CVE-2024-22116 | An administrator with restricted permissions can exploit the… | CVSS 9.9 CRITICAL

Description

An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section. The lack of default escaping for script parameters enabled this user ability to execute arbitrary code via the Ping script, thereby compromising infrastructure.

Metadata

CVE ID: CVE-2024-22116
State: PUBLISHED
Assigner: Zabbix
Reserved: 2024-01-05 07:44 UTC
Published: 2024-08-09 10:16 UTC
Last updated: 2025-11-03 21:53 UTC
Primary CWE: CWE-94
CWE-94 Improper Control of Generation of Code ('Code Injecti…
Vendor / Product: Zabbix / Zabbix
Sources: cve.org · NVD

Severity & Metrics

9.9 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Zabbix	Zabbix	—	6.4.9 ≤ 6.4.15, 7.0.0alpha1 ≤ 7.0.0rc2

Weakness (CWE)

CWE	Source	Description
CWE-94	cna	CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.9	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (1)

https://support.zabbix.com/browse/ZBX-25016