CVE-2017-2824
published 2017-05-24

Priority: P261 · high · 8.1 (CVSS 3.0)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 26.10% (97.7th percentile)
An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. A specially crafted set of packets can cause a command injection resulting in remote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability.

Affected

20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | zabbix | < zabbix 1:3.0.7+dfsg-3 (bookworm) | zabbix 1:3.0.7+dfsg-3 (bookworm) |
| zabbix | zabbix | | |
| zabbix | zabbix | | |
| zabbix | zabbix | | |
| zabbix | zabbix | | |
| zabbix | zabbix | | |
| zabbix | zabbix | | |
| zabbix | zabbix | | |
| zabbix | zabbix | | |
| zabbix | zabbix | | |
| zabbix | zabbix | | |
| zabbix | zabbix | >= 0 < 1:3.0.7+dfsg-3 | 1:3.0.7+dfsg-3 |
| zabbix | zabbix | >= 0 < 1:3.0.7+dfsg-3 | 1:3.0.7+dfsg-3 |
| zabbix | zabbix | >= 0 < 1:3.0.7+dfsg-3 | 1:3.0.7+dfsg-3 |
| zabbix | zabbix | >= 0 < 1:3.0.7+dfsg-3 | 1:3.0.7+dfsg-3 |
| zabbix | zabbix | >= 0 < 1:2.2.2+dfsg-1ubuntu1+esm4 | 1:2.2.2+dfsg-1ubuntu1+esm4 |
| zabbix | zabbix | >= 0 < 1:2.4.7+dfsg-2ubuntu2.1+esm3 | 1:2.4.7+dfsg-2ubuntu2.1+esm3 |
| zabbix | zabbix | >= 0 < 1:3.0.12+dfsg-1ubuntu0.1~esm3 | 1:3.0.12+dfsg-1ubuntu0.1~esm3 |
| zabbix | zabbix | >= 0 < 1:4.0.17+dfsg-1ubuntu0.1~esm1 | 1:4.0.17+dfsg-1ubuntu0.1~esm1 |
| zabbix | zabbix_server | | |

Detection & IOCs (extracted from sources)

snort: 42326
snort: 42337
  • Monitor for command injection attempts in Zabbix 'discovery' requests sent from active Zabbix Proxy to Zabbix Server trapper API — attacker inserts arbitrary commands into the Zabbix database via this vector.
  • Detect two-stage exploitation: first a crafted 'discovery' request inserts a malicious command record into the DB, then a follow-up request triggers execution of that record — look for anomalous trapper packets from proxy-sourced connections.
  • Restrict or alert on connections to the Zabbix Server trapper port from hosts not in the authorized Zabbix Proxy allowlist — exploitation requires requests originating from an active Zabbix Proxy.
  • Vulnerability is exploitable only against Zabbix Server 2.4.X (specifically confirmed 2.4.7–2.4.8r1); detection rules and mitigations should be scoped to these versions.
  • Snort rules 42326 and 42337 may be updated over time; always pull the latest rule definitions from Defense Center or Snort.org rather than relying on static copies.

CVSS provenance

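| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 9.8 | CRITICAL | |
| vendor_debian | | 8.1 | HIGH | |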