CVE-2025-27232

4.9 MEDIUM

📋 TL;DR

An authenticated Zabbix Super Admin can exploit the oauth.authorize action to read arbitrary files from the webserver, potentially exposing sensitive configuration files, credentials, or other confidential data. This affects Zabbix installations where Super Admin accounts exist and have access to the vulnerable endpoint.

💻 Affected Systems

Products:
  • Zabbix
Versions: Specific versions not detailed in reference; check Zabbix advisory for exact range.
Operating Systems: All OS where Zabbix is installed
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated Super Admin account; default Zabbix installations include Super Admin accounts.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Super Admin reads sensitive files like configuration files containing database credentials, API keys, or other secrets, leading to full system compromise.

🟠

Likely Case

Super Admin reads web server configuration files or application files to gather information for further attacks.

🟢

If Mitigated

Limited impact due to restricted Super Admin accounts and proper file permissions on the server.

🌐 Internet-Facing: MEDIUM - If the Zabbix web interface is exposed to the internet, authenticated Super Admins could exploit this remotely.
🏢 Internal Only: MEDIUM - Internal Super Admins with malicious intent or compromised credentials could exploit this.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Exploitation involves authenticated API calls to the vulnerable endpoint.

Exploitation requires Super Admin privileges; no public exploit code is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Zabbix advisory ZBX-27282 for specific patched versions.

Vendor Advisory: https://support.zabbix.com/browse/ZBX-27282

Restart Required: Yes

Instructions:

1. Review Zabbix advisory ZBX-27282.
2. Upgrade Zabbix to the patched version.
3. Restart Zabbix server and web services.

🔧 Temporary Workarounds

Restrict Super Admin Access

Platform: all

Limit the number of Super Admin accounts and enforce strong authentication.

File System Permissions

Platform: linux

Set strict file permissions on sensitive directories to prevent reading by the web server user.

chmod 600 /path/to/sensitive/files
chown root:root /path/to/sensitive/files

🧯 If You Can't Patch

  • Monitor and audit Super Admin account activity for suspicious file access attempts.
  • Implement network segmentation to isolate Zabbix servers from sensitive systems.

🔍 How to Verify

Check if Vulnerable:

Check if your Zabbix version is within the affected range listed in advisory ZBX-27282.

Check Version:

zabbix_server --version

Verify Fix Applied:

Verify Zabbix version is updated to the patched version and test the oauth.authorize action for file reading.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file-access patterns in Zabbix web server logs, especially requests to the oauth.authorize endpoint whose parameters carry file paths.

Network Indicators:

  • HTTP requests to /oauth.authorize with file paths in parameters.

SIEM Query:

source="zabbix_web.log" AND uri="/oauth.authorize" AND (param CONTAINS "file" OR param CONTAINS "path")
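The SIEM query above is written in generic pseudo-syntax. As an added example (not part of this report and not Zabbix project code), the script below applies the same detection idea to web server access logs: it flags requests that target the oauth.authorize action and carry a parameter whose name contains "file" or "path", or whose value looks like a filesystem path. It matches both the "/oauth.authorize" URI form the report names and, as an assumption to verify against your own deployment, requests routed through "zabbix.php?action=oauth.authorize", which is how Zabbix front ends normally address MVC actions. The log lines are constructed samples in Apache/nginx "combined" format.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (Apache/nginx "combined" format).
# These are not real Zabbix traffic; the paths are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "GET /zabbix.php?action=dashboard.view HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2025:10:01:09 +0000] "GET /zabbix.php?action=oauth.authorize&state=abc123 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2025:10:02:15 +0000] "GET /zabbix.php?action=oauth.authorize&path=../../config/example.conf HTTP/1.1" 200 812 "-" "curl/8.4"
10.0.0.7 - - [12/Mar/2025:10:02:31 +0000] "POST /oauth.authorize?file=/etc/example.conf HTTP/1.1" 200 1802 "-" "curl/8.4"
10.0.0.9 - - [12/Mar/2025:10:03:00 +0000] "GET /zabbix.php?action=host.list HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Minimal parser for the "combined" log format: client IP, timestamp,
# request method, request URI and HTTP status are all we need here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter names the report's SIEM query keys on.
SUSPICIOUS_PARAM_NAMES = ("file", "path")

# Values that look like filesystem paths: traversal, absolute paths,
# backslashes, or URL-encoded equivalents that survived decoding.
PATH_LIKE = re.compile(r"(\.\./|^/|\\|%2e%2e|%2f)", re.IGNORECASE)


def targets_oauth_authorize(uri):
    """True if the request addresses the oauth.authorize action.

    Matches the bare "/oauth.authorize" path named in the report and the
    "zabbix.php?action=oauth.authorize" routing form (assumed; verify
    against your own front end).
    """
    parsed = urlparse(uri)
    if parsed.path.rstrip("/").endswith("/oauth.authorize"):
        return True
    params = parse_qs(parsed.query, keep_blank_values=True)
    return "oauth.authorize" in params.get("action", [])


def suspicious_params(uri):
    """Return (name, value) pairs that suggest a file path is being passed."""
    parsed = urlparse(uri)
    hits = []
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        if name == "action":
            continue  # the routing parameter itself is not evidence
        name_hit = any(tok in name.lower() for tok in SUSPICIOUS_PARAM_NAMES)
        for value in values:
            if name_hit or PATH_LIKE.search(value):
                hits.append((name, value))
    return hits


def scan_access_log(text):
    """Scan raw access-log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; a production scanner would count these
        uri = match.group("uri")
        if not targets_oauth_authorize(uri):
            continue
        params = suspicious_params(uri)
        if params:
            findings.append({
                "ip": match.group("ip"),
                "ts": match.group("ts"),
                "method": match.group("method"),
                "status": match.group("status"),
                "params": params,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} {finding['method']} "
              f"status={finding['status']} params={finding['params']}")
```

Correlate each finding with the Zabbix audit log to identify which Super Admin session issued the request; a benign OAuth flow (the second sample line) carries only a state token and is not flagged, while parameters that name or resemble file paths are.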
