CVE-2024-22120
published 2024-05-17


Priority: P187 · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 76.62% (99.5th percentile)
Zabbix server can execute configured scripts on request. After a command is executed, an audit entry is added to the "Audit Log". Because the "clientip" field is not sanitized before it is written to that entry, SQL can be injected through "clientip" and exploited as a time-based blind SQL injection.

Affected

9 ranges

Vendor    Product   Version range                         Fixed in
debian    zabbix    < zabbix 1:6.0.29+dfsg-1 (forky)      zabbix 1:6.0.29+dfsg-1 (forky)
zabbix    zabbix    (no range given)
zabbix    zabbix    >= 0, < 1:6.0.29+dfsg-1               1:6.0.29+dfsg-1
zabbix    zabbix    >= 0, < 1:6.0.29+dfsg-1               1:6.0.29+dfsg-1
zabbix    zabbix    >= 6.0.0, < 6.0.28                    6.0.28
zabbix    zabbix    6.0.0 – 6.0.27
zabbix    zabbix    >= 6.4.0, < 6.4.13                    6.4.13
zabbix    zabbix    6.4.0 – 6.4.12
zabbix    zabbix    7.0.0alpha1 – 7.0.0beta1

Detection & IOCs (extracted from sources)

command (PoC "command" request to the Zabbix server, SQL carried in the clientip field):
{"request": "command", "sid": "<sid>", "scriptid": "3", "clientip": "' + (select sleep(10)) + '", "hostid": "<hostid>"}

other (Shodan query): http.favicon.hash:892542951
other (FOFA query): icon_hash=892542951

snort:
alert tcp any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zabbix Server Blind SQL Injection via clientip Parameter (CVE-2024-22120)"; flow:established,to_server; content:"ZBXD|01|"; fast_pattern; startswith; content:"|22|clientip|22 3a|"; pcre:"/^[^\x2c]*(?:(?:S(?:HOW\x20(?:C(?:UR(?:DAT|TIM)E|HARACTER\x20SET)|(?:VARI|T)ABLES)|ELECT\x20(?:FROM|USER))|U(?:NION\x20SELEC|PDATE\x20SE)T|DELETE\x20FROM|INSERT\x20INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\x2f\*.+\*\x2f)/Ri"; reference:url,support.zabbix.com/browse/ZBX-24505; reference:cve,2024-22120; classtype:web-application-attack; sid:2055989; rev:2; metadata:affected_product Zabbix, attack_target Server, tls_state plaintext, created_at 2024_09_19, cve CVE_2024_22120, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_11_25, reviewed_at 2025_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

bytes: ZBXD\x01 (Zabbix protocol header)
  • Exploitation requires a valid authenticated session ID (SID) and a known hostid: this is a post-authentication vulnerability (PR:L in the NVD vector), so unauthenticated probes alone never reach the vulnerable code path and detection rules should not expect them to. As a post-exploitation indicator, correlate Zabbix audit log entries whose 'clientip' value contains SQL syntax (quotes, parentheses, SQL keywords); a legitimate value is an IP literal and nothing else.
  • Use Shodan (http.title 'zabbix-server' or favicon hash 892542951) or FOFA (icon_hash=892542951) to inventory exposed Zabbix front ends. The favicon hash identifies the web front end; the exploit traffic itself goes to the Zabbix server port (10051 by default), so also check whether that port is reachable from untrusted networks.
  • The exploit traffic is plaintext Zabbix protocol (tls_state: plaintext), so it can be inspected at the network perimeter without TLS decryption. The Snort rule (sid:2055989) only matches that plaintext form: if connections to the Zabbix server are TLS-protected or tunneled, the rule will not fire.
  • Fixed upstream versions are 6.0.28rc1, 6.4.13rc1 and 7.0.0beta2; the Debian fix (forky) is 1:6.0.29+dfsg-1. Debian 'bookworm' remains open as of the source snapshot.
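The two detection points above, the plaintext ZBXD "command" frame on the wire and the audit-log 'clientip' correlation, as one runnable check. This is an added example, not Zabbix project code or the site's own tooling: it builds and parses uncompressed Zabbix protocol frames, classifies the clientip field (a legitimate value is an IPv4/IPv6 literal, so anything that fails to parse as one is at least malformed and, with SQL syntax present, an injection attempt), and runs the same classifier over audit rows. The frames and audit rows are constructed inline with placeholder sid/hostid values; the audit column names ('auditid', 'ip') are an assumption based on the Zabbix 6.x auditlog table and should be adjusted to the deployed schema. Unlike the byte-level Snort pcre, this check runs after JSON decoding, so a quote written as \u0027 is still seen.

```python
"""Detect CVE-2024-22120 exploitation attempts in Zabbix 'command' frames and
in Zabbix audit-log rows. Added example; not Zabbix project code."""
import ipaddress
import json
import re
import struct

ZBX_MAGIC = b"ZBXD"
ZBX_FLAG_PROTOCOL = 0x01   # plain (uncompressed, non-large) Zabbix protocol frame
HEADER_LEN = 13            # 4 magic + 1 flags + 4 datalen + 4 reserved

# SQL syntax that has no business in an IP address field. Same intent as the ET
# Snort rule on this page, but applied to the decoded JSON string value.
SQL_TOKEN_RE = re.compile(
    r"""['"()`;]|--|/\*|\*/|\b(?:select|union|sleep|benchmark|pg_sleep|"""
    r"""waitfor|insert|update|delete|from|where)\b""",
    re.IGNORECASE,
)


def build_frame(payload: dict) -> bytes:
    """Encode a JSON object as an uncompressed Zabbix protocol frame."""
    body = json.dumps(payload).encode()
    return ZBX_MAGIC + bytes([ZBX_FLAG_PROTOCOL]) + struct.pack("<II", len(body), 0) + body


def parse_frame(data: bytes) -> dict:
    """Decode one uncompressed Zabbix frame; raise ValueError on anything else."""
    if len(data) < HEADER_LEN or data[:4] != ZBX_MAGIC:
        raise ValueError("not a Zabbix protocol frame")
    flags = data[4]
    if flags != ZBX_FLAG_PROTOCOL:
        raise ValueError(f"unsupported flags 0x{flags:02x} (compressed or large frame)")
    datalen, _reserved = struct.unpack("<II", data[5:HEADER_LEN])
    body = data[HEADER_LEN:HEADER_LEN + datalen]
    if len(body) != datalen:
        raise ValueError("truncated frame")
    return json.loads(body)


def classify_clientip(value) -> str:
    """Return 'ok', 'malformed' or 'sqli' for a clientip / audit-log ip value."""
    if value is None or value == "":
        return "ok"
    if not isinstance(value, str):
        return "malformed"
    try:
        ipaddress.ip_address(value)   # the only legitimate content: an IP literal
        return "ok"
    except ValueError:
        pass
    return "sqli" if SQL_TOKEN_RE.search(value) else "malformed"


def inspect_command_frame(data: bytes) -> dict:
    """Parse a frame and, if it is a 'command' request, classify its clientip."""
    msg = parse_frame(data)
    result = {"request": msg.get("request"), "clientip": msg.get("clientip"), "verdict": "ok"}
    if msg.get("request") == "command":
        result["verdict"] = classify_clientip(msg.get("clientip"))
    return result


def scan_audit_rows(rows):
    """Return (auditid, verdict, ip) for audit rows whose ip field is not a clean IP."""
    flagged = []
    for row in rows:
        verdict = classify_clientip(row.get("ip"))
        if verdict != "ok":
            flagged.append((row["auditid"], verdict, row.get("ip")))
    return flagged


# Constructed samples (not captured traffic): the PoC shape shown on this page
# with placeholder sid/hostid values, beside a benign request.
POC_FRAME = build_frame({"request": "command", "sid": "<sid>", "scriptid": "3",
                         "clientip": "' + (select sleep(10)) + '", "hostid": "<hostid>"})
BENIGN_FRAME = build_frame({"request": "command", "sid": "<sid>", "scriptid": "3",
                            "clientip": "10.0.0.5", "hostid": "<hostid>"})

# Constructed audit-log rows; 'auditid' and 'ip' are assumed column names from
# the Zabbix 6.x auditlog table, adjust to the deployed schema.
AUDIT_ROWS = [
    {"auditid": "ckx1", "ip": "192.0.2.10"},
    {"auditid": "ckx2", "ip": "' + (select sleep(10)) + '"},
    {"auditid": "ckx3", "ip": "2001:db8::1"},
    {"auditid": "ckx4", "ip": "not-an-ip"},
]

if __name__ == "__main__":
    for name, frame in (("poc", POC_FRAME), ("benign", BENIGN_FRAME)):
        print(name, inspect_command_frame(frame))
    for hit in scan_audit_rows(AUDIT_ROWS):
        print("audit", hit)
```

Run it as-is to see the PoC frame flagged as 'sqli' and the benign one pass; the same `classify_clientip` can be pointed at the live auditlog table (select the audit id and ip columns) for the retrospective sweep the bullet above describes. Frames with the compression or large-packet flags set are rejected rather than guessed at, so a production sensor would need to add zlib inflation before the JSON step.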

CVSS provenance

Source          Version   Score   Severity    Vector
nvd             v3.1      8.8     HIGH        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv                       8.8     HIGH
vulncheck                 9.1     CRITICAL
vendor_debian             9.1     CRITICAL