CVE-2024-22120
Published 2024-05-17
Priority: P1 (87) · high · CVSS 3.1 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 76.62% (99.5th percentile)
Zabbix server can perform command execution for configured scripts. After a command is executed, an audit entry is added to the "Audit Log". Because the "clientip" field is not sanitized, it is possible to inject SQL into "clientip" and exploit a time-based blind SQL injection.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | zabbix | < zabbix 1:6.0.29+dfsg-1 (forky) | zabbix 1:6.0.29+dfsg-1 (forky) |
| zabbix | zabbix | — | — |
| zabbix | zabbix | >= 0 < 1:6.0.29+dfsg-1 | 1:6.0.29+dfsg-1 |
| zabbix | zabbix | >= 0 < 1:6.0.29+dfsg-1 | 1:6.0.29+dfsg-1 |
| zabbix | zabbix | >= 6.0.0 < 6.0.28 | 6.0.28 |
| zabbix | zabbix | 6.0.0 – 6.0.27 | — |
| zabbix | zabbix | >= 6.4.0 < 6.4.13 | 6.4.13 |
| zabbix | zabbix | 6.4.0 – 6.4.12 | — |
| zabbix | zabbix | 7.0.0alpha1 – 7.0.0beta1 | — |
Detection & IOCs (extracted from sources)
Command: {"request": "command", "sid": "<sid>", "scriptid": "3", "clientip": "' + (select sleep(10)) + '", "hostid": "<hostid>"}
Other: http.favicon.hash:892542951
Other: icon_hash=892542951 (FOFA query)
Snort:
```text
alert tcp any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zabbix Server Blind SQL Injection via clientip Parameter (CVE-2024-22120)"; flow:established,to_server; content:"ZBXD|01|"; fast_pattern; startswith; content:"|22|clientip|22 3a|"; pcre:"/^[^\x2c]*(?:(?:S(?:HOW\x20(?:C(?:UR(?:DAT|TIM)E|HARACTER\x20SET)|(?:VARI|T)ABLES)|ELECT\x20(?:FROM|USER))|U(?:NION\x20SELEC|PDATE\x20SE)T|DELETE\x20FROM|INSERT\x20INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\x2f\*.+\*\x2f)/Ri"; reference:url,support.zabbix.com/browse/ZBX-24505; reference:cve,2024-22120; classtype:web-application-attack; sid:2055989; rev:2; metadata:affected_product Zabbix, attack_target Server, tls_state plaintext, created_at 2024_09_19, cve CVE_2024_22120, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_11_25, reviewed_at 2025_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
Bytes: ZBXD\x01 (Zabbix protocol header)
- Exploitation requires an authenticated session (SID). Correlate Zabbix audit log entries whose 'clientip' values contain SQL syntax (quotes, parentheses, SQL keywords) as a post-exploitation indicator.
- Shodan/FOFA queries for http.title 'zabbix-server' or favicon hash 892542951 enumerate exposed Zabbix servers; run them against your own address ranges to find instances that should not be Internet-facing.
- The exploit traffic is plaintext (tls_state: plaintext), so it can be inspected at the network perimeter without TLS decryption.
- Exploitation requires a valid authenticated session ID (SID) and a known hostid; this is a post-authentication vulnerability (PR:H in CVSS). Detection rules should account for the fact that unauthenticated probes alone will not reach the vulnerable code path.
- The Snort rule (sid:2055989) matches plaintext Zabbix protocol traffic only. If Zabbix server communication is tunneled or encrypted, the rule will not fire.
- Fixed versions are 6.0.28rc1, 6.4.13rc1, and 7.0.0beta2 (upstream); the Debian stable fix is 1:6.0.29+dfsg-1. Debian 'bookworm' remains open as of the source snapshot.
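Host-side detection logic for the indicators above, written here as an added example (it is not code from the page's sources or from Zabbix): it parses a Zabbix protocol frame and flags a "command" request whose clientip is not a plain IP address, the same condition the Snort rule's pcre approximates. The 13-byte header layout ("ZBXD", flags 0x01, 4-byte little-endian length, 4 reserved bytes) is assumed, and the two sample frames are constructed for the demonstration.

```python
import ipaddress
import json
import re
import struct


def build_frame(payload: dict) -> bytes:
    """Wrap JSON in a Zabbix protocol frame: 'ZBXD', flags 0x01, 4-byte little-endian
    data length, 4 reserved bytes, then the data (13-byte header layout assumed here)."""
    data = json.dumps(payload).encode()
    return b"ZBXD\x01" + struct.pack("<I", len(data)) + b"\x00" * 4 + data


# Constructed samples, not captured traffic: a benign command request and one whose
# clientip carries the time-based payload quoted on this page.
BENIGN = build_frame({"request": "command", "sid": "<sid>", "scriptid": "3",
                      "clientip": "192.0.2.10", "hostid": "<hostid>"})
SUSPECT = build_frame({"request": "command", "sid": "<sid>", "scriptid": "3",
                       "clientip": "' + (select sleep(10)) + '", "hostid": "<hostid>"})

# Quotes, parentheses, comment markers and SQL keywords never belong in a client address.
SQL_HINTS = re.compile(
    r"['\"();]|/\*|--|\b(select|union|sleep|benchmark|insert|update|delete|show)\b", re.I)


def parse_frame(frame: bytes):
    """Return the decoded JSON body of a Zabbix frame, or None if it is malformed."""
    if len(frame) < 13 or frame[:5] != b"ZBXD\x01":
        return None
    (length,) = struct.unpack("<I", frame[5:9])
    body = frame[13:13 + length]
    if len(body) != length:
        return None  # truncated frame: do not guess at partial JSON
    try:
        return json.loads(body)
    except ValueError:
        return None


def inspect_command(frame: bytes) -> dict:
    """Flag a 'command' request whose clientip does not parse as an IPv4/IPv6 address."""
    msg = parse_frame(frame)
    if not isinstance(msg, dict) or msg.get("request") != "command":
        return {"suspicious": False, "reason": "not a command request"}
    clientip = str(msg.get("clientip", ""))
    try:
        ipaddress.ip_address(clientip)
        return {"suspicious": False, "reason": "clientip is a valid IP address"}
    except ValueError:
        pass
    if SQL_HINTS.search(clientip):
        return {"suspicious": True, "reason": "SQL syntax in clientip: %r" % clientip}
    return {"suspicious": True, "reason": "clientip is not an IP address: %r" % clientip}
```

Feed frames from a packet capture or a server-side tap into inspect_command; because the check is "is this a real address" rather than a keyword list, it also catches payloads that the pcre's keyword alternation would miss.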
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | 8.8 | HIGH | — |
| vulncheck | 9.1 | CRITICAL | — |
| vendor_debian | 9.1 | CRITICAL | — |
OSV
CVE-2024-22120: Zabbix server can perform command execution for configured scripts
osv · 2024-05-17 · CVSS 8.8 · HIGH
GHSA
GHSA-625f-58w6-wj9f: Zabbix server can perform command execution for configured scripts
ghsa_unreviewed · 2024-05-17 · CRITICAL · CWE-20
VulnCheck
zabbix zabbix Improper Input Validation
vulncheck · 2024 · CVSS 9.1 · CRITICAL
Affected: zabbix zabbix
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://cyble.com/blog/cyble-sensors-detect-exploit-attempts-on-ivanti-avtech-ip-cameras/
Exploit PoC: https://vulncheck.com/xdb/443fa66d8c40; https://vulncheck.com/xdb/01906d16fb19; https://vulncheck.com/xdb/64c958db1eb4
Debian
CVE-2024-22120: zabbix - Zabbix server can perform command execution for configured scripts
vendor_debian · 2024 · CVSS 9.1 · CRITICAL
Scope: local
bookworm: open
bullseye: resolved
forky: resolved (fixed in 1:6.0.29+dfsg-1)
sid: resolved (fixed in 1:6.0.29+dfsg-1)
trixie: resolved (fixed in 1:6.0.29+dfsg-1)
Suricata
ET WEB_SPECIFIC_APPS Zabbix Server Blind SQL Injection via clientip Parameter (CVE-2024-22120)
suricata · 2024-09-19 · CVSS 9.1 · CRITICAL
Rule: sid:2055989, listed in full under Detection & IOCs above.
Nuclei
Zabbix Server - Time-Based Blind SQL injection
nuclei · CVSS 8.8 · HIGH
Template:
```yaml
id: CVE-2024-22120
info:
  name: Zabbix Server - Time-Based Blind SQL injection
  author: CodeStuffBreakThings
  severity: critical
  description: |
    The Zabbix server can execute commands for configured scripts. After executing a command, an audit entry is added to the "Audit Log". Due to the "clientip" field not being sanitized, it is possible to inject SQL into "clientip" and exploit a time-based blind SQL injection vulnerability.
  impact: |
    Attackers ca
```