
Zabbix vulnerable to critical SQL injection flaw

  • December 2, 2024

Zabbix urges users to upgrade immediately due to a serious bug in the open source platform.

The Zabbix monitoring platform is affected by a critical vulnerability. CVE-2024-42327 allows low-privilege users on the front end to escalate their privileges via SQL injection, potentially wreaking havoc. Other roles with API access can also exploit the flaw. Reflecting that severity, the CVSS score is 9.9.

A patch is now available. Zabbix urges users to install it immediately. The following versions of the open source platform are vulnerable:

  • 6.0.0 to 6.0.31
  • 6.4.0 to 6.4.16
  • 7.0.0

An upgrade to 6.0.32rc1, 6.4.17rc1 or 7.0.1rc1 resolves the issue.
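For triaging an inventory against the ranges above, here is an added example (not code from the article or from Zabbix). The host names and sample versions are constructed, and ignoring pre-release tags when matching a range is an assumption.

```python
import re

# Affected ranges exactly as listed in the article (inclusive bounds).
AFFECTED = [((6, 0, 0), (6, 0, 31)), ((6, 4, 0), (6, 4, 16)), ((7, 0, 0), (7, 0, 0))]
# First fixed builds named in the article, keyed by release branch.
FIXED = {(6, 0): "6.0.32rc1", (6, 4): "6.4.17rc1", (7, 0): "7.0.1rc1"}

_VERSION = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)((?:alpha|beta|rc)\d+)?\s*$", re.I)

def parse_version(text):
    """Return ((major, minor, patch), prerelease_tag_or_None); raise on garbage."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)

def triage(text):
    """Classify one version string against the article's ranges.

    Assumption: a pre-release tag (rc/alpha/beta) is ignored for matching,
    so 6.0.31rc1 is treated like 6.0.31 (conservative; the article is silent).
    "not-listed" means only that the article does not list the version.
    """
    numbers, _tag = parse_version(text)
    for low, high in AFFECTED:
        if low <= numbers <= high:
            return "affected", FIXED[numbers[:2]]
    return "not-listed", None

def triage_inventory(inventory):
    """Map host -> (status, upgrade_target); unparseable entries need a human."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = triage(version)
        except ValueError:
            report[host] = ("unknown", None)
    return report

if __name__ == "__main__":
    # Constructed sample inventory; host names are placeholders.
    sample = {"mon-a": "6.0.31", "mon-b": "6.0.32rc1", "mon-c": "7.0.0",
              "mon-d": "6.4.17", "mon-e": "unknown-build"}
    for host, (status, target) in triage_inventory(sample).items():
        print(f"{host}: {status}" + (f" -> upgrade to {target} or later" if target else ""))
```

Hosts reported as "unknown" should be checked by hand rather than assumed patched.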

‘Unforgivable’

SQL injections have been around forever and are easy to exploit. On the other hand, it is not that difficult for companies to eliminate such errors before the software goes into production. The American FBI and CISA therefore generally consider SQL injection bugs to be inexcusable.

Zabbix itself provides further details on its website. Now that the bug is publicly known, Zabbix administrators should take action quickly. After all, an attacker who somehow obtains a user account’s login credentials can easily expand their access as long as the vulnerability remains unpatched.

Source: IT Daily
