CVE-2022-23131
Published: 13 January 2022
Summary
CVE-2022-23131 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in the Zabbix Frontend. Its CVSS 3.1 base score is 9.1 (Critical).
Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).
Deeper analysis
CVE-2022-23131 affects the Zabbix Frontend in cases where SAML SSO authentication is enabled, a non-default configuration. The flaw stems from insufficient verification of the user login value stored in session data, which allows modification by an attacker and is tracked under CWE-290.
An unauthenticated remote attacker who knows a valid Zabbix username, or who can leverage the disabled-by-default guest account, can exploit the issue to modify session data, escalate privileges, and obtain administrative access to the frontend. The vulnerability carries a CVSS 3.1 base score of 9.1, reflecting a network attack vector, low attack complexity, no required privileges or user interaction, and high confidentiality and integrity impact.
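The flaw class described above is easiest to see side by side: a frontend that restores the logged-in user from a login value held in client-controlled session data, next to the same handler with the session bound to a server-side MAC so the value cannot be rewritten. The following is added example code written for this page, not Zabbix's own implementation; the cookie layout, the `saml_data`/`username_attribute` field names, the `KNOWN_USERS` table and the `SERVER_SECRET` are assumptions made for the demonstration, and the SAML assertion validation that precedes `issue_session` is not modelled.

```python
"""Illustrative CWE-290 pattern: trusting a login stored in client-held
session data versus binding that data to a server-side MAC.  Example code
for this page; it is not Zabbix frontend code.  Field names, the user
table and the secret below are constructed for the demonstration."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side state: the accounts the example frontend knows
# about (login -> role) and the secret it signs sessions with.
KNOWN_USERS = {"Admin": "super-admin", "alice": "user", "guest": "user"}
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def encode_blob(data: dict) -> str:
    """Serialize a session dict the way the example frontend stores it."""
    return base64.b64encode(json.dumps(data, sort_keys=True).encode()).decode()


def decode_blob(blob: str) -> dict:
    return json.loads(base64.b64decode(blob))


# --- Vulnerable handler ----------------------------------------------------
def sso_login_vulnerable(cookie_blob: str) -> Optional[str]:
    """Restore the user from the cookie, trusting the login it carries.

    The login was written into the session after SAML authentication, but
    nothing here proves the server wrote it: a client can rewrite the blob
    to name any known account and is treated as that account.  Returns the
    role granted, or None."""
    session = decode_blob(cookie_blob)
    login = session.get("saml_data", {}).get("username_attribute")
    return KNOWN_USERS.get(login)  # unverified login -> role


# --- Hardened handler ------------------------------------------------------
def issue_session(login: str) -> str:
    """Called only after the SAML assertion has been validated server-side
    (not modelled here).  Binds the login to an HMAC over the payload, so
    changing the login without SERVER_SECRET invalidates the session."""
    payload = encode_blob({"saml_data": {"username_attribute": login}})
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return encode_blob({"payload": payload, "sign": sig})


def sso_login_hardened(cookie_blob: str) -> Optional[str]:
    """Accept the login only if the MAC over the session payload verifies."""
    try:
        outer = decode_blob(cookie_blob)
        payload, sig = outer["payload"], outer["sign"]
    except (ValueError, KeyError, TypeError):
        return None  # malformed or not a server-issued session
    if not isinstance(payload, str) or not isinstance(sig, str):
        return None
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time compare
        return None  # payload rewritten or signature forged
    login = decode_blob(payload).get("saml_data", {}).get("username_attribute")
    return KNOWN_USERS.get(login)


def demo() -> dict:
    """Run both handlers against a forged cookie naming the admin account,
    a legitimately issued session, and a signed session whose payload was
    swapped after issuance."""
    forged = encode_blob({"saml_data": {"username_attribute": "Admin"}})
    legit = issue_session("alice")
    outer = decode_blob(legit)
    outer["payload"] = forged  # keep alice's signature, swap in Admin
    tampered = encode_blob(outer)
    return {
        "vulnerable_forged": sso_login_vulnerable(forged),
        "hardened_forged": sso_login_hardened(forged),
        "hardened_tampered": sso_login_hardened(tampered),
        "hardened_legit": sso_login_hardened(legit),
    }


if __name__ == "__main__":
    for name, role in demo().items():
        print(f"{name}: {role}")
```

The vulnerable handler grants the super-admin role from a cookie the client built itself, which is the privilege escalation the advisory describes; the hardened handler rejects both the bare forged blob and the swapped payload, and accepts only a session the server issued after authentication. Binding the session to a MAC is one fix; invalidating the stored login and re-deriving it from the verified SAML assertion on every SSO request is the other, and the vendor patch is the authoritative remediation.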
The Zabbix support ticket ZBX-20350 and the CISA Known Exploited Vulnerabilities catalog both document the issue; the KEV listing records that it has been observed in active exploitation, so organizations should apply the vendor patch or, where SAML SSO is not required, disable it.
The EPSS score peaked at 0.9736 and currently stands at 0.9405, a sustained high estimated probability of exploitation in the wild since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-28222
Vulnerability details
In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. A malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor has to know the username of a Zabbix user (or use the guest account, which is disabled by default).
- CWE(s): CWE-290 (Authentication Bypass by Spoofing)
- KEV Date Added: 22 February 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Zabbix Frontend instances with SAML SSO authentication enabled (a non-default configuration).
Mitigating Controls (NIST 800-53 r5)
- SC-23 (Session Authenticity): directly requires protection of session authenticity, which would have prevented the unauthenticated modification of the SAML-derived username stored in session data.
- AC-3 (Access Enforcement): mandates enforcement of access-control decisions; the missing username verification allowed the attacker to bypass the authorization check and obtain admin rights.
- Identification and Authentication (IA family): requires reliable identification and authentication of users; the flaw effectively nullified the SAML authentication result by allowing subsequent session tampering.