CVE-2013-3628
Published 2020-02-07
CVE-2013-3628: Zabbix 2.0.9 has an Arbitrary Command Execution Vulnerability
Priority P276 · high · 8.8 (CVSS 3.1) · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Public exploit available · EPSS 67.46% (99.2nd percentile)
Zabbix 2.0.9 has an Arbitrary Command Execution Vulnerability
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zabbix | zabbix | — | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /zabbix/scripts.php carrying execute_on=1 and type=0 (type 0 is a plain script; execute_on=1 runs it on the Zabbix server rather than on the agent), especially when followed shortly by a GET to scripts_exec.php?execute=1: this is the exploit's two-step payload delivery pattern.
- Detect creation of a new Zabbix host via POST to /zabbix/hosts.php whose interface IP is set to 127.0.0.1 and port to 10050, the exploit's way of pointing the server at itself so the script runs locally.
- Alert on GET requests to scripts_exec.php with the parameter execute=1, which triggers the actual OS command execution on the Zabbix server. This endpoint should rarely, if ever, be called with execute=1 in normal operations.
- The exploit module's default credentials are username 'Admin' and password 'zabbix' (the Zabbix frontend's factory defaults). Successful logins with these credentials followed by admin-level script or host creation should be treated as high-confidence compromise indicators.
- The vulnerability requires valid Zabbix administrator credentials; it is an authenticated exploit. Detection should focus on post-authentication abuse of the script/host creation workflow rather than on unauthenticated probes.
- The module was confirmed against multiple Zabbix versions (2.0.5, 2.0.9, 3.0.1, 4.0.18, 5.0.17, 6.0.0), so version-based filtering alone is insufficient for detection or triage.
- The default TARGETURI is '/zabbix/' but varies per deployment. Detection rules that use hard-coded paths should account for non-default installation directories.
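As an added example (not from the page, Zabbix or the Metasploit module), the Python below correlates the indicators above into one alert per source IP. It assumes a JSON-lines reverse-proxy or WAF log that records request parameters (`ts`, `src`, `method`, `path`, `params`); that format is an assumption, and it matters, because a plain Apache or nginx access log carries no POST body, so only the scripts_exec.php GET would be visible there. The Zabbix form field names (`execute_on`, `type`, `interfaces[1][ip]`, `interfaces[1][port]`, `execute`, and `name` on the login form) follow the IOCs above and are assumed; the sample log lines are constructed.

```python
import json
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed sample log (JSON lines; the format is an assumption). 203.0.113.9
# walks the full sequence; 10.0.0.5 is an admin creating an agent-side script
# and an ordinary host; 10.0.0.7 runs a script with no preparatory steps.
# The proxy is assumed to log the login name only, never the password.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:00Z", "src": "203.0.113.9", "method": "POST", "path": "/zabbix/index.php", "params": {"name": "Admin", "enter": "Sign in"}, "status": 302}
{"ts": "2024-05-01T10:00:05Z", "src": "203.0.113.9", "method": "POST", "path": "/zabbix/scripts.php", "params": {"sid": "abc123", "name": "xqzt", "type": "0", "execute_on": "1", "command": "id", "add": "Add"}, "status": 200}
{"ts": "2024-05-01T10:00:07Z", "src": "203.0.113.9", "method": "POST", "path": "/zabbix/hosts.php", "params": {"sid": "abc123", "host": "lo", "interfaces[1][ip]": "127.0.0.1", "interfaces[1][port]": "10050", "add": "Add"}, "status": 200}
{"ts": "2024-05-01T10:00:09Z", "src": "203.0.113.9", "method": "GET", "path": "/zabbix/scripts_exec.php?execute=1&hostid=10105&scriptid=4", "params": {}, "status": 200}
{"ts": "2024-05-01T11:30:00Z", "src": "10.0.0.5", "method": "POST", "path": "/monitoring/scripts.php", "params": {"sid": "def456", "name": "ping", "type": "0", "execute_on": "0", "command": "ping -c 3 {HOST.CONN}", "add": "Add"}, "status": 200}
{"ts": "2024-05-01T11:31:00Z", "src": "10.0.0.5", "method": "POST", "path": "/monitoring/hosts.php", "params": {"sid": "def456", "host": "web01", "interfaces[1][ip]": "10.0.0.21", "interfaces[1][port]": "10050", "add": "Add"}, "status": 200}
{"ts": "2024-05-01T12:00:00Z", "src": "10.0.0.7", "method": "GET", "path": "/monitoring/scripts_exec.php?execute=1&hostid=10084&scriptid=1", "params": {}, "status": 200}
"""

PREP_STAGES = {"server_script_created", "loopback_host_created"}


def parse_events(text):
    """Parse JSON lines into events with a timestamp, the PHP script name
    (directory stripped, so a non-default install path still matches) and
    all request parameters (POST body merged with the query string)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        url = urlparse(rec["path"])
        params = dict(rec.get("params", {}))
        for key, values in parse_qs(url.query).items():
            params.setdefault(key, values[0])
        events.append({
            "ts": datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
            "src": rec["src"],
            "method": rec["method"],
            "script": url.path.rsplit("/", 1)[-1],
            "params": params,
        })
    return events


def classify(ev):
    """Map one request to an attack stage, or None if it is uninteresting."""
    p, script, post = ev["params"], ev["script"], ev["method"] == "POST"
    if script == "index.php" and post and p.get("name") == "Admin":
        return "admin_login"                      # default account name
    if script == "scripts.php" and post and p.get("type") == "0" \
            and p.get("execute_on") == "1":
        return "server_script_created"            # run on the server, not agent
    if script == "hosts.php" and post:
        ips = [v for k, v in p.items() if k.endswith("[ip]")]
        ports = [v for k, v in p.items() if k.endswith("[port]")]
        if "127.0.0.1" in ips and "10050" in ports:
            return "loopback_host_created"        # server targets itself
    if script == "scripts_exec.php" and p.get("execute") == "1":
        return "script_executed"                  # the actual command run
    return None


def correlate(events, window=timedelta(minutes=10)):
    """Emit one alert per script execution, rated by which preparatory stages
    the same source IP performed inside `window` before it."""
    alerts, history = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage is None:
            continue
        history.setdefault(ev["src"], []).append((ev["ts"], stage))
        if stage != "script_executed":
            continue
        seen = {s for t, s in history[ev["src"]] if ev["ts"] - t <= window}
        if PREP_STAGES <= seen:
            severity = "high"
        elif PREP_STAGES & seen:
            severity = "medium"
        else:
            severity = "low"   # execute=1 alone is still rare; keep it visible
        alerts.append({
            "src": ev["src"],
            "ts": ev["ts"].isoformat(),
            "severity": severity,
            "stages": sorted(seen),
            "default_account": "admin_login" in seen,
        })
    return alerts


def detect(text=SAMPLE_LOG):
    return correlate(parse_events(text))


if __name__ == "__main__":
    for alert in detect():
        print(json.dumps(alert))
```

Matching on the PHP file name instead of the full path covers a non-default TARGETURI (the `/monitoring/` requests above are still classified). The scoring deliberately favours the sequence over any single request: a legitimate administrator does sometimes create a server-side script or run one, but creating a 127.0.0.1:10050 host and then executing a fresh server-side script against it within minutes is the exploit's shape, not an admin's.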
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
Exploit-DB
Zabbix - (Authenticated) Remote Command Execution (Metasploit) · exploitdb · 2013-10-31 · CVE-2013-3628
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Zabbix Authenticated Remote Command Execution',
      'Description' => %q{
        ZABBIX allows an administrator to create scripts that will be run on hosts.
        An authenticated attacker can create a script containing a payload, then a host
        with an IP of 127.0.0.1 and run the arbitrary script on the ZABBIX host.
        This module was tested against Zabbix v2.0.9.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Brandon Perry' # Discovery / msf module
        ],
      'References'  =>
        [
          ['CVE', '2013-3628'],
          ['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats']
        ]
    ))
    # The remainder of the module (options, check and exploit methods) is not
    # reproduced on this page.
  end
end
```
Metasploit
Zabbix Authenticated Remote Command Execution (metasploit module)
ZABBIX allows an administrator to create scripts that will be run on hosts. An authenticated attacker can create a script containing a payload, then a host with an IP of 127.0.0.1 and run the arbitrary script on the ZABBIX host. This module was tested against Zabbix v2.0.9, v2.0.5, v3.0.1, v4.0.18, v5.0.17, v6.0.0.
No writeups or analysis indexed.
References
- http://www.exploit-db.com/exploits/29321
- http://www.securityfocus.com/bid/63453
- https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one
- https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats