CVE-2024-42327
Published: 27 November 2024
Summary
CVE-2024-42327 is a critical-severity SQL Injection (CWE-89) vulnerability in Zabbix. Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-42327 is a SQL injection vulnerability in the Zabbix frontend, specifically within the addRelatedObjects function of the CUser class that is invoked by the CUser.get API method. The flaw affects any deployment exposing the Zabbix API and resides in the core user-management component used by the frontend.
A non-administrator account holding the default User role or any other role that grants API access can invoke CUser.get to trigger the injection. Successful exploitation yields full read, write, and delete capabilities across the database, corresponding to the CVSS 9.9 rating that reflects network-accessible impact with low attack complexity and changed scope.
The sole reference points to the Zabbix support ticket ZBX-25623, which contains the official advisory and any associated remediation guidance for affected installations. The EPSS score has remained consistently high near 0.91 with no documented low-to-high trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-39873
Vulnerability details
A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access, can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function; this function is being called from the CUser.get function, which is available for every user who has API access.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.