Zabbix, a leading provider of open-source network and application monitoring tools, has disclosed a critical SQL injection vulnerability (CVE-2024-42327) that could allow attackers with API access to fully compromise affected systems. This flaw, scoring a high CVSSv3 rating of 9.9, exists in the CUser class and impacts Zabbix versions 6.0.0 to 6.0.31, 6.4.0 to 6.4.16, and 7.0.0. Users are urged to upgrade to patched versions (6.0.32rc1, 6.4.17rc1, and 7.0.1rc1) immediately.
The vulnerability affects a wide range of organizations globally, including notable customers like Dell, the European Space Agency, and Vodacom, highlighting the substantial attack surface. SQL injection flaws, often easy to exploit, remain a persistent security risk despite being flagged as critical weaknesses for decades.
US agencies such as the FBI and CISA have emphasized the severity of such vulnerabilities, labeling them "unforgivable" and advocating for stronger Secure by Design principles among developers. Recent high-profile incidents, like the MOVEit breaches facilitated by SQL injection, demonstrate the catastrophic impact these flaws can have, affecting millions of individuals and thousands of organizations worldwide.
Zabbix's alert underscores the urgent need for proactive vulnerability management and rigorous software quality assurance to prevent exploitation.
Read more...