What is the severity of CVE-2024-22122?

CVE-2024-22122 has been classified as a critical vulnerability due to its potential for remote code execution via AT command injection.

How do I fix CVE-2024-22122?

To fix CVE-2024-22122, you should upgrade to version 7.0.0-beta3 or later, which includes patches for this vulnerability.

What versions of Zabbix are affected by CVE-2024-22122?

CVE-2024-22122 affects Zabbix versions from 5.0.0 to 6.4.15 and all alpha, beta, and rc versions of 7.0.0.

What are the potential impacts of CVE-2024-22122?

The impact of CVE-2024-22122 includes unauthorized access to system functions through command injection, potentially leading to complete system compromise.

Is it possible to exploit CVE-2024-22122 without authentication?

Yes, CVE-2024-22122 can be exploited without authentication by submitting specially crafted input in the SMS notification configuration.

Vulnerability/
CVE-2024-22122

critical

9.1

CWE

9/8/2024

10/12/2024

CVE-2024-22122: AT(GSM) Command Injection

First published: Fri Aug 09 2024(Updated: )

Zabbix allows to configure SMS notifications. AT command injection occurs on "Zabbix Server" because there is no validation of "Number" field on Web nor on Zabbix server side. Attacker can run test of SMS providing specially crafted phone number and execute additional AT commands on modem.

Credit: security@zabbix.com

Affected Software	Affected Version	How to fix
Zabbix Server	>=5.0.0<=5.0.42
Zabbix Server	>=6.0.0<=6.0.30
Zabbix Server	>=6.4.0<=6.4.15
Zabbix Server	=7.0.0-alpha1
Zabbix Server	=7.0.0-alpha2
Zabbix Server	=7.0.0-alpha3
Zabbix Server	=7.0.0-alpha4
Zabbix Server	=7.0.0-alpha5
Zabbix Server	=7.0.0-alpha6
Zabbix Server	=7.0.0-alpha7
Zabbix Server	=7.0.0-alpha8
Zabbix Server	=7.0.0-alpha9
Zabbix Server	=7.0.0-beta1
Zabbix Server	=7.0.0-beta2
Zabbix Server	=7.0.0-beta3
Zabbix Server	=7.0.0-rc1
Zabbix Server	=7.0.0-rc2

Never miss a vulnerability like this again

Reference Links

https://support.zabbix.com/browse/ZBX-25012

Frequently Asked Questions

What is the severity of CVE-2024-22122?
CVE-2024-22122 has been classified as a critical vulnerability due to its potential for remote code execution via AT command injection.
How do I fix CVE-2024-22122?
To fix CVE-2024-22122, you should upgrade to version 7.0.0-beta3 or later, which includes patches for this vulnerability.
What versions of Zabbix are affected by CVE-2024-22122?
CVE-2024-22122 affects Zabbix versions from 5.0.0 to 6.4.15 and all alpha, beta, and rc versions of 7.0.0.
What are the potential impacts of CVE-2024-22122?
The impact of CVE-2024-22122 includes unauthorized access to system functions through command injection, potentially leading to complete system compromise.
Is it possible to exploit CVE-2024-22122 without authentication?
Yes, CVE-2024-22122 can be exploited without authentication by submitting specially crafted input in the SMS notification configuration.

agent/title
agent/weakness
agent/first-publish-date
agent/description
agent/type
agent/author
agent/event
collector/mitre-cve
source/MITRE
agent/references
agent/last-modified-date
agent/severity
agent/source
agent/tags
agent/softwarecombine
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/zabbix
canonical/zabbix server
version/zabbix server/5.0.0
version/zabbix server/5.0.42
version/zabbix server/6.0.0
version/zabbix server/6.0.30
version/zabbix server/6.4.0
version/zabbix server/6.4.15
version/zabbix server/7.0.0-alpha1
version/zabbix server/7.0.0-alpha2
version/zabbix server/7.0.0-alpha3
version/zabbix server/7.0.0-alpha4
version/zabbix server/7.0.0-alpha5
version/zabbix server/7.0.0-alpha6
version/zabbix server/7.0.0-alpha7
version/zabbix server/7.0.0-alpha8
version/zabbix server/7.0.0-alpha9
version/zabbix server/7.0.0-beta1
version/zabbix server/7.0.0-beta2
version/zabbix server/7.0.0-beta3
version/zabbix server/7.0.0-rc1
version/zabbix server/7.0.0-rc2