CVE-2024-42327
published 2024-11-27

Priority: P185 · critical · 9.9 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H
Exploit: yes
EPSS: 78.83% (99.5th percentile)
A non-admin user account on the Zabbix frontend with the default User role, or with any other role that grants API access, can exploit this vulnerability. An SQL injection (SQLi) exists in the addRelatedObjects function of the CUser class; that function is called from CUser.get, which is available to every user who has API access.

Affected (9 ranges)

Vendor    Product   Version range                      Fixed in
debian    zabbix    < zabbix 1:7.0.1+dfsg-1 (forky)    zabbix 1:7.0.1+dfsg-1 (forky)
zabbix    zabbix    >= 0, < 1:7.0.1+dfsg-1             1:7.0.1+dfsg-1
zabbix    zabbix    >= 0, < 1:7.0.1+dfsg-1             1:7.0.1+dfsg-1
zabbix    zabbix    >= 6.0.0, < 6.0.32                 6.0.32
zabbix    zabbix    6.0.0 – 6.0.31                     -
zabbix    zabbix    >= 6.4.0, < 6.4.17                 6.4.17
zabbix    zabbix    6.4.0 – 6.4.16                     -
zabbix    zabbix    >= 7.0.0, < 7.0.1                  7.0.1
zabbix    zabbix    7.0.0 – 7.0.1                      -

Detection & IOCs (extracted from sources)

url: /api_jsonrpc.php
command (PoC payload fragment): "selectRole": ["roleid", "name", "type", "readonly AND (SELECT(SLEEP(5)))"]
path: /api_jsonrpc.php
Snort/Suricata rule (Emerging Threats, sid 2058079):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zabbix Server SQLi API user.get Method (CVE-2024-42327)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api_jsonrpc.php"; fast_pattern; http.content_type; content:"application/json"; http.request_body; content:"|22|method|22 3a|"; content:"|22|user.get|22|"; within:11; content:"|22|selectRole|22 3a|"; pcre:"/^\s*?\x5b/R"; reference:url,www.linkedin.com/pulse/el-%C3%B3xido-y-la-vulnerabilidad-cr%C3%ADtica-en-zabbix-alejandro-ramos-dsvpf/; reference:cve,2024-42327; classtype:web-application-attack; sid:2058079; rev:1; metadata:affected_product Zabbix, attack_target Server, tls_state TLSDecrypt, created_at 2024_12_05, cve CVE_2024_42327, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_12_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Monitor POST requests to /api_jsonrpc.php whose JSON body carries the method 'user.get' together with a 'selectRole' parameter whose value is an array; this is the API call path exploited by CVE-2024-42327. Legitimate clients also send selectRole arrays (which is why the rule is tagged confidence Medium), so inspect the array contents, not just its presence.
  • The SQLi payload is injected into the selectRole field list of the user.get call. Look for time-based blind patterns such as SLEEP(), or boolean expressions appended to a field name, as in 'readonly AND (SELECT(SLEEP(5)))'.
  • The vulnerable code is the addRelatedObjects function of the CUser class, reached via CUser.get. Any authenticated API user (including the default User role) can trigger it, so alert on user.get calls whose selectRole array contains anything other than plain field names.
  • On a vulnerable server a crafted selectRole value is accepted: the JSON response carries no 'error' field and, with the SLEEP(5) payload above, arrives roughly five seconds late. Absence of 'error' on such a payload is a positive indicator of vulnerability; the delay confirms that the injected SQL executed.
  • The Emerging Threats rule (sid:2058079) is marked tls_state TLSDecrypt, so it only fires on decrypted traffic. Deploy it behind SSL/TLS inspection for full coverage of HTTPS frontends.
  • Affected versions span a wide range: 6.0.0–6.0.31, 6.4.0–6.4.16, and 7.0.0. Ensure detection coverage applies to every deployed Zabbix instance in these ranges.
  • Any non-admin user with API access (including the default User role) can exploit this, so restricting admin rights alone is not a mitigation. Upgrade to a fixed release; until then, limit which roles have API access and which networks can reach the frontend.
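The detection logic above, run over sample traffic, as an added example that is not from this page, the Emerging Threats rule set or the Zabbix project. It applies the same pre-conditions as the rule (POST to /api_jsonrpc.php, JSON body, method user.get, selectRole array) but, instead of firing on any array, flags only entries that are not bare field names, which is what separates the public payload from a legitimate field list. The request bodies, the session token and the field-name/SQL-marker patterns are constructed assumptions for the example.

```python
import json
import re

# Assumption (not stated on the page): a legitimate selectRole entry is a bare
# column name such as roleid, name, type or readonly, or the keyword "extend".
FIELD_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Markers for the time-based / boolean blind payload quoted on the page (SLEEP)
# and its obvious variants. A hit on one of these inside a "field name" is the
# strong signal; merely failing FIELD_NAME is the weaker one.
SQLI_MARKERS = re.compile(
    r"\b(sleep|benchmark|select|union|and|or)\b|[()'\";]|--|/\*", re.IGNORECASE
)


def classify_request(method, uri, content_type, body):
    """Classify one HTTP request to the Zabbix frontend.

    Returns {"match": bool, "reason": str, "suspicious": [selectRole entries
    that are not plain field names]}.
    """
    def verdict(match, reason, suspicious=()):
        return {"match": match, "reason": reason, "suspicious": list(suspicious)}

    # Same pre-conditions as the ET rule: POST to /api_jsonrpc.php carrying JSON.
    if method.upper() != "POST" or not uri.split("?", 1)[0].endswith("/api_jsonrpc.php"):
        return verdict(False, "not a JSON-RPC call to /api_jsonrpc.php")
    if not content_type.lower().startswith("application/json"):
        return verdict(False, "content type is not application/json")
    try:
        rpc = json.loads(body)
    except json.JSONDecodeError:
        return verdict(False, "body is not valid JSON")
    if not isinstance(rpc, dict) or rpc.get("method") != "user.get":
        return verdict(False, "method is not user.get")

    params = rpc.get("params") or {}
    select_role = params.get("selectRole") if isinstance(params, dict) else None
    if select_role is None or select_role == "extend":
        return verdict(False, 'selectRole absent or the keyword "extend"')
    if not isinstance(select_role, list):
        return verdict(True, 'selectRole is neither "extend" nor an array', [select_role])

    # The exploit hides SQL inside one of the requested role field names.
    suspicious = [f for f in select_role if not (isinstance(f, str) and FIELD_NAME.match(f))]
    if not suspicious:
        return verdict(False, "selectRole lists only plain field names")
    if any(isinstance(f, str) and SQLI_MARKERS.search(f) for f in suspicious):
        return verdict(True, "SQL fragment inside selectRole (CVE-2024-42327 pattern)", suspicious)
    return verdict(True, "non-identifier value inside selectRole", suspicious)


def _rpc(method, params):
    # "auth" carries the session token on API versions that use it; the value
    # here is a constructed placeholder, not a real token.
    return json.dumps({"jsonrpc": "2.0", "method": method, "params": params,
                       "auth": "0123456789abcdef0123456789abcdef", "id": 1})


# Constructed sample traffic: (label, method, uri, content-type, body).
SAMPLE_REQUESTS = [
    ("benign: extend", "POST", "/zabbix/api_jsonrpc.php", "application/json",
     _rpc("user.get", {"output": ["userid", "username"], "selectRole": "extend"})),
    ("benign: field list", "POST", "/api_jsonrpc.php", "application/json-rpc",
     _rpc("user.get", {"output": "extend", "selectRole": ["roleid", "name"]})),
    ("exploit: time-based blind", "POST", "/api_jsonrpc.php", "application/json",
     _rpc("user.get", {"output": ["userid"],
                       "selectRole": ["roleid", "name", "type", "readonly AND (SELECT(SLEEP(5)))"]})),
    ("unrelated: host.get", "POST", "/api_jsonrpc.php", "application/json",
     _rpc("host.get", {"output": ["hostid"]})),
]


def scan(samples=SAMPLE_REQUESTS):
    """Run the classifier over sample traffic; return the labels that match."""
    return [label for label, *req in samples if classify_request(*req)["match"]]


if __name__ == "__main__":
    for label, *req in SAMPLE_REQUESTS:
        print(f"{label:28s} -> {classify_request(*req)}")
```

Only the third sample is reported. The ET rule, by contrast, would also fire on the second (a plain field list), so feeding decrypted API traffic through a stricter check like this one is a cheap way to triage its medium-confidence alerts; a match whose response also arrives about five seconds late is the time-based confirmation described above.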

CVSS provenance

nvd:            v3.1  9.9  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
osv:                  9.9  CRITICAL
vendor_debian:        9.9  CRITICAL