CVE-2025-49641

Summary

A regular Zabbix user with no permission to the Monitoring -> Problems view is still able to call the problem.view.refresh action and therefore still retrieve a list of active problems.

Affected Software

VendorProductVersion RangeStatus
ZabbixZabbix6.0.0 <= 6.0.40affected
ZabbixZabbix7.0.0 <= 7.0.17affected
ZabbixZabbix7.2.0 <= 7.2.11affected
ZabbixZabbix7.4.0 <= 7.4.1affected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References