the fact that it requires only low-privilege authentication to exploit, yet can impact resources beyond the vulnerable component's scope. An attacker can manipulate SQL queries through the API to extract sensitive data, modify database contents, or potentially escalate privileges within the Zabbix environment.
Root Cause
The root cause of this vulnerability is improper input validation and insufficient sanitization of user-supplied data within the addRelatedObjects function in the CUser class. When the CUser.get API method processes requests, it passes user-controlled parameters to addRelatedObjects without adequate escaping or parameterized query construction, allowing malicious SQL code to be injected and executed against the underlying database.
Attack Vector
The attack vector is network-based, requiring an authenticated user with API access to the Zabbix frontend. The attacker crafts malicious API requests to the CUser.get endpoint, embedding SQL injection payloads that are processed by the vulnerable addRelatedObjects function. Since the default User role includes API access, any authenticated user can potentially exploit this vulnerability without requiring administrative privileges.
The exploitation path involves:
- Authenticating to the Zabbix frontend with a low-privilege account
- Crafting malicious API requests targeting the CUser.get method
- Injecting SQL payloads through parameters processed by addRelatedObjects
- Extracting data, modifying records, or escalating privileges through SQL manipulation
Detection Methods for CVE-2024-42327
Indicators of Compromise
- Unusual or malformed API requests to the CUser.get endpoint containing SQL syntax characters (single quotes, UNION statements, comment sequences)
- Database query logs showing unexpected SQL patterns or syntax errors originating from the Zabbix application
- Anomalous database activity such as bulk data extraction or unauthorized table access from the Zabbix service account
- Failed or successful authentication attempts followed by immediate API calls to user-related endpoints
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in API requests to the Zabbix frontend
- Enable detailed logging for all API calls to the CUser.get endpoint and monitor for suspicious parameter values
- Configure database audit logging to capture all queries executed by the Zabbix application user, with alerts for anomalous query patterns
- Deploy intrusion detection systems (IDS) with signatures targeting SQL injection attack patterns in HTTP POST data
Monitoring Recommendations
- Monitor Zabbix application logs for API access patterns, particularly focusing on the user management endpoints
- Set up alerts for database query failures or syntax errors that may indicate attempted SQL injection
- Track API usage patterns per user account to identify anomalous behavior from low-privilege accounts
- Review database connection logs for unusual query volumes or data access patterns from the Zabbix application
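The following detector is an added example, not part of the original advisory or Zabbix's own tooling: it applies the indicators listed above (single quotes, UNION, SQL comment sequences) to API request records. It assumes a reverse proxy or gateway in front of the frontend logs each JSON-RPC body as a constructed line of the form "<timestamp> <client_ip> <user> <body>", and that the JSON-RPC method name backing CUser.get is `user.get`.

```python
import json
import re
from typing import Any, Iterator, Optional

# Indicators from the advisory: quotes, UNION keyword, SQL comment sequences.
SQL_MARKERS = re.compile(r"'|\bunion\b|--|/\*", re.IGNORECASE)


def strings_in(value: Any, path: str = "params") -> Iterator[tuple[str, str]]:
    """Yield (json_path, string) for every string nested inside a params value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield from strings_in(v, f"{path}.{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from strings_in(v, f"{path}[{i}]")


def suspicious_user_get(log_line: str) -> Optional[dict]:
    """Return a finding for a user.get call whose parameters carry SQL syntax, else None.

    Assumed (constructed) log format: "<ts> <client_ip> <user> <json-rpc body>".
    """
    parts = log_line.split(" ", 3)
    if len(parts) != 4:
        return None
    ts, client, user, body = parts
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return {"ts": ts, "client": client, "user": user, "reason": "unparseable body"}
    if req.get("method") != "user.get":
        return None  # scoped to the vulnerable method; widen the check if desired
    hits = [(p, s) for p, s in strings_in(req.get("params", {})) if SQL_MARKERS.search(s)]
    if not hits:
        return None
    return {"ts": ts, "client": client, "user": user, "reason": "sql syntax in params", "hits": hits}


def scan_log(lines) -> list:
    """Run the detector over an iterable of log lines and collect findings."""
    return [f for f in map(suspicious_user_get, lines) if f]


# Constructed sample traffic: a benign user.get, an unrelated call, and a flagged one.
SAMPLE_LOG = [
    '2024-11-28T10:00:01Z 10.0.0.5 alice {"jsonrpc":"2.0","method":"user.get","params":{"output":"extend","selectRole":"extend"},"id":1}',
    '2024-11-28T10:00:02Z 10.0.0.5 alice {"jsonrpc":"2.0","method":"host.get","params":{"filter":{"host":"it\'s-db"}},"id":2}',
    '2024-11-28T10:00:03Z 10.0.0.9 guest {"jsonrpc":"2.0","method":"user.get","params":{"output":"extend","filter":{"username":"admin\' --"}},"id":3}',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Legitimate field values can contain apostrophes, so treat a hit as a triage lead to correlate with the per-user API baseline and database error logs, not as proof of exploitation.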
How to Mitigate CVE-2024-42327
Immediate Actions Required
- Review and restrict API access permissions, removing API access from user roles that do not require it
- Implement network-level access controls to limit Zabbix frontend and API exposure to trusted networks only
- Enable comprehensive logging for all API endpoints and establish monitoring for suspicious activity
- Apply the security patch as soon as available from Zabbix
Patch Information
Zabbix has acknowledged this vulnerability through their support tracking system. Administrators should consult the Zabbix Support Issue ZBX-25623 for detailed patch information, affected version specifics, and remediation guidance. It is critical to apply vendor-provided patches immediately given the severity of this vulnerability and the high likelihood of exploitation as indicated by the EPSS data.
Workarounds
- Temporarily disable API access for all non-essential user accounts until patching is complete
- Implement strict network segmentation to isolate the Zabbix frontend from untrusted network segments
- Deploy a Web Application Firewall (WAF) with SQL injection detection rules in front of the Zabbix frontend
- Review and audit all user accounts with API access, removing unnecessary permissions and disabling inactive accounts
Example: restrict API access via Zabbix user role configuration
- Navigate to Administration -> User roles in the Zabbix UI
- For non-administrative roles, disable the "API access" permission
- This limits the attack surface while awaiting patch deployment
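To carry out the account audit in the workarounds above at scale, the following added script (not from the advisory or from Zabbix) joins role and user records and lists every user who reaches the API through a role not on an allow list. It assumes `role.get` with `selectRules` returns objects containing `roleid`, `name` and `rules["api.access"]`, and `user.get` returns `userid`, `username` and `roleid`, with numeric fields as strings; the sample data is constructed.

```python
from typing import Iterable


def roles_granting_api_access(roles: Iterable[dict]) -> dict:
    """Map roleid -> role name for every role whose rules enable API access.

    Assumed shape (role.get with selectRules="extend"):
    {"roleid": "1", "name": "User role", "rules": {"api.access": "1", ...}}.
    Values are compared via str() because the API returns numbers as strings.
    """
    return {r["roleid"]: r["name"] for r in roles
            if str(r.get("rules", {}).get("api.access", "0")) == "1"}


def users_with_api_access(users: Iterable[dict], roles: Iterable[dict],
                          allow_roles: tuple = ()) -> list:
    """Return (userid, username, role name) for users whose role grants API
    access and is not explicitly allowed; these are the accounts to review."""
    api_roles = roles_granting_api_access(roles)
    return [(u["userid"], u["username"], api_roles[u["roleid"]])
            for u in users
            if u["roleid"] in api_roles and api_roles[u["roleid"]] not in allow_roles]


# Constructed sample data modelled on role.get / user.get output.
SAMPLE_ROLES = [
    {"roleid": "1", "name": "User role", "rules": {"api.access": "1"}},
    {"roleid": "2", "name": "Admin role", "rules": {"api.access": "1"}},
    {"roleid": "3", "name": "Super admin role", "rules": {"api.access": "1"}},
    {"roleid": "4", "name": "Guest role", "rules": {"api.access": "0"}},
    {"roleid": "5", "name": "Dashboard viewer", "rules": {"api.access": "0"}},
]
SAMPLE_USERS = [
    {"userid": "1", "username": "Admin", "roleid": "3"},
    {"userid": "2", "username": "guest", "roleid": "4"},
    {"userid": "7", "username": "alice", "roleid": "1"},
    {"userid": "8", "username": "bob", "roleid": "5"},
]

if __name__ == "__main__":
    for userid, name, role in users_with_api_access(
            SAMPLE_USERS, SAMPLE_ROLES, allow_roles=("Super admin role",)):
        print(f"review: user {name} (id {userid}) reaches the API via role '{role}'")
```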
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.