CVE-2025-27240

Summary

A Zabbix adminitrator can inject arbitrary SQL during the autoremoval of hosts by inserting malicious SQL in the 'Visible name' field.

Affected Software

VendorProductVersion RangeStatus
ZabbixZabbix6.0.0 <= 6.0.33affected
ZabbixZabbix6.4.0 <= 6.4.18affected
ZabbixZabbix7.0.0 <= 7.0.3affected

Weaknesses

  • CWE-89: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Workarounds

Disable any Autoregistration actions that remove hosts.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References