CVE-2025-27231

Summary

The LDAP 'Bind password' value cannot be read after saving, but a Super Admin account can leak it by changing LDAP 'Host' to a rogue LDAP server. To mitigate this, the 'Bind password' value is now reset on 'Host' change.

Affected Software

VendorProductVersion RangeStatus
ZabbixZabbix6.0.0 <= 6.0.40affected
ZabbixZabbix7.0.0 <= 7.0.17affected
ZabbixZabbix7.2.0 <= 7.2.11affected
ZabbixZabbix7.4.0 <= 7.4.1affected

Weaknesses

  • CWE-522: CWE-522: Insufficiently Protected Credentials

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References