CVE-2013-3628
published 2020-02-07

CVE-2013-3628: Zabbix 2.0.9 has an Arbitrary Command Execution Vulnerability

Priority P276 high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 67.46% (99.2th percentile)
Zabbix 2.0.9 has an Arbitrary Command Execution Vulnerability

Affected

1 ranges
Vendor | Product | Version range | Fixed in
zabbix | zabbix | |

Detection & IOCs (extracted from sources)

url: /zabbix/index.php
url: /zabbix/dashboard.php
url: /zabbix/scripts.php
url: /zabbix/hosts.php
url: /zabbix/scripts_exec.php?execute=1&hostid=&scriptid=&sid=
  • Monitor for POST requests to /zabbix/scripts.php with 'execute_on=1' and 'type=0' (Zabbix agent script execution on server), especially when followed shortly by a GET to scripts_exec.php?execute=1, as this is the exploit's two-step payload delivery pattern.
  • Detect creation of a new Zabbix host via POST to /zabbix/hosts.php with interface IP hardcoded to 127.0.0.1 and port 10050, which is the exploit's technique to target the Zabbix server itself for local command execution.
  • Alert on GET requests to scripts_exec.php with the parameter execute=1, which triggers actual OS command execution on the Zabbix server. This endpoint should rarely if ever be called with execute=1 in normal operations.
  • Default credentials used by the exploit module are username 'Admin' and password 'zabbix'. Successful logins with these credentials followed by admin-level script/host creation activity should be treated as high-confidence compromise indicators.
  • The vulnerability requires valid Zabbix administrator credentials; it is an authenticated exploit. Detection should focus on post-authentication abuse of the script/host creation workflow rather than unauthenticated probes.
  • The exploit was confirmed against multiple Zabbix versions (2.0.5, 2.0.9, 3.0.1, 4.0.18, 5.0.17, 6.0.0), so version-based filtering alone is insufficient for detection or triage.
  • The default TARGETURI is '/zabbix/' but may vary per deployment. Detection rules using hardcoded paths should account for non-default installation directories.
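
A log-correlation sketch for the request sequence described in the bullets above, added here as an example and not taken from any source this page cites. It assumes combined-format web server access logs that do not record POST bodies (so `execute_on` and `type` cannot be checked), a 60-second correlation window, and constructed sample lines; it matches on the PHP file name so a non-default base path is still covered.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (combined log format); IPs, ids and sid values are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Feb/2020:10:00:01 +0000] "POST /zabbix/index.php HTTP/1.1" 302 0
192.0.2.10 - - [07/Feb/2020:10:00:03 +0000] "POST /zabbix/hosts.php HTTP/1.1" 200 5120
192.0.2.10 - - [07/Feb/2020:10:00:04 +0000] "POST /zabbix/scripts.php HTTP/1.1" 200 4096
192.0.2.10 - - [07/Feb/2020:10:00:05 +0000] "GET /zabbix/scripts_exec.php?execute=1&hostid=10105&scriptid=4&sid=abcd HTTP/1.1" 200 812
198.51.100.7 - - [07/Feb/2020:11:30:00 +0000] "GET /monitor/scripts_exec.php?execute=1&hostid=10084&scriptid=1&sid=ef01 HTTP/1.1" 200 640
198.51.100.9 - - [07/Feb/2020:12:00:00 +0000] "GET /zabbix/dashboard.php HTTP/1.1" 200 9000
"""

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
WINDOW = timedelta(seconds=60)  # assumed correlation window, tune per environment


def detect(log_text, window=WINDOW):
    """Return (severity, client_ip, iso_timestamp) for each scripts_exec.php?execute=1 hit.

    "high"   = same client POSTed to scripts.php or hosts.php within the window
    "review" = execute=1 seen without a preceding script/host change
    """
    last_setup = {}  # client ip -> time of latest POST to scripts.php / hosts.php
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, target, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(target)
        page = url.path.rsplit("/", 1)[-1]  # file name only: base path may differ
        if method == "POST" and page in ("scripts.php", "hosts.php"):
            last_setup[ip] = when
        elif (method == "GET" and page == "scripts_exec.php"
              and parse_qs(url.query).get("execute") == ["1"]):
            prior = last_setup.get(ip)
            chained = prior is not None and timedelta(0) <= when - prior <= window
            alerts.append(("high" if chained else "review", ip, when.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Keying on client IP misses a sequence split across addresses; where the application log exposes the Zabbix session id, correlating on that is the stronger join.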

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P