CVE-2022-23131 — Zabbix Frontend Authentication Bypass Vulnerability


Zabbix Frontend — SAML Authentication Bypass via Forged Client-Side Session Data

What is Zabbix?

Zabbix is one of the most widely deployed open-source enterprise monitoring platforms, used by thousands of organizations to monitor servers, network devices, applications, and cloud infrastructure. Its web frontend is the primary interface for configuration and alerting, often accessible from the internet for remote NOC access. Because Zabbix agents run with elevated privileges on monitored systems, compromising the Zabbix server provides a powerful foothold into an organization's entire monitored infrastructure.

Overview

CVE-2022-23131 is a critical authentication bypass in the Zabbix Frontend when SAML-based single sign-on is configured. Zabbix stores session data insecurely on the client side in a way that can be forged — an unauthenticated attacker can craft a manipulated session cookie to bypass authentication entirely and gain access as any user, including the built-in Admin superuser. CVSS 9.1. Active exploitation was confirmed quickly, and CISA added it to KEV on February 22, 2022 — about six weeks after the patch.

Affected Versions

Version                 Status
Zabbix 5.4.0 – 5.4.8    Vulnerable
Zabbix 6.0.0alpha1      Vulnerable
Zabbix 5.4.9rc1         Fixed
Zabbix 6.0.0beta1       Fixed

Note: Only deployments with SAML SSO configured are affected. Deployments using only username/password authentication are not directly affected by this specific CVE.

Technical Details

The vulnerability (CWE-290 — authentication bypass by spoofing) stems from Zabbix Frontend storing SSO session attributes in a client-side cookie without adequate integrity protection. When SAML authentication is configured, the frontend relies on data in the session cookie to determine the authenticated user identity. Because this data can be tampered with by a client, an attacker can forge the session to impersonate any Zabbix user.

Attack flow:

  1. Visit the Zabbix Frontend login page with SAML SSO enabled
  2. Observe the SAML session cookie set by the application
  3. Manipulate the cookie value to specify the target username (e.g., Admin)
  4. The frontend accepts the forged session and logs the attacker in as that user

No credentials, SAML IdP access, or prior authentication are required; the only prerequisite is network access to the Zabbix web interface.
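The root cause described above is a session cookie whose contents the server trusts without any integrity binding. The following is an added conceptual illustration (not Zabbix code; the cookie layout, field names and server key are constructed for the example) of that weak pattern next to the hardened one: an HMAC over the cookie body, verified with a constant-time comparison, so an altered username is rejected instead of accepted.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for a secret that lives only on the server.
SERVER_KEY = b"constructed-example-server-key"


def encode_unsigned(session: dict) -> str:
    """Weak pattern: base64(JSON) with nothing tying the body to the server."""
    return base64.b64encode(json.dumps(session, sort_keys=True).encode()).decode()


def decode_unsigned(cookie: str) -> dict:
    """Trusts whatever the client sends back; identity comes from the cookie."""
    return json.loads(base64.b64decode(cookie))


def encode_signed(session: dict, key: bytes = SERVER_KEY) -> str:
    """Hardened pattern: body plus an HMAC-SHA256 tag computed with the server key."""
    body = json.dumps(session, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return base64.b64encode(body).decode() + "." + tag


def decode_signed(cookie: str, key: bytes = SERVER_KEY):
    """Returns the session only when the tag verifies; None for missing or bad tags."""
    try:
        b64_body, tag = cookie.rsplit(".", 1)      # no tag at all -> ValueError
        body = base64.b64decode(b64_body, validate=True)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):     # constant-time comparison
        return None
    return json.loads(body)


def tamper_username(cookie: str, new_user: str) -> str:
    """Models client-side alteration: rewrites the username in the body, keeps any old tag."""
    b64_body, sep, tag = cookie.partition(".")    # base64 never contains '.'
    session = json.loads(base64.b64decode(b64_body))
    session["username"] = new_user
    new_body = base64.b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    return new_body + sep + tag
```

With the unsigned layout the altered body is simply believed; with the signed layout the stale tag no longer matches and the session is discarded, which is the property the patched code path has to provide.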

Discovery

The vulnerability was reported to Zabbix via their bug tracker and patched in January 2022. Public proof-of-concept exploit code became available shortly after, accelerating exploitation.

Exploitation Context

The Zabbix Admin account has full control over the monitoring platform, including the ability to:

  • Execute scripts on monitored hosts via Zabbix's built-in remote command execution
  • Modify alert configurations and escalation policies
  • Access credentials stored in Zabbix macros and configurations
  • Use Zabbix agent access to pivot to monitored systems

Attackers exploited this to gain instant admin access to Zabbix instances, then leveraged Zabbix's built-in script execution to run OS commands on monitored servers — turning the monitoring platform into a command-and-control infrastructure. Cryptomining and further network reconnaissance were the most commonly observed post-exploitation activities.

Remediation

  1. Upgrade Zabbix: Update to Zabbix 5.4.9rc1/5.4.9+ or 6.0.0beta1/6.0.0+ immediately.
  2. Restrict Frontend access: Place the Zabbix web interface behind a VPN or IP allowlist — it should not be accessible from untrusted networks.
  3. Audit for compromise: Check Zabbix audit logs (Administration > Audit) for unauthorized login events. Review recent script execution history for unexpected commands.
  4. Rotate Admin credentials: After patching, change the Zabbix Admin password and review user accounts for unauthorized additions.
  5. Review SAML configuration: After patching, verify your SAML/SSO settings are correct and that session handling is using the patched code path.
  6. Monitor remote script execution: Zabbix's ability to run scripts on monitored hosts is a significant lateral movement vector — restrict which users have script execution permissions.

Key Details

Property               Value
CVE ID                 CVE-2022-23131
Vendor / Product       Zabbix — Frontend
NVD Published          2022-01-13
NVD Last Modified      2025-10-30
CVSS 3.1 Score         9.1
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity               CRITICAL
CWE                    CWE-290
CISA KEV Added         2022-02-22
CISA KEV Deadline      2022-03-08
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         None

Required Action

CISA BOD 22-01 Deadline: 2022-03-08. Apply updates per vendor instructions.

Timeline

Date          Event
2022-01-13    CVE published; Zabbix released patched versions
2022-02-22    Added to CISA Known Exploited Vulnerabilities catalog
2022-03-08    CISA BOD 22-01 remediation deadline

References

Resource                               Type
NVD — CVE-2022-23131                   Vulnerability Database
CISA KEV Catalog Entry                 US Government
Zabbix Bug Tracker — ZBX-20350         Vendor Advisory