CVE-2024-22116: Remote code execution within ping script

9.9 CVSS

Description

An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section. The lack of default escaping for script parameters enabled this user ability to execute arbitrary code via the Ping script, thereby compromising infrastructure.

Classification

CVE ID: CVE-2024-22116

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.9

Affected Products

Vendor: Zabbix

Product: Zabbix

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 20.7% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://support.zabbix.com/browse/ZBX-25016

Timeline

2024-12-05 00:32:26 UTC
CVE

Remote code execution within ping script