Cyber Resilience

CVE-2024-42327

Critical

Published: 27 November 2024

Modified: 08 October 2025
CVSS v3.1 base score: 9.9 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.9146 (99.7th percentile)
Risk Priority: 75 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-42327 is a critical-severity SQL Injection (CWE-89) vulnerability in Zabbix (vendor: Zabbix). Its CVSS base score is 9.9 (Critical).

Operationally, it ranks in the top 0.3% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-42327 is a SQL injection vulnerability in the Zabbix frontend, specifically within the addRelatedObjects function of the CUser class that is invoked by the CUser.get API method. The flaw affects any deployment exposing the Zabbix API and resides in the core user-management component used by the frontend.

A non-administrator account holding the default User role, or any other role that grants API access, can invoke CUser.get to trigger the injection. Successful exploitation yields full read, write, and delete capabilities across the database, consistent with the CVSS 9.9 rating: network-accessible, low attack complexity, low privileges required, and changed scope.

The sole reference points to the Zabbix support ticket ZBX-25623, which contains the official advisory and any associated remediation guidance for affected installations. The EPSS score has remained consistently high near 0.91 with no documented low-to-high trajectory after disclosure.

Vulnerability details

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access, can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function; this function is being called from the CUser.get function, which is available for every user who has API access.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: zabbix
Product: zabbix
Affected versions: 6.0.0 to 6.0.32, 6.4.0 to 6.4.17, 7.0.0 to 7.0.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-89: penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.
- Addresses CWE-89: validates query inputs to prevent SQL syntax or command manipulation.

References