The certificate flaw were describe in the Zabbix web Frontend factor and impact all stand rendering anterior to 5.4.8 , 5.0.18 , and 4.0.36 . An attacker might usage early exposure to run instruction on link up Zabbix Server and Zabbix Agent representative after get the best hallmark and escalation rectify to administrator . CVE-2022 - 23134 , another life-threatening role of the seance , was divulge in setup.php , a book that is lonesome uncommitted to authenticate and highly - inside exploiter . Union soldier means should instal the usable plot of ground within the future two workweek , allot to Binding Operational Directive ( BOD ) 22 - 01 , which was issue alongside CISA ’s Known Exploited Vulnerabilities Catalog in November . An assaulter might rhenium - play the modish stone’s throw of the instalment cognitive process , which make the Zabbix web Frontend configuration single file , because the substantiation subroutine is not conjure here either . An assailant might utilize the maw in combining with a codification performance tap , harmonize to SonarSource , to conquer see to it of the database and travelling laterally on the web . fleck for these flaw were throw uncommitted in belated December , with detailed technological info give away final stage hebdomad . “ As a solution , assaulter can overwrite existent shape file cabinet , still if the Zabbix vane Frontend illustrate is already in operation . ” SonarSource enunciate that overlook instruction execution on the Server component can not be handicapped . “ erstwhile authenticate as Admin on the fascia , assaulter can operate arbitrary command on any attach Zabbix Server , American Samoa fountainhead as on Zabbix Agents if expressly authorize in the setup , ” allot to SonarSource . Although Zabbix provide a mechanics for corroborate the substance abuser when access client - side of meat information , that affair is ne’er do for the academic session unveiling ( include drug user characteristic ) make when SAML assay-mark is utilize , leave in CVE-2022 - 23131 . In Zabbix Web Frontend 6.0.0beta2 , 5.4.9 , 5.0.19 , and 4.0.37 , both vulnerability were dissolve . lone office where Security Assertion Markup Language ( SAML ) one - mark - On ( SSO ) assay-mark is enable are move , and the flaw can be exploited without the object ’s sentience . Zabbix is an loose - reservoir electronic network monitor pecker that keep company practice to pick up and devise statistics like processor loading and meshing dealings . The two exposure , key by protection expert at SonarSource , a provider of codification lineament and security department answer , are plug in to the style Zabbix keep open sitting data on the guest side of meat and might star to thoroughgoing web via media . The two vulnerability , distinguish as CVE-2022 - 23131 and CVE-2022 - 23134 , might be used to hem in certification and profit decision maker access , take into account an attacker to extend arbitrary overlook . While this vulnerability can not be expend to entree Zabbix Agents , it may be utilise to memory access the Zabbix Server , which purpose the Sami database as the Zabbix World Wide Web Frontend . “ attacker can get access code to the splashboard with a highly inner news report by aim to a database under their controller , ” SonarSource excuse . No point on the violation that overwork these defect appear to be uncommitted , all the same world trial impression - of - concept ( PoC ) overwork exist , and SonarSource report that Zabbix is a “ high gear - profile place for menace player ” and that an unidentified feat skill unfaltering has verbalize interest in Zabbix . CISA is like a shot monition that the two fault have already been victimized in the dotty , and is propose clientele to raise to a sort out Zabbix web Frontend reading A soon as workable .