Vendor: Zabbix Server
By: Alexander Gurin
CVSS: 7.5 (HIGH)
Remote Code Execution
CWE: 78
Product Name: Zabbix Server
Affected Version From: 2.2
Affected Version To: 3.0.3
Patch Exists: YES
Related CWE: N/A
CPE: a:zabbix:zabbix_server
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux (Debian, CentOS)
2016

Zabbix RCE with API JSON-RPC

This exploit allows an attacker to execute arbitrary code on a vulnerable Zabbix server through the JSON-RPC API. It requires authentication, and the attacker must know the hostid of the vulnerable server. It was tested on Linux (Debian, CentOS) and works on Zabbix versions 2.2 - 3.0.3.

Mitigation:

Ensure that the Zabbix server is up to date and that all users have strong passwords.
Source

Exploit-DB raw data: