CVE-2022-23134 — Zabbix Frontend Improper Access Control Vulnerability

Zabbix Frontend — Setup Wizard Step Access Control Bypass Allowing Unauthorized Configuration Changes

What is Zabbix?

Zabbix is a widely deployed open-source network monitoring platform used by enterprises, ISPs, and government organizations to monitor servers, network devices, applications, and services. The Zabbix Frontend is the PHP-based web interface that administrators use to configure monitoring, view dashboards, and manage alerts. Because Zabbix monitors the entire infrastructure and often stores SNMP community strings, SSH credentials, and API keys for the systems it monitors, unauthorized access to Zabbix configuration is a significant security concern.

Overview

CVE-2022-23134 is an improper access control vulnerability (CWE-284) in the Zabbix Frontend web application. After a Zabbix installation is completed, the setup wizard (/zabbix/setup.php) remains accessible and can be navigated through its steps again by unauthenticated or non-admin users. An attacker can skip the authentication checks on certain wizard steps by directly accessing step URLs, potentially modifying Zabbix database configuration settings. Despite its low CVSS score (3.7), CISA added this to KEV in February 2022, reflecting active exploitation.

Affected Versions

Product          Vulnerable            Fixed
Zabbix Frontend  5.0.x < 5.0.19        5.0.19
Zabbix Frontend  5.4.x < 5.4.9         5.4.9
Zabbix Frontend  6.0.x < 6.0.0alpha7   6.0.0alpha7

Technical Details

The Zabbix web setup wizard (setup.php) guides administrators through the initial database configuration of a fresh Zabbix installation. After installation completes, the wizard was intended to be inaccessible — but Zabbix failed to enforce proper authentication and state validation on individual wizard steps:

  • Root cause: The setup wizard's step progression checks were insufficient — an attacker could navigate directly to later steps (bypassing earlier authentication requirements) or revisit setup after initial installation
  • Access condition: The setup.php file remained present and accessible on installed Zabbix instances
  • Impact: An attacker who can pass step checks can reach the database configuration step and potentially modify the database connection parameters — redirecting Zabbix to connect to an attacker-controlled database, or disrupting the monitoring service
  • Exploitation complexity: High (per CVSS) — requires network access to the Zabbix frontend and ability to navigate the step bypass
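The access-control weakness described above comes down to where the wizard's step gate is enforced. The following added example (not Zabbix code; the step numbers, session keys and function names are made up for illustration) puts the weak pattern, which checks for a super-administrator only on one step and otherwise trusts the client-supplied step number, beside a hardened gate that requires a super-administrator for every step once the configuration file exists and only lets a session advance one step past the last step it actually completed:

```python
"""Setup-wizard step gating: weak pattern beside a hardened one (CWE-284).

Added illustration of the flaw class behind CVE-2022-23134; not Zabbix's code.
Step numbers, session keys and names are assumptions made for this example.
"""
from dataclasses import dataclass, field

# Hypothetical wizard steps (not Zabbix's actual numbering).
STEP_WELCOME, STEP_REQUIREMENTS, STEP_DB_CONFIG, STEP_SUMMARY, STEP_INSTALL = range(5)


@dataclass
class Request:
    step: int                      # step number sent by the client (attacker-controlled)
    session: dict = field(default_factory=dict)  # server-side session state


def weak_allows(req: Request, config_exists: bool) -> bool:
    """Weak gate: only the final step checks for a super admin once installed.

    Every other step is reachable by anyone who names it in the request.
    """
    if req.step == STEP_INSTALL and config_exists:
        return req.session.get("user_type") == "super_admin"
    return True


def hardened_allows(req: Request, config_exists: bool) -> bool:
    """Hardened gate: two server-side checks on every step.

    1. Once the configuration file exists, the wizard is an admin-only tool.
    2. Steps are sequential: a session may reach at most one step beyond the
       highest step it has already completed, as recorded server-side.
    A fresh install (no config yet) still works for an anonymous session.
    """
    if config_exists and req.session.get("user_type") != "super_admin":
        return False
    completed = req.session.get("completed_step", -1)
    return STEP_WELCOME <= req.step <= completed + 1


def compare(req: Request, config_exists: bool) -> dict:
    """Run both gates on one request; handy for tabulating the difference."""
    return {"weak": weak_allows(req, config_exists),
            "hardened": hardened_allows(req, config_exists)}


if __name__ == "__main__":
    # Installed instance, anonymous session jumping straight to DB configuration.
    anon = Request(step=STEP_DB_CONFIG)
    print("anonymous -> db config:", compare(anon, config_exists=True))
    # Installed instance, super admin who has completed the requirements step.
    admin = Request(step=STEP_DB_CONFIG,
                    session={"user_type": "super_admin", "completed_step": STEP_REQUIREMENTS})
    print("admin, in order -> db config:", compare(admin, config_exists=True))
```

The point of the comparison is that the hardened gate never consults the client-supplied step number alone: both the installed-state check and the sequencing check depend only on state the server holds.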

Discovery

The vulnerability was reported via the Zabbix bug tracker (ZBX-20384). Patches were released in December 2021; the CVE was assigned in January 2022.

Exploitation Context

The CVSS score of 3.7 (LOW) reflects the high attack complexity and limited direct impact of the vulnerability in isolation. However, CISA's February 2022 KEV addition — less than two months after the CVE was published — reflects that attackers were actively exploiting the access control bypass in practice. Zabbix installations exposed to the internet with unpatched frontends were targeted. Attackers who successfully modify Zabbix database configuration can disrupt monitoring (causing alerts to fail) or redirect Zabbix to exfiltrate infrastructure data to an attacker-controlled database.

Remediation

  1. Upgrade Zabbix Frontend to 5.0.19, 5.4.9, 6.0.0alpha7, or any later release
  2. Restrict access to the Zabbix Frontend (/zabbix/ or configured URL) to internal networks and VPN-connected administrators; Zabbix should not be exposed directly to the internet
  3. After installation, verify setup.php is not reachable externally, or block it in the web server configuration; for nginx:
    location ~ ^/zabbix/setup\.php { deny all; }
     Place this block before any general PHP location such as location ~ \.php$ that hands requests to PHP-FPM: nginx uses the first regex location that matches, so a deny rule placed after it would never be reached.
  4. Review Zabbix database configuration for unauthorized changes to connection parameters
  5. Enable Zabbix audit logging and monitor for unexpected configuration changes
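Steps 3 and 5 above call for checking who can reach setup.php and watching for unexpected activity. One place that evidence already exists is the web server access log. The following added example (not part of the original advisory) parses constructed combined-format access log lines and reports every request to setup.php that was served rather than blocked, came from outside the assumed administrator networks, or was a POST (the method by which wizard steps are submitted). ADMIN_NETWORKS and the sample lines are made-up values for the example:

```python
"""Flag web-server hits on the Zabbix setup wizard after installation.

Added example, not part of the original advisory. ADMIN_NETWORKS and the
log lines below are constructed for illustration.
"""
import ipaddress
import re

# Assumed administrator source ranges; adjust to the real environment.
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]

# nginx/Apache "combined" log format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# setup.php under the default /zabbix/ prefix or at the web root.
SETUP_PATH = re.compile(r"^/(?:zabbix/)?setup\.php(?:\?|$)")


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_admin_source(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETWORKS)


def find_setup_access(lines):
    """Return a finding for each setup.php request that deserves a look.

    A blocked (4xx) GET from an admin network produces no finding: that is
    the expected outcome once the deny rule from the remediation is in place.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not SETUP_PATH.match(rec["path"]):
            continue
        reasons = []
        if not is_admin_source(rec["ip"]):
            reasons.append("external source")
        if rec["method"] == "POST":
            reasons.append("wizard step submitted")
        if 200 <= rec["status"] < 400:
            reasons.append("served (not blocked)")
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                             "path": rec["path"], "status": rec["status"],
                             "reasons": reasons})
    return findings


# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Feb/2022:10:01:02 +0000] "GET /zabbix/setup.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Feb/2022:10:01:09 +0000] "POST /zabbix/setup.php HTTP/1.1" 200 4870 "-" "Mozilla/5.0"',
    '10.20.30.40 - - [20/Feb/2022:10:05:00 +0000] "GET /zabbix/setup.php HTTP/1.1" 403 153 "-" "curl/7.68.0"',
    '198.51.100.9 - - [20/Feb/2022:10:06:11 +0000] "GET /zabbix/index.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0"',
    "this line is not in combined format",
]

if __name__ == "__main__":
    for f in find_setup_access(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} {f['status']}: {', '.join(f['reasons'])}")
```

Run against a real log, the third sample line is what a correctly hardened instance should produce for any probe of setup.php; the first two are the pattern worth alerting on, and a POST that was served is the strongest signal that a wizard step was actually submitted.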

Key Details

Property              Value
CVE ID                CVE-2022-23134
Vendor / Product      Zabbix — Frontend
NVD Published         2022-01-13
NVD Last Modified     2025-10-30
CVSS 3.1 Score        3.7
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Severity              LOW
CWE                   CWE-284
CISA KEV Added        2022-02-22
CISA KEV Deadline     2022-03-08
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    High
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      None
Integrity            Low
Availability         None

Required Action

CISA BOD 22-01 Deadline: 2022-03-08. Apply updates per vendor instructions.

Timeline

Date        Event
2021-12     Zabbix releases patches: 6.0.0alpha7, 5.4.9, 5.0.19
2022-01-13  CVE published
2022-02-22  Added to CISA Known Exploited Vulnerabilities catalog
2022-03-08  CISA BOD 22-01 remediation deadline

References

Resource                                           Type
Zabbix Support — ZBX-20384 Setup Wizard Bypass     Vendor Advisory
NVD — CVE-2022-23134                               Vulnerability Database
CISA KEV Catalog Entry                             US Government