If you use Zabbix to monitor your IT infrastructure, you probably know it's powerful and widely used. But did you know that a simple mistake in how Zabbix handles SAML Single Sign-On (SSO) authentication could let hackers take over your admin panel—even without a password?

In this article we break down CVE-2022-23131, a critical vulnerability in Zabbix's SAML SSO implementation, show how a real attack works, and explain how to keep your system safe. No jargon: the essential facts, some example code, links to the official resources, and clear steps.

- CVE ID: CVE-2022-23131
- Affects: Zabbix Frontend 5.4.0 through 5.4.8, and 6.0.0alpha1
- Fixed in: 5.4.9 and 6.0.0beta2 (see the Zabbix release notes linked below)
- Severity: Critical (CVSS 3.1 base score 9.1)
- Precondition: SAML SSO authentication must be enabled on the frontend. This is not the default, so instances using the built-in internal, LDAP or HTTP authentication are not exposed.

Let's keep it simple: how the bug works

1. SAML SSO lets you log in with credentials from a third party (your company's identity provider, the IdP).

2. After a SAML login, Zabbix remembers who you are by storing the username it received from the IdP in your session data. In the affected versions the frontend keeps that session data on the client side, in the zbx_session cookie in your browser.

3. Zabbix did not verify that the username sitting in the session data actually came from a SAML login it had validated.

4. Because the session data lives in a cookie, an attacker can write their own, naming any user they like, including Admin.

What an attacker needs:

- A Zabbix frontend with SAML SSO enabled (this is not the default).
- A username that exists on the system (or just "guest", if that account is enabled).
- The ability to set a cookie, which is trivial with browser developer tools or a short script.

No password, no existing session and no interaction with the identity provider are required.

The attack is just a matter of setting the right session value and loading the panel:

1. Open your browser's developer tools (usually F12) and find the cookies stored for the Zabbix site.

2. Replace the zbx_session cookie with a base64-encoded JSON document containing a saml_data object whose username_attribute is set to "Admin" (this is the shape the public exploit linked below uses).

3. Request the SAML entry point, index_sso.php. The frontend reads the username from the cookie and creates a logged-in session for that user.

Here is a simplified illustration in PHP of what the vulnerable read path amounts to. It is not Zabbix's actual code, just the logic reduced to its essentials:

<?php
// Simplified illustration of the flaw (not Zabbix's real code).
// Vulnerable versions keep frontend session data client-side, in the
// zbx_session cookie, as base64-encoded JSON. The SAML entry point then
// trusted whatever username that cookie carried.
$raw = $_COOKIE['zbx_session'] ?? '';
$session = json_decode(base64_decode($raw), true) ?: [];

// Nothing here checks that saml_data was written by a SAML login the
// server actually validated, so the client decides who it is.
if (isset($session['saml_data']['username_attribute'])) {
    $username = $session['saml_data']['username_attribute']; // attacker-controlled
    echo "Logged in as {$username}\n"; // "Admin" if the cookie said Admin
    // Full privileges of that user follow.
}
?>

The cookie the attacker sends looks like this (the value is the base64 encoding of {"saml_data":{"username_attribute":"Admin"}}):

Cookie: zbx_session=<base64-encoded JSON>
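To make the trust problem concrete, here is an added Python model of the two read paths side by side: the vulnerable one that believes whatever saml_data the cookie carries, and a hardened one that accepts a username only from a session the server itself sealed after validating the IdP assertion. This is example code written for this article, not Zabbix's code or its actual patch; the HMAC-over-JSON scheme, the SERVER_SESSION_KEY value and the FORGED_COOKIE sample are assumptions constructed for the demonstration. The cookie name and the saml_data / username_attribute keys follow the shape described above.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumption: a per-installation secret known only to the server. This value
# is a placeholder for the example; a real deployment would use a random key.
SERVER_SESSION_KEY = b"replace-with-a-random-per-install-secret"

# Constructed sample: a zbx_session value anyone can build with no credentials.
FORGED_COOKIE = base64.b64encode(
    json.dumps({"saml_data": {"username_attribute": "Admin"}}).encode()
).decode()


def _decode(cookie: str) -> Optional[dict]:
    """Base64 + JSON decode of the cookie body; None if it is malformed."""
    try:
        data = json.loads(base64.b64decode(cookie, validate=True))
    except ValueError:  # covers binascii.Error, JSONDecodeError, bad UTF-8
        return None
    return data if isinstance(data, dict) else None


def _username_from(data: dict) -> Optional[str]:
    saml = data.get("saml_data")
    if not isinstance(saml, dict):
        return None
    username = saml.get("username_attribute")
    return username if isinstance(username, str) else None


def vulnerable_sso_login(cookie: str) -> Optional[str]:
    """Models the flaw: the username found under saml_data is used as-is.
    Nothing ties it to a SAML assertion the server actually validated."""
    data = _decode(cookie)
    return None if data is None else _username_from(data)


def _canonical(data: dict) -> bytes:
    # Stable serialisation so the signature covers exactly one byte sequence.
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def _sign(data: dict) -> str:
    return hmac.new(SERVER_SESSION_KEY, _canonical(data), hashlib.sha256).hexdigest()


def issue_session_after_idp(username_from_assertion: str) -> str:
    """Only the server's SAML response handler calls this, and only after it has
    validated the IdP's signed assertion. The session it writes is then sealed."""
    data = {"saml_data": {"username_attribute": username_from_assertion}}
    data["sign"] = _sign(data)
    return base64.b64encode(_canonical(data)).decode()


def hardened_sso_login(cookie: str) -> Optional[str]:
    """Same read path, but the session is accepted only if the server's HMAC
    verifies, so a client-built saml_data block is rejected before use."""
    data = _decode(cookie)
    if data is None:
        return None
    provided = data.pop("sign", None)
    if not isinstance(provided, str):
        return None
    if not hmac.compare_digest(provided.encode(), _sign(data).encode()):
        return None
    return _username_from(data)


def tamper(cookie: str, new_username: str) -> str:
    """An attacker edits a legitimately issued cookie but cannot re-sign it."""
    data = _decode(cookie)
    data["saml_data"]["username_attribute"] = new_username
    return base64.b64encode(_canonical(data)).decode()


if __name__ == "__main__":
    print("vulnerable, forged cookie ->", vulnerable_sso_login(FORGED_COOKIE))
    print("hardened,   forged cookie ->", hardened_sso_login(FORGED_COOKIE))
    legit = issue_session_after_idp("alice")
    print("hardened,   real session  ->", hardened_sso_login(legit))
    print("hardened,   tampered      ->", hardened_sso_login(tamper(legit, "Admin")))
```

The point of the contrast is not the particular HMAC construction but where authority comes from: with client-side session storage the server must be able to prove it wrote the data, and the SAML username must only ever be consumed by the code path that validated the assertion. Zabbix's own fix is in the release notes linked below.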

🔗 Original References and Further Reading

- Official Zabbix security advisory
- NVD (National Vulnerability Database) entry for CVE-2022-23131
- Exploit details (Packet Storm)
- Zabbix release notes (with the fix)

🛡️ How to protect yourself

- Update the frontend to a fixed release (5.4.9 or 6.0.0beta2 and later, per the release notes linked above). If you cannot update right away, disable SAML authentication until you can.

- Disable the guest account. It is disabled by default in current releases, but double-check.

- Review your user list and avoid keeping the well-known "Admin" username on a super-admin account. The attack needs nothing more than a valid username, so a predictable one makes it trivial.
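For the "check your version" step, here is an added Python helper (example code for this article, not a Zabbix tool) that classifies a frontend version string against the affected list given above. It assumes the version string format the frontend footer shows, such as "5.4.8" or "6.0.0alpha1", and it takes the fixed versions 5.4.9 and 6.0.0beta2 from the release notes linked above; anything that is neither listed as affected nor at or past a fixed version is reported as "not listed" so you check the advisory rather than assume.

```python
import re
from typing import Optional, Tuple

# Format assumed: MAJOR.MINOR.PATCH with an optional alpha/beta/rc suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?$")
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL = 3  # a final release sorts above every pre-release of the same number

Version = Tuple[int, int, int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """Turn '5.4.8' or '6.0.0alpha1' into a sortable tuple, or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, _FINAL, 0)
    return (major, minor, patch, _PRE_RANK[m.group(4)], int(m.group(5)))


# Affected set as stated in this article, and fixed versions from the release notes.
AFFECTED_54_FIRST = parse_version("5.4.0")
AFFECTED_54_LAST = parse_version("5.4.8")
AFFECTED_60 = parse_version("6.0.0alpha1")
FIXED_54 = parse_version("5.4.9")
FIXED_60 = parse_version("6.0.0beta2")


def assess(version: str, saml_enabled: bool) -> str:
    """Return one of: 'not applicable', 'unknown', 'affected', 'fixed', 'not listed'.

    SAML SSO being disabled removes the precondition, so that is checked first.
    A version string that cannot be parsed is 'unknown' rather than silently safe.
    """
    if not saml_enabled:
        return "not applicable"
    v = parse_version(version)
    if v is None:
        return "unknown"
    if AFFECTED_54_FIRST <= v <= AFFECTED_54_LAST or v == AFFECTED_60:
        return "affected"
    if v[:2] == (5, 4) and v >= FIXED_54:
        return "fixed"
    if v >= FIXED_60:
        return "fixed"
    # e.g. 5.0.x, or 6.0.0 pre-releases between alpha1 and beta2: consult the advisory.
    return "not listed"


if __name__ == "__main__":
    for ver in ("5.4.8", "5.4.9", "6.0.0alpha1", "6.0.0beta1", "6.0.0", "5.0.20"):
        print(f"{ver:12} saml on  -> {assess(ver, True)}")
```

The "not listed" outcome is deliberate: a version that is older than the fix but absent from the advisory's affected list should be confirmed against the advisory, not assumed clean.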

📢 Final Words

CVE-2022-23131 is a big warning for anyone enabling SAML SSO without looking closely at their security. This vulnerability allowed attackers to log in as *any* user—admin included—by just setting a session value. The good news? It’s fixed now. But only you can protect your own Zabbix!

Check your version, update, and stay safe.

*Need more info? Take a look at the Zabbix security advisory or reach out to your Zabbix support team for tailored advice.*

Timeline

Published on: 01/13/2022 16:15:00 UTC
Last modified on: 01/19/2022 21:08:00 UTC