CVE-2025-27236
📋 TL;DR
A Zabbix API vulnerability lets an authenticated regular user call user.get to search other users in their group and read restricted field values they should not be able to see. This allows sensitive user information to be mined through the API. Any installation whose regular (non-admin) users can reach the API is affected.
💻 Affected Systems
- Zabbix
📦 What is this software?
Zabbix by Zabbix
⚠️ Risk & Real-World Impact
Worst Case
Attackers could map all user accounts, gather email addresses, phone numbers, and other personal information for targeted phishing or credential attacks.
Likely Case
Internal users could enumerate colleague information, potentially violating privacy policies and gathering data for social engineering.
If Mitigated
Limited exposure of non-critical user metadata with proper access controls and monitoring in place.
🎯 Exploit Status
Exploitation requires authenticated API access. Simple API calls can enumerate user data.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Zabbix 6.0.35, 7.0.0beta3
Vendor Advisory: https://support.zabbix.com/browse/ZBX-27060
Restart Required: Yes
Instructions:
1. Back up the Zabbix database and configuration.
2. Upgrade to Zabbix 6.0.35 or 7.0.0beta3 (confirm the exact fixed build for your branch against the vendor advisory above), upgrading the frontend package as well as the server, since the API is served by the frontend.
3. Restart the Zabbix server and the web server/PHP-FPM that serves the frontend.
4. Verify the fix: as a regular user, call user.get with output=extend and a search on a restricted field; the fields should no longer be returned and the search should no longer narrow the result set.
🔧 Temporary Workarounds
Restrict API Access
Limit API access to the users and roles that need it: in the user role, under "Access to API", use the API methods deny list to block user.get (or an allow list that omits it) for roles that have no reason to look up other users, and rate-limit requests to api_jsonrpc.php at the reverse proxy, since Zabbix has no built-in API rate limiting.
# Configure in Zabbix frontend: Administration -> User roles -> Access to API -> API methods (deny list)
Monitor API Activity
Enable the audit log and watch for unusual user lookups. Note that the Zabbix audit log records logins, logouts and configuration changes, not read-only calls such as user.get, and DebugLevel in zabbix_server.conf only affects the server daemon, which does not serve the API. To see which methods and parameters a client sends, log the JSON-RPC request bodies for api_jsonrpc.php at the reverse proxy or web server in front of the frontend.
# Enable the audit log in the frontend (Audit log settings under Administration)
# Log POST bodies for api_jsonrpc.php at the reverse proxy to capture method names and parameters
🧯 If You Can't Patch
- Implement strict API access controls and limit user permissions to minimum required
- Enable comprehensive API logging and monitor for suspicious user enumeration activities
🔍 How to Verify
Check if Vulnerable:
Authenticate as a regular (non-admin) user and call user.get with output set to "extend" plus a search or filter on a field such users should not see. If restricted fields come back, or the search narrows the result set (meaning the server applied it), the installation is vulnerable.
Check Version:
zabbix_server --version | head -n 1
# The API is served by the frontend; its version is shown in the web UI page footer and must also be a patched release.
Verify Fix Applied:
After patching, attempt the same API call - restricted fields should return empty or error.
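The "Check if Vulnerable" and "Verify Fix Applied" steps above are the same two user.get calls, so the following script, added here as an example and not part of the advisory or of Zabbix itself, does both: it logs in as a regular user, fetches the user list as a baseline, then repeats the call with output=extend and a search on a field regular users should not see. It assumes the standard endpoint path api_jsonrpc.php, and the RESTRICTED_FIELDS tuple is a placeholder for whatever fields your policy treats as sensitive; the advisory does not enumerate them.

```python
"""Probe a Zabbix frontend for CVE-2025-27236-style exposure through user.get.

Added example for this advisory, not Zabbix project code. Assumptions: the
JSON-RPC endpoint is <frontend URL>/api_jsonrpc.php (the Zabbix default), you
hold credentials for a regular (non-admin) user, and RESTRICTED_FIELDS is a
placeholder for the user fields your policy says such users must not read or
search on; the advisory does not list them, so adjust it.
"""
import json
import urllib.request

# Assumed set of sensitive user fields; not taken from the advisory.
RESTRICTED_FIELDS = ("attempt_ip", "attempt_clock", "attempt_failed")


def rpc_body(method, params, auth=None, req_id=1):
    """JSON-RPC 2.0 body in the shape the Zabbix API expects.

    Zabbix 6.0 takes the session token in the "auth" member; 6.4 and later
    also accept an Authorization: Bearer header, and 7.2 removed the member.
    """
    body = {"jsonrpc": "2.0", "method": method, "params": params, "id": req_id}
    if auth is not None:
        body["auth"] = auth
    return body


def probe_body(auth, field, pattern="*"):
    """user.get that asks for every field and searches on a restricted one."""
    params = {"output": "extend", "search": {field: pattern},
              "searchWildcardsEnabled": True}
    return rpc_body("user.get", params, auth)


def exposed_fields(users, restricted=RESTRICTED_FIELDS):
    """Restricted field names present in any returned user object, sorted."""
    seen = set()
    for user in users:
        seen.update(f for f in restricted if f in user)
    return sorted(seen)


def search_honored(baseline, searched):
    """True when a search on a restricted field narrowed the result set.

    A fixed frontend ignores or rejects the restricted search key, so the
    searched call returns the same users (or an error).  A vulnerable one
    applies it, which lets the caller learn the hidden value guess by guess.
    """
    all_ids = {u["userid"] for u in baseline}
    hit_ids = {u["userid"] for u in searched}
    return bool(hit_ids) and hit_ids < all_ids


def call(url, body, bearer=None):
    """POST one JSON-RPC body and return the decoded response."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json-rpc"})
    if bearer:
        req.add_header("Authorization", f"Bearer {bearer}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def probe(url, username, password, field="attempt_ip", pattern="10.*",
          bearer_header=False):
    """Log in as a regular user and run the baseline and searched user.get calls.

    Returns (exposed, honored); either being truthy means the fix is absent.
    Set bearer_header=True on 7.2+, where the "auth" body member is gone.
    """
    login = call(url, rpc_body("user.login",
                               {"username": username, "password": password}))
    token = login["result"]
    auth, bearer = (None, token) if bearer_header else (token, None)
    baseline = call(url, rpc_body("user.get", {"output": ["userid"]}, auth),
                    bearer)["result"]
    searched = call(url, probe_body(auth, field, pattern), bearer)
    if "error" in searched:          # fixed behaviour: restricted key rejected
        return [], False
    users = searched["result"]
    return exposed_fields(users), search_honored(baseline, users)


if __name__ == "__main__":
    import sys
    print(probe(*sys.argv[1:4]))    # url username password
```

Run it as `python3 probe.py https://zabbix.example.com/api_jsonrpc.php alice 'secret'` (hostname and credentials are placeholders). Pick a search pattern that can plausibly match some but not all users, otherwise the narrowing check cannot distinguish an applied search from an ignored one; a result of `([], False)` after patching matches the expected fixed behaviour above.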
📡 Detection & Monitoring
Log Indicators:
- Multiple user.get API calls from the same user or client IP in a short timeframe
- user.get calls with output=extend, or with search/filter keys on user fields beyond the ones regular users normally look up (username, name)
Network Indicators:
- Unusual volume of POST requests to api_jsonrpc.php from a single client
SIEM Query:
source="zabbix" AND "user.get" AND ("search" OR "filter" OR "extend")
# The query assumes JSON-RPC request bodies are being logged (e.g. at the reverse proxy); the Zabbix audit log does not contain read-only API calls or their parameters.
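The indicators above can be checked offline with the following detector, added here as an example and not part of the advisory or of Zabbix. Because the Zabbix audit log does not record read-only calls, it assumes a reverse proxy in front of api_jsonrpc.php that logs one JSON object per request with the client IP, a timestamp and the raw request body (field names "src", "ts" and "body" are assumed). The sample log lines and the RESTRICTED_FIELDS set are constructed for the example.

```python
"""Flag user.get enumeration in JSON-RPC request logs (CVE-2025-27236).

Added example for this advisory, not Zabbix project code.  The Zabbix audit
log does not record read-only API calls, so this assumes a reverse proxy in
front of api_jsonrpc.php that logs one JSON object per request with "ts"
(epoch seconds), "src" (client IP) and "body" (the raw JSON-RPC request).
SAMPLE_LOG is constructed for the example; RESTRICTED_FIELDS is an assumed
list of sensitive user fields, not one taken from the advisory.
"""
import json
from collections import defaultdict

RESTRICTED_FIELDS = {"attempt_ip", "attempt_clock", "attempt_failed"}
BURST_COUNT = 5      # this many user.get calls from one client ...
BURST_WINDOW = 60    # ... within this many seconds is a burst


def _line(ts, src, method, params, auth):
    """Render one constructed proxy log record."""
    body = {"jsonrpc": "2.0", "method": method, "params": params,
            "auth": auth, "id": 1}
    return json.dumps({"ts": ts, "src": src, "body": json.dumps(body)})


SAMPLE_LOG = "\n".join([
    _line(1700000000, "10.1.1.5", "host.get", {"output": ["host"]}, "t1"),
    _line(1700000001, "10.1.1.5", "user.get",
          {"output": ["userid", "username"]}, "t1"),
    _line(1700000010, "10.1.1.9", "user.get", {"output": "extend"}, "t2"),
    _line(1700000015, "10.1.1.9", "user.get",
          {"output": ["userid"], "filter": {"attempt_failed": "3"}}, "t2"),
    _line(1700000020, "10.1.1.9", "user.get",
          {"output": ["userid"], "search": {"attempt_ip": "10.0.*"},
           "searchWildcardsEnabled": True}, "t2"),
    *[_line(1700000030 + i, "10.1.1.9", "user.get",
            {"output": ["userid"], "search": {"attempt_ip": f"10.0.{i}.*"}},
            "t2") for i in range(5)],
    "garbage line that is not JSON",
])


def parse(log_text):
    """Yield (ts, src, method, params) for well-formed records; skip the rest."""
    for raw in log_text.splitlines():
        try:
            rec = json.loads(raw)
            body = json.loads(rec["body"])
        except (ValueError, KeyError, TypeError):
            continue
        if not isinstance(body, dict):       # batch requests are not handled
            continue
        params = body.get("params")
        if not isinstance(params, dict):
            params = {}
        yield rec["ts"], rec["src"], body.get("method"), params


def analyze(log_text, restricted=RESTRICTED_FIELDS,
            burst=BURST_COUNT, window=BURST_WINDOW):
    """Return findings as (kind, src, detail) tuples.

    kinds: "extended_output"   - user.get with output=extend
           "restricted_search" - search/filter key on a restricted field
           "burst"             - >= burst user.get calls within window seconds
    """
    findings = []
    stamps = defaultdict(list)               # src -> user.get timestamps
    for ts, src, method, params in parse(log_text):
        if method != "user.get":
            continue
        stamps[src].append(ts)
        if params.get("output") == "extend":
            findings.append(("extended_output", src, ts))
        for key in ("search", "filter"):
            hit = sorted(set(params.get(key) or {}) & restricted)
            if hit:
                findings.append(("restricted_search", src, ",".join(hit)))
    for src, times in stamps.items():
        times.sort()
        for i in range(len(times) - burst + 1):
            if times[i + burst - 1] - times[i] <= window:
                findings.append(("burst", src, len(times)))
                break
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

On the constructed sample, every finding points at 10.1.1.9: one extended-output call, seven search/filter hits on restricted fields, and a burst of eight user.get calls, while the single lookup of userid and username from 10.1.1.5 is ignored. The burst check is a sliding window over sorted timestamps, so a slow enumeration spread over hours is only caught by the restricted-search rule; tune BURST_COUNT and BURST_WINDOW to the normal API traffic of your integrations.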