CVE-2016-10134
published 2017-02-17

Priority: P279, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 83.28% (99.6th percentile)

SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php.

Affected

14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | zabbix | < zabbix 1:3.0.4+dfsg-1 (bookworm) | zabbix 1:3.0.4+dfsg-1 (bookworm) |
| zabbix | zabbix | <= 2.2.13 | |
| zabbix | zabbix | | |
| zabbix | zabbix | | |
| zabbix | zabbix | | |
| zabbix | zabbix | | |
| zabbix | zabbix | >= 0 < 1:3.0.4+dfsg-1 | 1:3.0.4+dfsg-1 |
| zabbix | zabbix | >= 0 < 1:3.0.4+dfsg-1 | 1:3.0.4+dfsg-1 |
| zabbix | zabbix | >= 0 < 1:3.0.4+dfsg-1 | 1:3.0.4+dfsg-1 |
| zabbix | zabbix | >= 0 < 1:3.0.4+dfsg-1 | 1:3.0.4+dfsg-1 |
| zabbix | zabbix | >= 0 < 1:2.2.2+dfsg-1ubuntu1+esm4 | 1:2.2.2+dfsg-1ubuntu1+esm4 |
| zabbix | zabbix | >= 0 < 1:2.4.7+dfsg-2ubuntu2.1+esm3 | 1:2.4.7+dfsg-2ubuntu2.1+esm3 |
| zabbix | zabbix | >= 0 < 1:3.0.12+dfsg-1ubuntu0.1~esm3 | 1:3.0.12+dfsg-1ubuntu0.1~esm3 |
| zabbix | zabbix | >= 0 < 1:4.0.17+dfsg-1ubuntu0.1~esm1 | 1:4.0.17+dfsg-1ubuntu0.1~esm1 |

Detection & IOCs (extracted from sources)

url: /jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,user()),0)::
path: /jsrpc.php
  • Exploit payload uses updatexml() with concat() to trigger error-based SQL injection via the profileIdx2 parameter in jsrpc.php
  • Shodan query to identify exposed Zabbix instances by favicon hash
  • Shodan query to identify exposed Zabbix server instances by title
  • Metasploit auxiliary module exploits the toggle_ids SQL injection to extract usernames and password hashes from the Zabbix database to a JSON file
  • Vulnerability affects Zabbix versions before 2.2.14 and 3.0.x before 3.0.4; the jsrpc.php attack vector targets the profileIdx2 parameter specifically
  • Metasploit module targets Zabbix 3.0.3 specifically but likely affects prior versions as well

CVSS provenance

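| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 9.8 | CRITICAL | |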