cbcvebase.
CVE-2024-22122
published 2024-08-12

Priority: P358
Severity: critical, 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.61% (72.8th percentile)
Zabbix allows configuring SMS notifications. AT command injection occurs on the Zabbix server because the "Number" field is validated neither in the web frontend nor on the Zabbix server side. An attacker can run an SMS test with a specially crafted phone number and execute additional AT commands on the modem.
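Added defensive example, not Zabbix's own code: a strict allowlist check for the SMS destination number, applied before the value is placed into the modem's AT+CMGS command line. The function names and the sample numbers are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not Zabbix code): allowlist check for an SMS destination.
 * Accepts an optional leading '+' followed by 3..15 digits, nothing else.
 * CR/LF, ';', '"' or letters are rejected, so the value cannot terminate the
 * AT command line or smuggle a second command into the modem session. */
bool sms_number_is_valid(const char *number)
{
    size_t i = 0, digits = 0;

    if (number == NULL)
        return false;
    if (number[0] == '+')
        i = 1;
    for (; number[i] != '\0'; i++) {
        if (number[i] < '0' || number[i] > '9')
            return false;
        digits++;
    }
    return digits >= 3 && digits <= 15;
}

/* Build the first line of a text-mode send, AT+CMGS="<number>"<CR>, only
 * after the number passed validation. Returns bytes written, or -1 when the
 * number is rejected or the buffer is too small. */
int build_cmgs_command(const char *number, char *out, size_t out_len)
{
    int n;

    if (!sms_number_is_valid(number))
        return -1;
    n = snprintf(out, out_len, "AT+CMGS=\"%s\"\r", number);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed samples: two well-formed numbers, two carrying control or
     * quote characters that a modem would treat as a command-line break. */
    const char *samples[] = { "+15551234567", "15551234567",
                              "+1555\r\nAT", "+1555\";AT" };
    char cmd[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s\n", i,
               build_cmgs_command(samples[i], cmd, sizeof cmd) < 0 ? "rejected" : "accepted");
    return 0;
}
```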

Affected

9 ranges

Vendor   Product   Version range                                  Fixed in
debian   zabbix    < zabbix 1:5.0.44+dfsg-1+deb11u1 (bullseye)    zabbix 1:5.0.44+dfsg-1+deb11u1 (bullseye)
zabbix   zabbix    (not stated)                                   (not stated)
zabbix   zabbix    >= 0 < 1:5.0.44+dfsg-1+deb11u1                 1:5.0.44+dfsg-1+deb11u1
zabbix   zabbix    >= 0 < 1:7.0.0+dfsg-1                          1:7.0.0+dfsg-1
zabbix   zabbix    >= 0 < 1:7.0.0+dfsg-1                          1:7.0.0+dfsg-1
zabbix   zabbix    5.0.0 – 5.0.42                                 (not stated)
zabbix   zabbix    6.0.0 – 6.0.30                                 (not stated)
zabbix   zabbix    6.4.0 – 6.4.15                                 (not stated)
zabbix   zabbix    7.0.0alpha1 – 7.0.0rc2                         (not stated)

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.1     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
osv             -         9.1     CRITICAL   -
vendor_debian   -         3.0     LOW        -