CVE-2022-23134
Published: 13 January 2022
Summary
CVE-2022-23134 is a low-severity Improper Access Control (CWE-284) vulnerability in the Zabbix Frontend. Its CVSS 3.1 base score is 3.7 (Low).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
CVE-2022-23134 is an improper access control vulnerability in the Zabbix Frontend. Once the initial setup has completed, certain steps of setup.php remain reachable by unauthenticated users instead of being restricted to super-administrators: the page does not verify that the caller is authenticated and holds the super-administrator role before serving those steps (CWE-284).
An unauthenticated remote attacker who passes the step checks in setup.php can therefore alter the Zabbix Frontend configuration. The CVSS 3.1 base score of 3.7 reflects a network-reachable flaw that needs no privileges or user interaction but has high attack complexity and a limited integrity impact only (vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). The low score should not be read as low operational risk: the CVE is in CISA's KEV catalog, so exploitation in the wild has been observed.
Security advisories from Debian, Fedora and Zabbix reference patches and updated packages that restrict access to the affected setup steps; Zabbix fixed the issue in 4.0.37, 5.0.19 and 5.4.9 (and in 6.0.0beta1 on the development branch). Organizations should upgrade to a fixed release or apply the distribution packages listed in the Zabbix support tracker and the corresponding distribution announcements. As defence in depth, setup.php is rarely needed once installation is complete and can be blocked at the web server or reverse proxy, so that a future regression in its access checks is not reachable from the network.
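The advisory gives no indicators of compromise, but the flaw has a simple observable: after the initial setup wizard has been completed, setup.php should not be requested at all, and a POST to it that is answered 200 is a configuration-changing request that should have been refused. The following detection is an added example (not from this page or from Zabbix): it scans web-server access logs in the Apache/nginx combined format for setup.php requests made after the setup completion time. The log lines and the completion timestamp are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample access log in the Apache/nginx "combined" format.
# These lines are illustrative, not captured traffic. The first two are the
# operator finishing the install; the later setup.php hits are what the
# detection should surface.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jan/2022:09:02:11 +0000] "POST /zabbix/setup.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Jan/2022:09:05:40 +0000] "GET /zabbix/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Feb/2022:03:14:02 +0000] "GET /zabbix/setup.php HTTP/1.1" 200 6133 "-" "python-requests/2.27.1"
203.0.113.7 - - [20/Feb/2022:03:14:03 +0000] "POST /zabbix/setup.php HTTP/1.1" 200 6133 "-" "python-requests/2.27.1"
203.0.113.7 - - [20/Feb/2022:03:14:04 +0000] "POST /zabbix/setup.php HTTP/1.1" 302 0 "-" "python-requests/2.27.1"
198.51.100.9 - - [20/Feb/2022:03:20:00 +0000] "GET /zabbix/zabbix.php?action=dashboard.view HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Assumed for the example: the operator completed the initial setup wizard at this time.
SETUP_COMPLETED_AT = datetime(2022, 1, 14, 10, 0, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    # Script name without directory prefix or query string, so /zabbix/setup.php
    # and /setup.php are treated alike.
    rec["script"] = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
    return rec


def find_setup_hits(log_text, setup_completed_at):
    """Return every request for setup.php made after the setup wizard was completed."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["script"] != "setup.php":
            continue
        if rec["ts"] <= setup_completed_at:
            continue  # installer traffic before completion is expected
        hits.append(rec)
    return hits


def summarize(hits):
    """Group hits per client IP. A POST answered 200 is rated high: it is a
    state-changing request to a page that should refuse unauthenticated callers."""
    summary = defaultdict(lambda: {"GET": 0, "POST": 0, "post_200": 0,
                                   "agents": set(), "severity": "medium"})
    for rec in hits:
        entry = summary[rec["ip"]]
        entry[rec["method"]] = entry.get(rec["method"], 0) + 1
        entry["agents"].add(rec["ua"])
        if rec["method"] == "POST" and rec["status"] == 200:
            entry["post_200"] += 1
            entry["severity"] = "high"
    return dict(summary)


if __name__ == "__main__":
    for ip, entry in summarize(find_setup_hits(SAMPLE_LOG, SETUP_COMPLETED_AT)).items():
        print(f"{ip}: {entry['severity']} GET={entry['GET']} POST={entry['POST']} "
              f"POST-200={entry['post_200']} agents={sorted(entry['agents'])}")
```

In a real deployment the completion timestamp comes from the install record (or the mtime of the frontend's generated configuration file), and the script path prefix varies with the web root, which is why matching is done on the basename. A GET that is redirected away is the normal behaviour for an unprivileged visitor and is usually just a scanner; a POST that receives 200 after setup has completed is the case to investigate, and on an unpatched release it is consistent with the configuration change this CVE permits.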
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-28225
Vulnerability details
After the initial setup process, some steps of the setup.php file are reachable not only by super-administrators but also by unauthenticated users. A malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
- CWE(s): CWE-284 (Improper Access Control)
- KEV Date Added: 22 February 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Zabbix Frontend (setup.php): 4.0.x before 4.0.37, 5.0.x before 5.0.19, 5.4.x before 5.4.9
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces that post-setup steps in setup.php remain restricted to super-administrators and are unreachable by unauthenticated users.
- IA-2 (Identification and Authentication (Organizational Users)): requires successful identification and authentication before any access to configuration-changing setup functions is granted.
- AC-6 (Least Privilege): ensures that even authenticated sessions receive only the minimal privileges needed, limiting the blast radius if setup endpoints are inadvertently exposed.