CVE-2022-23131
published 2022-01-13

Priority P196 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2022-03-08
Exploited in the wild
EPSS: 95.68% (99.9th percentile)
In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. Malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor has to know the username of Zabbix user (or use the guest account, which is disabled by default).

Affected (4 ranges)

Vendor   Product    Version range    Fixed in
debian   zabbix
zabbix   frontend
zabbix   zabbix
zabbix   zabbix     5.4.0 – 5.4.8

Detection & IOCs (extracted from sources)

path: /index_sso.php
path: /zabbix/index_sso.php
cookie: zbx_session=eyJzYW1sX2RhdGEiOnsidXNlcm5hbWVfYXR0cmlidXRlIjoiQWRtaW4ifSwic2Vzc2lvbmlkIjoiIiwic2lnbiI6IiJ9
cookie: zbx_session=
snort (M1):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M1"; flow:established,to_server; http.uri; content:"/index_sso.php"; startswith; http.cookie; content:"zbx_session="; content:"InVzZXJuYW1lX2F0dHJpYnV0ZSI6"; distance:0; fast_pattern; pcre:"/(?:InNhbWxfZGF0YS|JzYW1sX2RhdGEi|ic2FtbF9kYXRhI)/"; reference:url,blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference:cve,2022-23131; classtype:trojan-activity; sid:2035371; rev:2; metadata:attack_target Server, created_at 2022_03_02, cve CVE_2022_23131, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_03_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
snort (M2):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M2"; flow:established,to_server; http.uri; content:"/index_sso.php"; startswith; http.cookie; content:"zbx_session="; content:"J1c2VybmFtZV9hdHRyaWJ1dGUiO"; distance:0; fast_pattern; pcre:"/(?:InNhbWxfZGF0YS|JzYW1sX2RhdGEi|ic2FtbF9kYXRhI)/"; reference:url,blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference:cve,2022-23131; classtype:trojan-activity; sid:2035372; rev:2; metadata:created_at 2022_03_02, cve CVE_2022_23131, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_02;)
snort (M3):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M3"; flow:established,to_server; http.uri; content:"/index_sso.php"; startswith; http.cookie; content:"zbx_session="; content:"idXNlcm5hbWVfYXR0cmlidXRlIj"; distance:0; fast_pattern; pcre:"/(?:InNhbWxfZGF0YS|JzYW1sX2RhdGEi|ic2FtbF9kYXRhI)/"; reference:url,blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference:cve,2022-23131; classtype:trojan-activity; sid:2035373; rev:2; metadata:created_at 2022_03_02, cve CVE_2022_23131, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_02;)
bytes: InVzZXJuYW1lX2F0dHJpYnV0ZSI6 (base64 fragment in zbx_session cookie, M1)
bytes: J1c2VybmFtZV9hdHRyaWJ1dGUiO (base64 fragment in zbx_session cookie, M2)
bytes: idXNlcm5hbWVfYXR0cmlidXRlIj (base64 fragment in zbx_session cookie, M3)
bytes: PCRE /(?:InNhbWxfZGF0YS|JzYW1sX2RhdGEi|ic2FtbF9kYXRhI)/ (saml_data base64 variants in zbx_session cookie)
  • Exploit targets GET requests to /index_sso.php (or /zabbix/index_sso.php) with a crafted zbx_session cookie containing a base64-encoded JSON payload with a saml_data.username_attribute field (e.g., 'Admin') and empty sessionid/sign fields, triggering a 302 redirect to zabbix.php?action=dashboard.view on success.
  • Three Snort/ET rules (SIDs 2035371, 2035372, 2035373) cover three base64 byte-boundary variants of the username_attribute key in the zbx_session cookie. All three share the same URI (/index_sso.php) and PCRE for saml_data base64 variants. Deploy all three to ensure full coverage regardless of cookie padding alignment.
  • Shodan fingerprinting can identify exposed Zabbix instances via favicon hash 892542951 or title 'zabbix-server'; FOFA queries combining app='ZABBIX-监控系统' with body='saml' can narrow to instances with SAML enabled.
  • A successful bypass results in an HTTP 302 redirect to the Zabbix dashboard. Monitor web server logs for 302 responses on /index_sso.php requests that contain the zbx_session cookie but originate from unauthenticated sessions.
  • This vulnerability only affects Zabbix instances where SAML SSO authentication has been explicitly enabled; it is NOT enabled by default. Instances using only native Zabbix authentication are not affected.
  • The attacker must know a valid Zabbix username to forge the session. The guest account (which could be used without knowing a username) is disabled by default.
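As an added defender-side example (not code from this page's sources or from the Zabbix project), the Python below shows why the three ET rules need three content strings (they are the three base64 alignments of the JSON key, which the function derives and which can be compared against the fragments quoted above) and decodes a zbx_session value to flag the unsigned saml_data shape the bypass relies on. The page's own cookie value is reused; the benign cookie is constructed for comparison.

```python
import base64
import json

# Base64 fragments from the three ET rules (M1..M3) and their PCRE, as quoted above.
ET_USERNAME_ATTRIBUTE = ["InVzZXJuYW1lX2F0dHJpYnV0ZSI6", "J1c2VybmFtZV9hdHRyaWJ1dGUiO", "idXNlcm5hbWVfYXR0cmlidXRlIj"]
ET_SAML_DATA = ["InNhbWxfZGF0YS", "JzYW1sX2RhdGEi", "ic2FtbF9kYXRhI"]
# Cookie value quoted on this page; it decodes to forged saml_data with empty sessionid/sign.
PAGE_COOKIE = "eyJzYW1sX2RhdGEiOnsidXNlcm5hbWVfYXR0cmlidXRlIjoiQWRtaW4ifSwic2Vzc2lvbmlkIjoiIiwic2lnbiI6IiJ9"
# Constructed, not a real Zabbix session: no saml_data and a non-empty sign.
BENIGN_COOKIE = base64.b64encode(b'{"sessionid":"abc123","sign":"0123"}').decode()


def base64_alignments(needle: bytes) -> list:
    """The three base64 spellings of `needle`, one for each count (0, 1, 2) of bytes
    preceding it in the 3-byte groups. Only characters whose six bits come entirely
    from `needle` are kept, so each spelling matches regardless of cookie padding."""
    spellings = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + needle).decode()
        lo, hi = 8 * k, 8 * (k + len(needle))  # bit range occupied by needle
        spellings.append("".join(c for i, c in enumerate(enc) if 6 * i >= lo and 6 * i + 6 <= hi))
    return spellings


def et_rule_hits(cookie: str) -> list:
    """Which of M1..M3 would fire on this zbx_session value: the rule's content
    fragment must be present together with one of the saml_data spellings (the PCRE)."""
    if not any(frag in cookie for frag in ET_SAML_DATA):
        return []
    return [n for n, frag in enumerate(ET_USERNAME_ATTRIBUTE, start=1) if frag in cookie]


def inspect_zbx_session(cookie: str) -> dict:
    """Decode a zbx_session cookie and report the traits the bypass relies on:
    a saml_data block inside a session whose sessionid and sign are empty."""
    try:
        session = json.loads(base64.b64decode(cookie + "=" * (-len(cookie) % 4), validate=True))
    except ValueError:  # binascii.Error and JSONDecodeError are both ValueErrors
        return {"decodable": False, "suspicious": False}
    if not isinstance(session, dict):
        return {"decodable": True, "suspicious": False}
    saml = session.get("saml_data")
    finding = {
        "decodable": True,
        "has_saml_data": isinstance(saml, dict),
        "username_attribute": saml.get("username_attribute") if isinstance(saml, dict) else None,
        "empty_sessionid": not session.get("sessionid"),
        "empty_sign": not session.get("sign"),
    }
    finding["suspicious"] = finding["has_saml_data"] and finding["empty_sign"]
    return finding
```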

CVSS provenance

nvd v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
nvd v2.0: 5.1 MEDIUM (AV:N/AC:H/Au:N/C:P/I:P/A:P)
vulncheck: 9.1 CRITICAL
cisa: 9.8 CRITICAL
vendor_debian: 9.1 LOW