CVE-2022-23134
published 2022-01-13


Priority: P1 83
Severity: medium, 5.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:L / A:N
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2022-03-08
Exploited in the wild
EPSS: 84.66% (99.7th percentile)
After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.

Affected

10 ranges

Vendor          Product        Version range                         Fixed in
debian          debian_linux
debian          zabbix         < zabbix 1:6.0.7+dfsg-2 (bookworm)    zabbix 1:6.0.7+dfsg-2 (bookworm)
fedoraproject   fedora
fedoraproject   fedora
zabbix          frontend
zabbix          zabbix
zabbix          zabbix         >= 0, < 1:6.0.7+dfsg-2                1:6.0.7+dfsg-2
zabbix          zabbix         >= 0, < 1:6.0.7+dfsg-2                1:6.0.7+dfsg-2
zabbix          zabbix         >= 0, < 1:6.0.7+dfsg-2                1:6.0.7+dfsg-2
zabbix          zabbix         5.4.0 – 5.4.8

Detection & IOCs (extracted from sources)

  • path: /zabbix/setup.php
  • path: /setup.php
  • other: http.favicon.hash:892542951
  • Send a GET request to /zabbix/setup.php or /setup.php with the crafted zbx_session cookie containing an INVALID sessionid but check_fields_result:true and step:6. A 200 response containing the words 'Database', 'host', 'port', and 'Zabbix' (all present) indicates a vulnerable instance.
  • Shodan fingerprinting queries for exposed Zabbix instances: search for favicon hash 892542951 or title 'zabbix-server'.
  • FOFA fingerprinting queries for exposed Zabbix instances: icon_hash=892542951, app="zabbix-监控系统" with SAML body, or title="zabbix-server".
  • Google dork for exposed Zabbix server login pages: intitle:"zabbix-server".
  • The vulnerability is in setup.php: after initial setup, unauthenticated users can reach later setup steps by manipulating the zbx_session cookie (setting check_fields_result to true and advancing the step value), bypassing authentication checks.
  • The exploit only works if the Zabbix Frontend setup.php is accessible post-installation (i.e., the setup process has been completed but setup.php has not been removed or restricted). The vulnerability is exploitable only when the setup file remains reachable.
  • The crafted zbx_session cookie uses an INVALID sessionid and sign, meaning the bypass relies on the server not validating these fields; this behavior may differ across Zabbix versions. Confirmed fixed in Debian packages at version 1:6.0.7+dfsg-2.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      5.3     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvd             v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:N/I:P/A:N
osv                       5.3     MEDIUM
vulncheck                 3.7     LOW
cisa                      5.3     MEDIUM
vendor_debian             3.7     LOW