CVE-2024-33668 – This vulnerability in Zammad allows attackers t... (How to Fix)

Q: What is the severity of CVE-2024-33668?

CVE-2024-33668 has a CVSS score of 9.1 (CRITICAL). This vulnerability in Zammad allows attackers to brute-force guessable FormIDs used in the upload cache, enabling them to inject malicious content into article drafts they shouldn't have access to. All Zammad instances before version 6.3.0 are affected, potentially compromising data integrity and enabling further attacks.

📋 TL;DR

This vulnerability in Zammad allows attackers to brute-force guessable FormIDs used in the upload cache, enabling them to inject malicious content into article drafts they shouldn't have access to. All Zammad instances before version 6.3.0 are affected, potentially compromising data integrity and enabling further attacks.

💻 Affected Systems

Products:

Zammad

Versions: All versions before 6.3.0

Operating Systems: All supported platforms

Default Config Vulnerable: ⚠️ Yes

Notes: All Zammad deployments using the default upload cache configuration are vulnerable.

📦 What is this software?

Zammad by Zammad

View all CVEs affecting Zammad →

Zammad by Zammad

View all CVEs affecting Zammad →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers inject malicious content into sensitive article drafts, leading to data corruption, privilege escalation, or cross-site scripting attacks against administrators viewing those drafts.

🟠

Likely Case

Unauthorized content injection into article drafts, potentially disrupting business operations or enabling social engineering attacks through manipulated content.

🟢

If Mitigated

Limited impact with proper access controls and monitoring, though the vulnerability still exists in the upload cache mechanism.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires some authentication but uses brute-force techniques against guessable identifiers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.3.0

Vendor Advisory: https://zammad.com/en/advisories/zaa-2024-02

Restart Required: Yes

Instructions:

1. Backup your Zammad instance and database. 2. Update to Zammad 6.3.0 or later using your deployment method (package manager, Docker, manual). 3. Restart the Zammad service. 4. Verify the update completed successfully.

🔧 Temporary Workarounds

Restrict Upload Cache Access

all

Implement network-level restrictions to limit access to the upload cache endpoints to authorized users only.

🧯 If You Can't Patch

Implement strict rate limiting on upload cache endpoints to prevent brute-force attacks.
Monitor logs for unusual upload cache access patterns and investigate any suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check your Zammad version via the web interface (Admin → System → Version) or command line: `zammad version`

Check Version:

zammad version

Verify Fix Applied:

Confirm version is 6.3.0 or higher and test that upload cache FormIDs are no longer guessable or predictable.

📡 Detection & Monitoring

Log Indicators:

Multiple failed attempts to access upload cache endpoints with different FormIDs
Unusual upload patterns to article drafts

Network Indicators:

High volume of requests to upload cache endpoints from single sources

SIEM Query:

source="zammad" AND (uri_path="/api/v1/upload_cache" OR uri_path CONTAINS "upload") AND status_code=200 | stats count by src_ip

📊 Metadata

CVE ID: CVE-2024-33668

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE: CWE-639

Published: April 26, 2024

Last Updated: April 15, 2025

🔗 References

https://zammad.com/en/advisories/zaa-2024-02 Vendor Advisory
https://zammad.com/en/advisories/zaa-2024-02 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-33668, you might also want to check these: