Cyber Resilience

CVE-2022-23134

Severity: Low · CISA KEV · Active Exploitation · EUVD Exploited

Published: 13 January 2022

Modified: 30 October 2025
KEV Added: 22 February 2022
Patch: available (see the advisories referenced under Deeper analysis)
CVSS Score (v3.1): 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.9261 (99.8th percentile)
Risk Priority: 83 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-23134 is a low-severity Improper Access Control (CWE-284) vulnerability in Zabbix. Its CVSS v3.1 base score is 3.7 (Low).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are the NIST SP 800-53 controls AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2022-23134 is an improper access control vulnerability in the Zabbix Frontend component. After the initial setup process completes, certain steps of the setup.php script remain reachable by unauthenticated users instead of being limited to super-administrators, because the authentication and authorization checks on those steps are not enforced, as the associated CWE indicates.

An unauthenticated remote attacker can exploit the flaw by bypassing the step validation in setup.php and thereby modifying the Zabbix Frontend configuration. The CVSS 3.1 base score of 3.7 reflects the high attack complexity (AC:H) involved, even though no credentials are required (PR:N).

Security advisories published by Debian, Fedora, and Zabbix reference patches and updated packages that restrict access to the affected setup steps. Organizations are advised to apply the fixes listed in the Zabbix support tracker and the corresponding distribution announcements to restore proper access control.
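A defender's first question is whether anyone has reached setup.php since installation finished. The following is an added example, not code from this page or from the Zabbix project: it scans web-server access logs in the Apache/nginx combined format for requests to setup.php after an assumed setup-completion time. The log lines, the /zabbix/ prefix and the `step` query parameter are all constructed for the example and are not Zabbix's real parameter names.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log; the frontend is assumed to be served under /zabbix/.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2022:10:00:00 +0000] "GET /zabbix/setup.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2022:10:00:04 +0000] "POST /zabbix/setup.php?step=5 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2022:10:01:00 +0000] "GET /zabbix/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Feb/2022:09:00:00 +0000] "GET /zabbix/setup.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
# Assumed time the initial installation finished (take it from change records
# or the mtime of the frontend's generated configuration file in practice).
SETUP_COMPLETED_AT = datetime(2022, 2, 15, tzinfo=timezone.utc)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    rec["status"] = int(rec["status"])
    return rec

def find_setup_access(lines, setup_completed_at):
    """Return every request that reached setup.php once setup was complete."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Post-setup hits on setup.php should come only from super-admins, so
        # each one is worth triage; the access log alone cannot show the role.
        if rec["path"].endswith("/setup.php") and rec["ts"] >= setup_completed_at:
            findings.append(rec)
    return findings

if __name__ == "__main__":
    for f in find_setup_access(SAMPLE_LOG.splitlines(), SETUP_COMPLETED_AT):
        print(f["ts"].isoformat(), f["ip"], f["method"], f["path"], f["query"], f["status"])
```

The sample yields two findings, both from 203.0.113.5; the pre-installation request on 10 February and the index.php request are ignored. Correlate any finding with frontend session data to confirm whether the caller was actually a super-administrator.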


Vulnerability details

After the initial setup process, some steps of the setup.php file are reachable not only by super-administrators but by unauthenticated users as well. A malicious actor can pass the step checks and potentially change the configuration of the Zabbix Frontend.

CWE(s): CWE-284 (Improper Access Control)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: zabbix · Product: zabbix · Versions: 6.0.0; 5.4.0 through 5.4.8
Vendor: fedoraproject · Product: fedora · Versions: 34, 35
Vendor: debian · Product: debian linux · Versions: 9.0

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces that post-setup steps in setup.php remain restricted to super-administrators and are unreachable by unauthenticated users.

IA-2 Identification and Authentication (Organizational Users) (prevent): Requires successful identification and authentication before any access to configuration-changing setup functions is granted.

Least privilege (prevent): Ensures that even authenticated sessions receive only the minimal privileges needed, limiting the blast radius if setup endpoints are inadvertently exposed.

References