CVE-2025-27237 Overview
CVE-2025-27237 affects Zabbix Agent and Agent 2 on Windows. The agents load the OpenSSL configuration file from a directory writable by low-privileged users. An attacker with local access can modify this configuration file to load an attacker-controlled Dynamic Link Library (DLL). The injected DLL executes in the security context of the Zabbix Agent service, which typically runs with elevated privileges. This results in local privilege escalation on affected Windows hosts. The vulnerability is classified under [CWE-427] Uncontrolled Search Path Element.
Critical Impact
Local attackers can escalate privileges to the Zabbix Agent service account by planting a malicious OpenSSL configuration that loads an arbitrary DLL.
Affected Products
- Zabbix Agent on Windows
- Zabbix Agent 2 on Windows
- Windows deployments relying on the default OpenSSL configuration path
Discovery Timeline
- 2025-10-03 - CVE-2025-27237 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-27237
Vulnerability Analysis
The Zabbix Agent and Agent 2 binaries on Windows link against OpenSSL for TLS and other cryptographic operations. When OpenSSL initialises, it reads its configuration file (openssl.cnf) from a path resolved at runtime: the OPENSSL_CONF environment variable if one is set, otherwise the OPENSSLDIR compiled into the library at build time. In the affected Zabbix Windows builds, that default path resides in a directory where standard users hold write permissions, so a low-privileged local user can create, replace or modify the configuration file before the agent service starts or restarts.
The OpenSSL configuration format supports directives that load code during initialisation: an engines section whose dynamic_path entry names a shared library, and, in OpenSSL 3, a providers section whose module entry does the same. Either can point at an arbitrary DLL on disk. When the Zabbix Agent service initialises OpenSSL, the library parses the configuration and loads the referenced DLL into the agent process. Because the Zabbix Agent service typically runs as LocalSystem or another privileged account, the DLL inherits that privilege level.
Root Cause
The root cause is an insecure search path for a sensitive configuration file. The Windows installation places openssl.cnf in a location where Access Control Lists (ACLs) permit write access by non-administrative users. This combines an uncontrolled search path weakness with insecure default permissions.
Attack Vector
Exploitation requires local access as any user account on the target host; no administrative rights are needed. The attacker writes a crafted openssl.cnf containing OpenSSL engine or provider directives that reference a DLL staged in a location the service account can read. The next time the Zabbix Agent service process starts (initial start, a reboot, or a restart after a crash or update), OpenSSL parses the file and loads the malicious DLL. Code in the DLL's DllMain entry point, and in any engine or provider bind function OpenSSL then calls, executes with the privileges of the agent service.
No verified public proof-of-concept code is available. Technical details are tracked in the Zabbix Issue Tracking Ticket ZBX-27061.
Detection Methods for CVE-2025-27237
Indicators of Compromise
- Unexpected modifications to openssl.cnf within the Zabbix Agent installation directory or any OpenSSL configuration path queried by the agent.
- Presence of engines or providers sections in openssl.cnf referencing DLLs in user-writable locations such as C:\Users\Public or temporary directories.
- Unsigned or unexpected DLLs loaded by zabbix_agentd.exe or zabbix_agent2.exe processes.
Detection Strategies
- Monitor file integrity on the OpenSSL configuration file and the Zabbix Agent installation directory for write events from non-administrative accounts.
- Enumerate DLLs loaded by Zabbix Agent processes and alert on modules outside trusted directories or without valid signatures.
- Audit ACLs on the Zabbix Agent installation path and on the directory the agent's OpenSSL build reads openssl.cnf from, and report any write permissions granted to standard users or to groups such as Authenticated Users or Everyone.
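The indicators and detection strategies above, together with the engine and provider loading mechanism described under Vulnerability Analysis, as one added PowerShell example that is not part of this advisory or of the Zabbix project: it parses an openssl.cnf for dynamic_path, module and .include directives, flags targets in user-writable locations, and lists ACEs that give low-privileged principals write-type rights on the agent directory and configuration file. The install path C:\Program Files\Zabbix Agent, the config location next to it, the principal list and the path heuristic are assumptions; the sample configuration is constructed for the demonstration.

```powershell
# Added example (not Zabbix project code and not from this advisory): audit the OpenSSL
# configuration the agent may read and the ACLs on the paths involved.
# $AgentDir and $ConfPath are assumptions about a default install; adjust to your host.
$AgentDir = 'C:\Program Files\Zabbix Agent'
$ConfPath = Join-Path $AgentDir 'openssl.cnf'

# Principals that must not hold write-type rights on the agent directory or its config.
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Rights that let a standard user plant or replace files, or rewrite the ACL itself.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, WriteAttributes, WriteExtendedAttributes, ChangePermissions, TakeOwnership'

function Get-WeakAces {
    # Emits every Allow ACE that grants a low-privileged principal write-type rights on $Path.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($LowPrivPrincipals -notcontains $who) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Find-OpenSslLoadDirectives {
    # Parses openssl.cnf text and reports directives that make OpenSSL load something:
    # dynamic_path (engines), module (OpenSSL 3 providers) and .include (nested config files).
    param([Parameter(Mandatory)][string[]]$Lines)
    $section = ''
    foreach ($raw in $Lines) {
        $line = ($raw -split '#', 2)[0].Trim()          # drop trailing comments
        if ($line -eq '') { continue }
        if ($line -match '^\[\s*(.+?)\s*\]$') { $section = $Matches[1]; continue }
        if ($line -match '^(dynamic_path|module|\.include)\b\s*=?\s*(.+)$') {
            $target = $Matches[2].Trim().Trim('"')
            [pscustomobject]@{
                Section    = $section
                Directive  = $Matches[1]
                Target     = $target
                # Heuristic (assumption): anything under a standard-user-writable tree is a hijack candidate.
                Suspicious = ($target -match '^[a-z]:\\(users|windows\\temp|programdata)\\') -or ($target -match '\\temp\\')
            }
        }
    }
}

# Constructed sample (not captured from a real host): an engine hijack entry next to a
# legitimate provider entry, so both paths through the parser are exercised.
$SampleConf = @'
openssl_conf = openssl_init

[openssl_init]
engines   = engine_section
providers = provider_section

[engine_section]
evil = evil_engine

[evil_engine]
engine_id    = evil
dynamic_path = C:\Users\Public\evil.dll   # would run as the service account
init         = 1

[provider_section]
legacy = legacy_sect

[legacy_sect]
module   = C:\Program Files\OpenSSL\lib\ossl-modules\legacy.dll
activate = 1
'@ -split "`r?`n"

Find-OpenSslLoadDirectives -Lines $SampleConf | Format-Table -AutoSize

# Live checks against the assumed paths and any OPENSSL_CONF override (skipped if absent).
if (Test-Path -LiteralPath $ConfPath) {
    Find-OpenSslLoadDirectives -Lines (Get-Content -LiteralPath $ConfPath) | Where-Object Suspicious
    Get-WeakAces -Path $ConfPath
}
if (Test-Path -LiteralPath $AgentDir) { Get-WeakAces -Path $AgentDir }
if ($env:OPENSSL_CONF -and (Test-Path -LiteralPath $env:OPENSSL_CONF)) { Get-WeakAces -Path $env:OPENSSL_CONF }
```

The ACL check deliberately looks at individual rights rather than the Modify/FullControl shorthands, because a single CreateFiles or ChangePermissions grant is enough to plant or unlock the config. Run it against the directory OpenSSL actually resolves on your build, not only the agent directory; if the agent honours OPENSSL_CONF that override is checked too.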
Monitoring Recommendations
- Enable Sysmon Event ID 7 (Image Loaded) with an ImageLoad rule scoped to zabbix_agentd.exe and zabbix_agent2.exe (the event is high-volume when enabled globally) and forward the logs to a centralized analytics platform.
- Track service state-change events (System log, Service Control Manager Event ID 7036) for the Zabbix Agent service and correlate each start with file writes to openssl.cnf that preceded it.
- Review process creation events for child processes spawned by the Zabbix Agent that deviate from baseline behavior.
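The Sysmon and Service Control Manager monitoring above, as an added PowerShell example that is not from this advisory or the Zabbix project: it flattens Sysmon Event ID 7 records, flags loads by zabbix_agentd.exe or zabbix_agent2.exe from outside a trusted-root list or without a valid signature, and pulls the agent's 7036 state changes from the same window so a restart can be lined up with an earlier config write. The trusted roots and the 'Zabbix Agent' match on the 7036 message text are assumptions; the sample event is constructed.

```powershell
# Added example (not Zabbix project code): triage Sysmon Event ID 7 (Image Loaded) records
# for the agent processes. Trusted roots and the service name pattern are assumptions.
$AgentImages  = @('zabbix_agentd.exe', 'zabbix_agent2.exe')
$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\Zabbix Agent\", "$env:ProgramFiles\Zabbix Agent 2\")

function ConvertFrom-SysmonEventXml {
    # Flattens the EventData block of a Sysmon event into one object (Image, ImageLoaded, ...).
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $fields = [ordered]@{}
    foreach ($d in $doc.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]$fields
}

function Test-SuspiciousImageLoad {
    # True when an agent process loaded a module from outside the trusted roots, or one that
    # Sysmon could not verify as validly signed. Unsigned loads from trusted roots are kept on
    # purpose: the agent should not be loading those either.
    param([Parameter(Mandatory)]$Ev)
    $proc = [System.IO.Path]::GetFileName([string]$Ev.Image)
    if ($AgentImages -notcontains $proc) { return $false }
    $trusted = $false
    foreach ($root in $TrustedRoots) {
        if (([string]$Ev.ImageLoaded).StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $trusted = $true; break }
    }
    $validSig = ($Ev.Signed -eq 'true') -and ($Ev.SignatureStatus -eq 'Valid')
    return ((-not $trusted) -or (-not $validSig))
}

# Constructed sample event (not from a real host): the agent loading a DLL from C:\Users\Public.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>7</EventID></System>
  <EventData>
    <Data Name="UtcTime">2025-10-10 08:15:42.113</Data>
    <Data Name="ProcessId">4120</Data>
    <Data Name="Image">C:\Program Files\Zabbix Agent\zabbix_agentd.exe</Data>
    <Data Name="ImageLoaded">C:\Users\Public\evil.dll</Data>
    <Data Name="Signed">false</Data>
    <Data Name="SignatureStatus">Unavailable</Data>
  </EventData>
</Event>
'@
$sample = ConvertFrom-SysmonEventXml -Xml $SampleEvent
Test-SuspiciousImageLoad -Ev $sample

# Live triage over the last 24 hours (needs Sysmon with Event ID 7 enabled for the agent images).
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-SysmonEventXml -Xml $_.ToXml() } |
    Where-Object { Test-SuspiciousImageLoad -Ev $_ } |
    Select-Object UtcTime, ProcessId, Image, ImageLoaded, Signed, SignatureStatus

# Service state changes for the agent (System log, Service Control Manager Event ID 7036) in
# the same window, to line up a restart with any earlier write to openssl.cnf.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Zabbix Agent' } |
    Select-Object TimeCreated, Message
```

Sysmon's Signed and SignatureStatus fields come from its own Authenticode check at load time, so a DLL the attacker signs with an untrusted certificate still shows as not Valid. Tune the trusted-root list to the real install directory; any legitimate module the agent loads from elsewhere belongs in that list, not in a broader exclusion.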
How to Mitigate CVE-2025-27237
Immediate Actions Required
- Apply the Zabbix security update referenced in ZBX-27061 once available for your deployment branch.
- Restrict write permissions on the Zabbix Agent installation directory and the OpenSSL configuration file to administrators only.
- Inventory Windows hosts running Zabbix Agent or Agent 2 and prioritize patching systems exposed to multiple interactive users.
Patch Information
Zabbix tracks remediation under issue ZBX-27061. Review the ticket for fixed version numbers corresponding to your installed branch and upgrade to a build that hardens the OpenSSL configuration search path or relocates openssl.cnf to a directory restricted to administrators.
Workarounds
- Manually adjust the ACL on the OpenSSL configuration file path so that only SYSTEM and Administrators retain write access.
- Set the OPENSSL_CONF environment variable for the Zabbix Agent service to point to a configuration file stored in a directory writable only by administrators. The variable must be present in the service's own environment (for example through the Environment value under its registry key), not merely in an interactive user's session, and the new file's ACL must be at least as tight as the path it replaces; otherwise the redirect only moves the problem.
- Audit the configuration file for engine and provider directives and remove any that reference DLLs in user-writable directories. Deleting a staged DLL on its own is not a fix, since the attacker can stage another; the writable path and the directive that points at it are what need to go.
# Example: restrict ACLs on the Zabbix Agent installation directory (run from an elevated prompt).
# Apply the same restriction to whichever directory the agent's OpenSSL build reads openssl.cnf from.
icacls "C:\Program Files\Zabbix Agent" /inheritance:r
icacls "C:\Program Files\Zabbix Agent" /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"
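The OPENSSL_CONF workaround carried through end to end, as an added PowerShell example that is not from this advisory or the Zabbix project: it writes a minimal OpenSSL config that loads no engines or providers, locks it to SYSTEM and Administrators, adds OPENSSL_CONF to the service's own environment through the Environment value under its registry key (which the Service Control Manager passes to the service process), and restarts the service. The service name 'Zabbix Agent' and the install path are assumed defaults; confirm them with Get-Service before running.

```powershell
# Added example (not Zabbix project code): give the agent service its own OpenSSL config in
# an administrator-only directory, via the service's OPENSSL_CONF environment variable.
# Service name and install path are assumed defaults; check them with Get-Service first.
# Run from an elevated PowerShell session.
$ServiceName = 'Zabbix Agent'                        # 'Zabbix Agent 2' for Agent 2 (assumed name)
$SafeDir     = 'C:\Program Files\Zabbix Agent\ssl'   # must not be writable by standard users
$SafeConf    = Join-Path $SafeDir 'openssl.cnf'

if (-not (Test-Path -LiteralPath $SafeDir)) { New-Item -ItemType Directory -Path $SafeDir | Out-Null }

# A minimal config that loads no engines or providers, so there is nothing to hijack.
@'
# Hardened OpenSSL config for the Zabbix Agent service: no dynamic engine or provider loading.
openssl_conf = openssl_init

[openssl_init]
'@ | Set-Content -LiteralPath $SafeConf -Encoding Ascii

# Strip inherited ACEs and leave only SYSTEM and Administrators with write access. Users keep
# read/execute so a service running as a less privileged account can still read the file.
icacls $SafeDir  /inheritance:r | Out-Null
icacls $SafeDir  /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' 'Users:(OI)(CI)RX' | Out-Null
icacls $SafeConf /inheritance:r | Out-Null
icacls $SafeConf /grant:r 'SYSTEM:F' 'Administrators:F' 'Users:RX' | Out-Null

# The Service Control Manager passes every 'NAME=value' string in the service key's
# REG_MULTI_SZ 'Environment' value to the service process. Add OPENSSL_CONF there and
# keep any entries already present.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path -LiteralPath $svcKey)) { throw "Service registry key not found: $svcKey" }
$current = @((Get-ItemProperty -LiteralPath $svcKey -Name Environment -ErrorAction SilentlyContinue).Environment)
$kept    = @($current | Where-Object { $_ -and ($_ -notmatch '^OPENSSL_CONF=') })
$newEnv  = [string[]]($kept + "OPENSSL_CONF=$SafeConf")
Set-ItemProperty -LiteralPath $svcKey -Name Environment -Value $newEnv -Type MultiString

# The new environment is only picked up when the SCM starts a fresh service process.
Restart-Service -Name $ServiceName

# Verify: the value is set and the service is back up.
(Get-ItemProperty -LiteralPath $svcKey -Name Environment).Environment
Get-Service -Name $ServiceName | Select-Object Name, Status
```

This redirects OpenSSL but does not remove the default search path, so the ACL on the original location still needs to be fixed as in the icacls example above. Repeat the registry step for the Agent 2 service if both are installed, and keep the protected config minimal: every engine or provider directive you add is another load path to audit.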
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.