CVE Vulnerability Database

CVE-2025-49643: Zabbix DoS Vulnerability via imgstore.php

CVE-2025-49643 is a denial of service flaw in Zabbix that lets authenticated users cause excessive CPU load via imgstore.php. This article covers the technical details, affected versions, impact, and mitigation.


CVE-2025-49643 Overview

CVE-2025-49643 is a CPU Exhaustion Denial of Service vulnerability affecting Zabbix web servers. An authenticated Zabbix user, including those with Guest-level access, can cause disproportionate CPU load on the webserver by sending specially crafted parameters to the /imgstore.php endpoint. This resource exhaustion vulnerability can lead to potential denial of service conditions, impacting the availability of the Zabbix monitoring infrastructure.

Critical Impact

Authenticated users with minimal privileges (including Guest accounts) can exploit this vulnerability to exhaust CPU resources and cause denial of service on Zabbix web servers, potentially disrupting critical IT infrastructure monitoring capabilities.

Affected Products

  • Zabbix Web Server (specific versions affected - see vendor advisory ZBX-27284)
  • Zabbix installations with Guest access enabled
  • Zabbix environments exposed to adjacent network segments

Discovery Timeline

  • 2025-12-01 - CVE-2025-49643 published to NVD
  • 2025-12-01 - Last updated in NVD database

Technical Details for CVE-2025-49643

Vulnerability Analysis

This vulnerability is classified under CWE-405 (Asymmetric Resource Consumption - Amplification), which occurs when an attacker can trigger a disproportionate amount of resource consumption relative to the input provided. The vulnerability exists in the /imgstore.php endpoint of Zabbix web servers.

The CVSS 4.0 score is 6.0 (Medium) with the vector string: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/AU:X/R:X/V:X/RE:X/U:X

The attack requires adjacent network access (AV:A) and has low complexity (AC:L), though the vector records attack requirements (AT:P), so some preconditions must be met. The primary impact is on availability (VA:H), with no impact on confidentiality or integrity (VC:N, VI:N).

The EPSS (Exploit Prediction Scoring System) probability is 0.021%, placing it in the 4.84th percentile, indicating a relatively low likelihood of exploitation in the wild.

Root Cause

The root cause of CVE-2025-49643 lies in improper handling of input parameters within the imgstore.php script. When specially crafted parameters are submitted to this endpoint, the server processes them in a manner that consumes disproportionate CPU resources compared to the minimal effort required by the attacker. This asymmetric resource consumption pattern is characteristic of CWE-405 vulnerabilities.

The lack of proper input validation, rate limiting, or resource consumption bounds on the imgstore functionality allows attackers to amplify their impact on server resources with minimal authenticated requests.

Attack Vector

The attack vector for this vulnerability is Adjacent Network, meaning the attacker must have access to the same network segment as the Zabbix server or be able to route traffic to it from an adjacent network. The key characteristics of the attack include:

  • Authentication Required: The attacker must have at least Guest-level authentication to the Zabbix instance
  • Low Complexity: Exploitation does not require specialized conditions or complex techniques
  • No User Interaction: The attack can be executed without any action from legitimate users
  • Availability Impact: Successful exploitation results in high availability impact through CPU exhaustion

The vulnerability manifests when an authenticated user sends specially crafted parameters to the /imgstore.php endpoint. The specific parameter manipulation triggers resource-intensive processing on the server side, causing CPU exhaustion. For detailed technical information about the exploitation mechanism, refer to the Zabbix support advisory at https://support.zabbix.com/browse/ZBX-27284.

Detection Methods for CVE-2025-49643

Indicators of Compromise

  • Unusual spike in CPU utilization on Zabbix web server processes
  • High volume of requests to /imgstore.php endpoint from authenticated sessions
  • Abnormal request patterns with atypical parameter values to the imgstore functionality
  • Web server logs showing repeated requests to imgstore.php with unusual query strings
  • Performance degradation or timeouts in Zabbix web interface

Detection Strategies

Organizations can implement the following detection strategies to identify potential exploitation attempts:

  1. Web Application Firewall (WAF) Rules: Configure WAF rules to monitor and alert on unusual request patterns to the /imgstore.php endpoint, particularly requests with abnormal parameter lengths or values.

  2. Log Analysis: Implement log monitoring to detect high-frequency access patterns to imgstore.php from individual authenticated sessions or user accounts.

  3. Resource Monitoring: Deploy CPU utilization alerts on Zabbix web server hosts to detect sudden spikes that may indicate active exploitation.

  4. Behavioral Analysis: Use SIEM solutions to correlate authentication events with subsequent imgstore requests, identifying potential abuse patterns from low-privilege accounts.
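As an added illustration of the log-analysis and WAF-style checks above (example code written for this page, not Zabbix's own tooling or the vendor's detection logic), the following Python script parses combined-format web access-log lines, tracks /imgstore.php requests per client address in a sliding window, and flags both request bursts and unusually long query strings. The log lines, client addresses, and thresholds (30 requests per 60 seconds, 256-byte query string) are constructed assumptions for the demonstration; the thresholds must be tuned to the baseline of the monitored frontend.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Matches the nginx/Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": path,
        "query": query,
        "status": int(m["status"]),
    }


def find_imgstore_abuse(lines, window=timedelta(seconds=60), max_requests=30, max_query_len=256):
    """Return a list of (ip, reason, value) alerts for suspicious /imgstore.php traffic.

    Two signals taken from the detection guidance:
      - "high_rate":  more than max_requests hits from one client inside a sliding window
      - "long_query": a query string longer than max_query_len (abnormal parameter length)
    Thresholds are illustrative assumptions, not values from the advisory.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent imgstore requests
    already_flagged = set()       # report each client's rate violation once
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != "/imgstore.php":
            continue
        if len(rec["query"]) > max_query_len:
            alerts.append((rec["ip"], "long_query", len(rec["query"])))
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > max_requests and rec["ip"] not in already_flagged:
            already_flagged.add(rec["ip"])
            alerts.append((rec["ip"], "high_rate", len(q)))
    return alerts


def _log_line(ip, offset_s, target):
    """Build one constructed combined-format line (sample data, not a real capture)."""
    base = datetime(2025, 12, 1, 10, 0, 0, tzinfo=timezone.utc)
    ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {target} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


# Constructed sample log: one oversized query, a normal client, an unrelated page,
# a burst of 40 imgstore requests in 40 seconds, and one malformed line.
SAMPLE_LOG = (
    [_log_line("10.0.0.7", 0, "/imgstore.php?iconid=1&" + "A" * 300)]
    + [_log_line("10.0.0.9", 10 * i, "/imgstore.php?iconid=1") for i in range(5)]
    + [_log_line("10.0.0.5", 0, "/index.php")]
    + [_log_line("10.0.0.5", i, "/imgstore.php?iconid=1") for i in range(40)]
    + ["this line is not an access-log entry"]
)

if __name__ == "__main__":
    for ip, reason, value in find_imgstore_abuse(SAMPLE_LOG):
        print(f"ALERT {reason:10s} client={ip} value={value}")
```

The sliding window is keyed on the client address because that is what a standard access log carries; if the frontend is fronted by a proxy, log and key on the forwarded client address instead, and if a Zabbix session identifier is added to the log format, keying the same deque on that value gives the per-session view the guidance asks for.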

Monitoring Recommendations

Security teams should implement continuous monitoring for this vulnerability:

  • Enable detailed access logging for the Zabbix web interface, particularly for the imgstore endpoint
  • Configure alerting thresholds for CPU utilization on Zabbix web server processes
  • Monitor for Guest account activity and evaluate whether Guest access is necessary
  • Implement request rate monitoring per authenticated session
  • Review authentication logs for unusual patterns of Guest or low-privilege user access

How to Mitigate CVE-2025-49643

Immediate Actions Required

  • Review and apply security patches from Zabbix when available (reference advisory ZBX-27284)
  • Disable Guest access if not required for business operations
  • Implement rate limiting on the /imgstore.php endpoint at the web server or reverse proxy level
  • Restrict network access to Zabbix web interface to authorized networks only
  • Enable enhanced monitoring for CPU utilization and request patterns

Patch Information

For official patch information, refer to the Zabbix support advisory at: https://support.zabbix.com/browse/ZBX-27284

Organizations should monitor this advisory for updates and apply patches as soon as they become available. The vulnerability affects the imgstore functionality, and patches will likely address the improper resource consumption in parameter processing.

Workarounds

If immediate patching is not possible, organizations can implement the following workarounds to reduce risk:

  1. Disable Guest Access: Remove or disable Guest account access to the Zabbix frontend if it is not required for operations.

  2. Network Segmentation: Restrict access to the Zabbix web interface to trusted network segments only, reducing the adjacent network attack surface.

  3. Rate Limiting Configuration: Implement rate limiting at the web server or reverse proxy level to prevent abuse.

Example nginx rate limiting configuration:

  # Rate limiting configuration for Zabbix imgstore endpoint
  http {
      limit_req_zone $binary_remote_addr zone=imgstore:10m rate=10r/s;

      server {
          location /imgstore.php {
              limit_req zone=imgstore burst=20 nodelay;
              # existing imgstore configuration
          }
      }
  }

Because the zone is keyed on $binary_remote_addr, all clients behind one shared NAT address draw from the same bucket; measure the frontend's normal image-loading traffic and adjust the rate and burst values before enforcing the limit.

  4. Access Control Review: Audit user accounts and remove unnecessary low-privilege accounts that could be leveraged for exploitation.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
