CVE-2023-32725
📋 TL;DR
This vulnerability in Zabbix allows session cookie leakage through URL widgets. When testing or executing scheduled reports, the configured website receives the user's session cookie, enabling attackers to hijack sessions and access the frontend as that user. All Zabbix users with URL widget access are affected.
💻 Affected Systems
- Zabbix
📦 What is this software?
Frontend by Zabbix
⚠️ Risk & Real-World Impact
Worst Case
Full administrative account takeover leading to complete system compromise, data exfiltration, and lateral movement across the network.
Likely Case
Session hijacking allowing unauthorized access to monitoring data, configuration changes, and potential privilege escalation.
If Mitigated
Limited impact with proper network segmentation and monitoring, but still represents authentication bypass risk.
🎯 Exploit Status
Exploitation requires ability to configure URL widgets or access to scheduled reports, but the actual cookie theft is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Zabbix 6.0.22, 6.2.11, 6.4.6, 7.0.0beta1
Vendor Advisory: https://support.zabbix.com/browse/ZBX-23854
Restart Required: Yes
Instructions:
1. Backup your Zabbix database and configuration.
2. Download the patched version from the Zabbix website.
3. Follow the Zabbix upgrade documentation for your specific version.
4. Restart the Zabbix server and frontend services.
🔧 Temporary Workarounds
Disable URL Widgets
Remove or disable URL widgets from dashboards and scheduled reports
# Remove URL widgets via Zabbix frontend or database
Restrict URL Widget Access
Limit URL widget configuration to trusted administrators only
# Configure Zabbix user permissions to restrict URL widget access
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Zabbix from untrusted networks
- Enable detailed logging and monitoring for URL widget activities and session anomalies
🔍 How to Verify
Check if Vulnerable:
Check Zabbix version via frontend or database: SELECT * FROM dbversion
Check Version:
grep ZABBIX_VERSION /usr/share/zabbix/include/defines.inc.php
Verify Fix Applied:
Confirm the installed version is at or above the patched release for your branch, then re-test a URL widget or scheduled report while capturing the outbound request, and confirm the session cookie is no longer sent to the configured website.
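The version check above can be automated. The following Python script is an added example, not part of this advisory or of the Zabbix project: it reads the ZABBIX_VERSION constant from defines.inc.php (path as given above) and compares it against the fixed releases listed in the Official Fix section. The sample file contents, the map of fixed versions per branch, and the treatment of pre-release suffixes (a build of the fixed patch level that still carries an rc/beta suffix is counted as unfixed, and 7.0.0 alpha builds are counted as predating 7.0.0beta1) are assumptions made for the example.

```python
import re
import sys

# Fixed patch level per release branch, taken from the advisory's "Patch Version" line.
# Branches not listed here (e.g. 5.0) are not covered by that list, so the check returns None.
FIXED_PATCH = {
    (6, 0): 22,   # 6.0.22
    (6, 2): 11,   # 6.2.11
    (6, 4): 6,    # 6.4.6
}

# Matches define('ZABBIX_VERSION', '6.4.5'); regardless of spacing/tabs between the tokens.
VERSION_RE = re.compile(r"define\(\s*'ZABBIX_VERSION'\s*,\s*'([^']+)'\s*\)")

# Constructed stand-in for /usr/share/zabbix/include/defines.inc.php (assumption, not a real file).
SAMPLE_DEFINES = """<?php
define('ZABBIX_VERSION',\t\t'6.4.5');
define('ZABBIX_API_VERSION',\t'6.4.5');
"""


def extract_version(defines_php: str) -> str:
    """Return the ZABBIX_VERSION string found in the given PHP source text."""
    m = VERSION_RE.search(defines_php)
    if not m:
        raise ValueError("ZABBIX_VERSION not found in defines.inc.php content")
    return m.group(1)


def parse_version(version: str):
    """Split '6.4.5' / '7.0.0beta1' into (major, minor, patch, suffix)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4)


def is_vulnerable(version: str):
    """True if the version predates the fix for its branch, False if fixed,
    None if the branch is not covered by the advisory's fix list."""
    major, minor, patch, suffix = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        fixed = FIXED_PATCH[branch]
        if patch < fixed:
            return True
        if patch == fixed and suffix:
            # Assumption: an rc/beta build of the fixed patch level is treated as unfixed.
            return True
        return False
    if branch == (7, 0):
        # Advisory names 7.0.0beta1 as the first fixed 7.0 build.
        # Assumption: alpha builds of 7.0.0 predate it; everything else on 7.0 is fixed.
        return patch == 0 and suffix.startswith("alpha")
    return None


def check_defines_file(path: str):
    """Read defines.inc.php from disk and classify the installed version."""
    with open(path, encoding="utf-8") as f:
        version = extract_version(f.read())
    return version, is_vulnerable(version)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/share/zabbix/include/defines.inc.php"
    version, state = check_defines_file(path)
    label = {True: "VULNERABLE", False: "fixed", None: "branch not covered by advisory"}[state]
    print(f"Zabbix {version}: {label}")
```

Run it on a frontend host with no arguments to use the default path from this advisory, or pass another path if the frontend is installed elsewhere. A result of None means the branch is outside the list of fixed releases given here and needs a manual check against the vendor advisory.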
📡 Detection & Monitoring
Log Indicators:
- Unusual URL widget configurations
- Multiple session creations from different IPs for same user
- Failed authentication attempts followed by successful access
Network Indicators:
- HTTP requests to external URLs containing session cookies
- Unusual outbound connections from Zabbix server
SIEM Query:
source="zabbix" AND (event="URL widget" OR event="session") AND (url="*http*" OR url="*cookie*")
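The network and log indicators listed above can be turned into two concrete checks. The following Python script is an added example, not part of this advisory or of Zabbix itself. It assumes an egress log in which each line records the source IP, destination host and the names of cookies sent (a constructed key=value format, since the page names no log source), that the Zabbix frontend's session cookie is named zbx_session (the default name, an assumption about the deployment), and a frontend login log with user, action and client IP. The first function flags requests from the Zabbix host that carry the session cookie to any host other than the frontend itself; the second flags a user whose sessions are created from different IPs within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Deployment-specific values; all constructed for this example.
ZABBIX_HOST = "10.0.5.20"                 # address the frontend/server makes outbound requests from
FRONTEND_HOSTS = {"zabbix.example.com"}   # hosts the session cookie may legitimately be sent to
SESSION_COOKIE = "zbx_session"            # default Zabbix frontend session cookie name (assumption)

# Constructed egress-proxy log: timestamp followed by key=value tokens, cookies as a comma list or '-'.
EGRESS_LOG = """\
2024-01-15T10:02:11Z src=10.0.5.20 dst_host=zabbix.example.com method=GET cookies=zbx_session
2024-01-15T10:02:15Z src=10.0.5.20 dst_host=status.example.com method=GET cookies=-
2024-01-15T10:03:40Z src=10.0.5.20 dst_host=report-host.example.net method=GET cookies=zbx_session
2024-01-15T10:04:02Z src=10.0.7.9 dst_host=update.example.net method=GET cookies=zbx_session
"""

# Constructed frontend login log in the same token format.
LOGIN_LOG = """\
2024-01-15T09:58:00Z user=Admin action=login ip=10.0.1.15
2024-01-15T10:05:30Z user=Admin action=login ip=203.0.113.7
2024-01-15T10:06:00Z user=guest action=login ip=10.0.1.15
2024-01-15T13:00:00Z user=Admin action=login ip=10.0.1.15
"""


def parse_kv_lines(text: str):
    """Yield one dict per non-empty line: {'ts': ..., key: value, ...}."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = {"ts": ts}
        for pair in pairs:
            key, _, value = pair.partition("=")
            rec[key] = value
        yield rec


def cookie_egress_findings(log: str):
    """Requests from the Zabbix host that send the session cookie to a non-frontend host."""
    findings = []
    for rec in parse_kv_lines(log):
        cookies = set(rec.get("cookies", "-").split(","))
        if (rec.get("src") == ZABBIX_HOST
                and SESSION_COOKIE in cookies
                and rec.get("dst_host") not in FRONTEND_HOSTS):
            findings.append(rec)
    return findings


def multi_ip_logins(log: str, window: timedelta = timedelta(minutes=30)):
    """Map user -> set of IPs for users with logins from different IPs inside `window`."""
    by_user = defaultdict(list)
    for rec in parse_kv_lines(log):
        if rec.get("action") != "login":
            continue
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        by_user[rec["user"]].append((ts, rec["ip"]))

    findings = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (t_i, ip_i) in enumerate(logins):
            for t_j, ip_j in logins[i + 1:]:
                if t_j - t_i > window:
                    break   # later logins are further away still, since the list is sorted
                if ip_j != ip_i:
                    findings.setdefault(user, set()).update({ip_i, ip_j})
    return findings


if __name__ == "__main__":
    for rec in cookie_egress_findings(EGRESS_LOG):
        print(f"[egress] {rec['ts']} session cookie sent to {rec['dst_host']}")
    for user, ips in multi_ip_logins(LOGIN_LOG).items():
        print(f"[login] {user} created sessions from {sorted(ips)} within 30 minutes")
```

On the constructed data the egress check reports only the request to report-host.example.net: the request to the frontend's own host is permitted, the one to status.example.com carries no cookie, and the last line comes from a different source. The login check reports Admin (10.0.1.15 and 203.0.113.7 within eight minutes) but not the 13:00 login, which is outside the window. Point the two functions at real exports of your proxy and frontend audit logs after adjusting the token parser to their format.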