CVE-2025-27240 — SQL Injection in Zabbix

CWE-89 — SQL Injection5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 79.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix

Timeline

PublishedSep 12

Description

A Zabbix adminitrator can inject arbitrary SQL during the autoremoval of hosts by inserting malicious SQL in the 'Visible name' field.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDzabbix/zabbix6.0.0 — 6.0.34+2

▶Debianzabbix/zabbix< 1:7.0.5+dfsg-1+1

▶CVEListV5zabbix/zabbix6.0.0 — 6.0.33+2

🔴Vulnerability Details

CVEList

Secondary-order SQL injection in Zabbix Server when deleting an autoregistered host↗2025-09-12

▶

OSV

CVE-2025-27240: A Zabbix adminitrator can inject arbitrary SQL during the autoremoval of hosts by inserting malicious SQL in the 'Visible name' field↗2025-09-12

▶

GHSA

GHSA-pvp6-r25h-5wh3: A Zabbix adminitrator can inject arbitrary SQL during the autoremoval of hosts by inserting malicious SQL in the 'Visible name' field↗2025-09-12

▶

📋Vendor Advisories

Debian

CVE-2025-27240: zabbix - A Zabbix adminitrator can inject arbitrary SQL during the autoremoval of hosts b...↗2025

▶