Cyber Resilience

CVE-2022-23131

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 13 January 2022
Modified: 30 October 2025
KEV Added: 22 February 2022
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.9405 (99.9th percentile)
Risk Priority: 95 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-23131 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Zabbix (vendor: Zabbix). Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2022-23131 affects the Zabbix Frontend in cases where SAML SSO authentication is enabled, a non-default configuration. The flaw stems from insufficient verification of the user login value stored in session data, which allows modification by an attacker and is tracked under CWE-290.

An unauthenticated remote attacker who knows a valid Zabbix username, or who can leverage the disabled-by-default guest account, can exploit the issue to modify session data, escalate privileges, and obtain administrative access to the frontend. The vulnerability carries a CVSS 3.1 score of 9.1, reflecting network attack vector, low complexity, and no required privileges or user interaction.

Zabbix support reference ZBX-20350 and the CISA Known Exploited Vulnerabilities catalog both document the issue, and CISA lists it among vulnerabilities observed in active exploitation. Organizations should therefore apply the available patches, or disable SAML SSO where it is not required.

The EPSS score has reached a peak of 0.9736 with a current value of 0.9405, confirming sustained exploitation interest after disclosure.

EU & UK References

Vulnerability details

In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. A malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to the Zabbix Frontend. To perform the attack, SAML authentication must be enabled and the actor has to know the username of a Zabbix user (or use the guest account, which is disabled by default).

CWE(s): CWE-290 (Authentication Bypass by Spoofing)
KEV Date Added: 22 February 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: zabbix
Product: zabbix
Versions: 6.0.0 · 5.4.0 through 5.4.8

Mitigating Controls (NIST 800-53 r5)

SC-23 (Session Authenticity) · prevent
Directly requires protection of session authenticity, which would have prevented the unauthenticated modification of the SAML-derived username stored in session data.

AC-3 (Access Enforcement) · prevent
Mandates enforcement of access-control decisions; the missing username verification allowed the attacker to bypass the authorization check and obtain admin rights.

Identification and Authentication · prevent
Requires reliable identification and authentication of users; the flaw effectively nullified the SAML authentication result by allowing subsequent session tampering.
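The two controls above (SC-23 session authenticity and AC-3 access enforcement) can be illustrated with a small model of the CWE-290 pattern described in this entry. The code below is an added example written for this page; it is not Zabbix's code and does not reproduce Zabbix's session format. It assumes a hypothetical frontend that keeps the login name of a SAML-authenticated user in a client-held session blob, a constructed role table standing in for the user database, and a per-process secret key. The unsigned variant trusts whatever login the blob carries; the signed variant binds the whole payload to an HMAC-SHA256 tag and makes the authorization decision only from the verified identity, so an altered blob yields no privileges.

```python
"""Session-authenticity check (NIST 800-53 SC-23) for a SAML-derived login.

Constructed model, not Zabbix code: a server stores the login name of the
SAML-authenticated user inside a session blob held by the client. The
unsigned variant accepts whatever login name the blob carries (the CWE-290
pattern); the signed variant binds every field to an HMAC so edits are
rejected, and access decisions (AC-3) use only the verified identity.
"""
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical server-side secret; a real deployment loads it from config.
SESSION_KEY = secrets.token_bytes(32)

# Constructed role table standing in for the server's user database.
USER_ROLES = {"alice": "user", "Admin": "super-admin"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(data: dict) -> bytes:
    # Canonical JSON so the signed bytes are reproducible on verification.
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def issue_unsigned_session(login: str) -> str:
    """Weak pattern: the login is stored, nothing binds it to the server."""
    return _b64(_canonical({"login": login}))


def read_unsigned_session(cookie: str) -> str:
    """Weak pattern: trusts the login field exactly as the client sent it."""
    return json.loads(_unb64(cookie))["login"]


def issue_signed_session(login: str, key: bytes = SESSION_KEY) -> str:
    """Hardened: payload segment plus an HMAC-SHA256 tag over that payload."""
    payload = _canonical({"login": login})
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def read_signed_session(cookie: str, key: bytes = SESSION_KEY):
    """Hardened: returns the login only if the tag verifies; None otherwise."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return json.loads(payload)["login"]
    except (ValueError, KeyError, TypeError):
        # Malformed segment, bad base64, non-JSON payload or missing field.
        return None


def role_for_session(cookie: str) -> str:
    """AC-3 side: authorization keys off the verified identity, never the raw blob."""
    login = read_signed_session(cookie)
    if login is None:
        return "anonymous"
    return USER_ROLES.get(login, "anonymous")


def rewrite_login(cookie: str, new_login: str) -> str:
    """Test fixture: edits the login field in the payload segment and leaves any
    trailing signature segment untouched, simulating an altered session blob."""
    payload_b64, _, rest = cookie.partition(".")
    data = json.loads(_unb64(payload_b64))
    data["login"] = new_login
    return _b64(_canonical(data)) + ("." + rest if rest else "")


if __name__ == "__main__":
    weak = issue_unsigned_session("alice")
    print("unsigned, edited blob read as:", read_unsigned_session(rewrite_login(weak, "Admin")))
    strong = issue_signed_session("alice")
    print("signed, genuine blob role:", role_for_session(strong))
    print("signed, edited blob role:", role_for_session(rewrite_login(strong, "Admin")))
```

Running the module shows the contrast: the unsigned reader returns the edited login name, while the signed reader returns None for the same edit and the role lookup falls back to anonymous. The point for defenders is that signing only part of the session state is not enough; every field that feeds an authorization decision must be inside the authenticated payload, and the decision itself must be made from the verified value.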

References