CVE-2021-46088

7.2 HIGH

📋 TL;DR

This vulnerability allows authenticated Zabbix administrators to execute arbitrary shell commands on the Zabbix server, leading to full system compromise. It affects Zabbix monitoring systems running vulnerable versions, potentially exposing sensitive infrastructure data and allowing lateral movement.

💻 Affected Systems

Products:
  • Zabbix
Versions: 4.0 LTS, 4.2, 4.4, 5.0 LTS
Operating Systems: All platforms running Zabbix
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Zabbix Admin role privilege; default installations with admin users are vulnerable.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover, data exfiltration, ransomware deployment, and lateral movement across the network from the compromised Zabbix server.

🟠 Likely Case

Attackers with stolen admin credentials or insider threats executing malicious scripts to steal monitoring data, install backdoors, or pivot to other systems.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege, and monitoring are in place, though RCE still poses a significant risk.

🌐 Internet-Facing: HIGH if the Zabbix web interface is exposed to the internet, since attackers can exploit it with stolen credentials.
🏢 Internal Only: HIGH due to the authenticated RCE capability, which can be exploited by malicious insiders or attackers who have already breached the perimeter.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires valid admin credentials; public proof-of-concept available on GitHub.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Zabbix 5.0.18, 4.0.38, and later versions

Vendor Advisory: https://support.zabbix.com/browse/ZBX-20341

Restart Required: Yes

Instructions:

1. Back up the Zabbix configuration and database.
2. Upgrade to the patched version via package manager or manual installation.
3. Restart the Zabbix server and frontend services.
4. Verify functionality.

🔧 Temporary Workarounds

Remove Admin Script Permissions (applies to: all)

Temporarily disable the ability for admin users to execute scripts via the Zabbix interface.

# Edit Zabbix frontend PHP files to remove script execution functionality
# Or modify user roles to remove the 'Execute scripts' permission

Restrict Admin Access (applies to: all)

Limit Zabbix admin accounts to trusted personnel only and implement MFA.

# Review and reduce the admin user count
# Implement IP whitelisting for admin access

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Zabbix server from critical systems
  • Enable detailed logging and monitoring for script execution activities

🔍 How to Verify

Check if Vulnerable:

Check Zabbix version via web interface (Administration → General → About) or command: zabbix_server --version

Check Version:

zabbix_server --version | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+'

Verify Fix Applied:

Confirm version is 5.0.18+, 4.0.38+, or later; test script execution functionality is properly restricted
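The version check above can be automated so that the thresholds named in this advisory (5.0.18 and 4.0.38, "and later versions") are applied per release branch rather than eyeballed. This is an added example, not code from Zabbix or from this advisory; it assumes `zabbix_server --version` prints a line containing an `x.y.z` triple (the sample strings below are constructed), and it treats the 4.2 and 4.4 branches, which the advisory lists as affected without naming a fixed release, as unpatched.

```python
import re
import subprocess

# Fixed releases named in the advisory, keyed by major.minor branch.
FIXED = {
    (4, 0): (4, 0, 38),
    (5, 0): (5, 0, 18),
}
# Branches the advisory lists as affected but gives no fixed release for
# (assumption: treat as unpatched; the remedy is moving to a fixed branch).
AFFECTED_NO_FIX = {(4, 2), (4, 4)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first x.y.z triple from text such as 'zabbix_server (Zabbix) 5.0.17'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version string found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_patched(version):
    """Return True if the version is at or above the fixed release for its branch."""
    branch = version[:2]
    if branch in FIXED:
        return version >= FIXED[branch]
    if branch in AFFECTED_NO_FIX:
        return False
    # Anything newer than the 5.0 branch falls under "and later versions";
    # anything older than 4.0 is outside the advisory and is flagged conservatively.
    return branch > (5, 0)


def check_installed(binary="zabbix_server"):
    """Run the installed binary and return (version_tuple, patched_flag)."""
    out = subprocess.run([binary, "--version"], capture_output=True,
                         text=True, check=True).stdout
    version = parse_version(out)
    return version, is_patched(version)


if __name__ == "__main__":
    # Constructed sample outputs (not real captures) covering each branch rule.
    samples = [
        "zabbix_server (Zabbix) 5.0.17",
        "zabbix_server (Zabbix) 5.0.18",
        "zabbix_server (Zabbix) 4.0.37",
        "zabbix_server (Zabbix) 4.4.10",
        "zabbix_server (Zabbix) 6.0.1",
    ]
    for s in samples:
        v = parse_version(s)
        print(f"{s:32} -> {'patched' if is_patched(v) else 'VULNERABLE'}")
```

Run it on the host itself with `check_installed()`; the sample loop exists only so the branch logic can be exercised without a Zabbix install.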

📡 Detection & Monitoring

Log Indicators:

  • Unusual script execution in Zabbix audit logs
  • Multiple failed login attempts followed by script execution
  • Commands executed from Zabbix server with zabbix user context

Network Indicators:

  • Unexpected outbound connections from Zabbix server
  • Traffic to suspicious IPs/domains originating from Zabbix host

SIEM Query:

source="zabbix_audit.log" AND (event="script.execute" OR command="*sh *" OR command="*bash*")
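The log indicators listed above and the SIEM query can be turned into a small detector that runs over audit records and raises the two patterns the advisory calls out: script execution that invokes a shell interpreter, and a burst of failed logins followed by script execution from the same account. This is an added example, not code from Zabbix or from this advisory; the key=value record layout and the sample lines are constructed for the example, since the page does not show the real Zabbix audit format, and the `login.failed` / `login.success` / `script.execute` event names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed audit lines in an assumed key=value layout (not real Zabbix output).
SAMPLE_LOG = """\
2021-12-20T10:00:01Z user=Admin ip=10.0.0.5 event=login.success
2021-12-20T10:05:12Z user=Admin ip=10.0.0.5 event=script.execute host=web01 command="ping -c 3 10.0.0.9"
2021-12-20T11:00:00Z user=Admin ip=198.51.100.7 event=login.failed
2021-12-20T11:00:03Z user=Admin ip=198.51.100.7 event=login.failed
2021-12-20T11:00:06Z user=Admin ip=198.51.100.7 event=login.failed
2021-12-20T11:00:20Z user=Admin ip=198.51.100.7 event=login.success
2021-12-20T11:01:05Z user=Admin ip=198.51.100.7 event=script.execute host=zabbix-server command="bash -c 'id; uname -a'"
2021-12-20T12:00:00Z user=guest ip=10.0.0.8 event=login.success
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Mirrors the "*sh *" / "*bash*" terms of the SIEM query: a bare sh or bash token.
SHELL_RE = re.compile(r'(^|\s|/)(ba)?sh(\s|$)')


def parse_line(line):
    """Split one record into a dict; the leading ISO timestamp becomes a datetime."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(log_text, failed_threshold=3, window=timedelta(minutes=10)):
    """Return (severity, reason, record) alerts for the advisory's log indicators."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    failures = {}  # user -> timestamps of failed logins seen so far
    for r in records:
        user = r.get("user")
        if r.get("event") == "login.failed":
            failures.setdefault(user, []).append(r["ts"])
            continue
        if r.get("event") != "script.execute":
            continue
        # Every frontend script execution is recorded; it is rare in normal operation.
        alerts.append(("info", "script executed via Zabbix frontend", r))
        if SHELL_RE.search(r.get("command", "")):
            alerts.append(("high", "shell interpreter invoked through script execution", r))
        recent = [t for t in failures.get(user, []) if r["ts"] - t <= window]
        if len(recent) >= failed_threshold:
            alerts.append(("high", f"{len(recent)} failed logins preceded script execution", r))
    return alerts


if __name__ == "__main__":
    for severity, reason, rec in detect(SAMPLE_LOG):
        print(f"[{severity:4}] {rec['ts']} user={rec['user']} ip={rec['ip']} "
              f"cmd={rec.get('command', '')!r}: {reason}")
```

On the constructed sample the routine ping from 10.0.0.5 yields only an informational entry, while the execution from 198.51.100.7 produces two high-severity alerts (shell invocation, and three failed logins within the ten-minute window). Tune `failed_threshold` and `window` to the environment's normal login noise.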
