Security Vulnerability Identified in Zabbix Agent for Windows
A recently discovered security vulnerability in the Zabbix Agent and Agent2 for Windows has raised concerns about local privilege escalation. The vulnerability, designated CVE-2025-27237, is rooted in how these agents handle the OpenSSL configuration file across Windows systems.
Overview of Zabbix Agents
Zabbix is a popular open-source platform used for network monitoring. It deploys its agents with elevated privileges to gather comprehensive system performance data. Unfortunately, certain versions of the Windows agents have a flaw where the OpenSSL configuration file is loaded from a directory that can be modified by non-administrative users. This opens an avenue for attackers to escalate their privileges.
Technical Details of CVE-2025-27237
The vulnerability affects specific versions of the Zabbix Agent and Agent2 for Windows, including:
- 6.0.0 to 6.0.40
- 7.0.0 to 7.0.17
- 7.2.0 to 7.2.11
- 7.4.0 to 7.4.1
In these versions, the agent accesses the OpenSSL configuration from a user-writable directory. If a malicious user alters this file, they could inject a harmful dynamic link library (DLL) that executes when the Zabbix service or system is restarted. This exploitation grants SYSTEM-level privileges, enabling attackers to gain extensive control over the affected machine.
The vulnerability carries a high severity rating, reflected in its CVSS score of 7.3, indicating significant risk. The scoring vector is as follows:
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Discovery and Official Response
The vulnerability was responsibly disclosed by security researcher Himbeer. The Zabbix Support Team acknowledged it under internal reference ZBX-27061, confirming it as a genuine security defect. The issue has been classified as major and addressed in newer releases.
The specific handling of the OpenSSL configuration file was flagged under “ZABBIX BUGS AND ISSUES,” leading to swift action for resolution.
Available Patches and Recommendations
To mitigate the risks associated with CVE-2025-27237, users of the affected versions are strongly encouraged to update their software immediately. The patched versions include:
- 6.0.41
- 7.0.18
- 7.2.12
- 7.4.2
These updates rectify the insecure file path handling, preventing low-privileged users from altering the OpenSSL configuration. After applying the updates, it is critical to restart the Zabbix Agent or Agent2 service to ensure that the changes take effect.
At this time, there are no known workarounds available, making the official patches the only effective solution to this vulnerability.
Implications of the Vulnerability
While exploiting this vulnerability requires local access, the implications are significant. Successfully executing malicious code with SYSTEM privileges allows attackers to bypass user-level security restrictions, install unauthorized software, access sensitive information, and potentially facilitate further incursions into the wider network.
Given Zabbix’s essential role in enterprise and infrastructure monitoring, quick action is crucial for those relying on Windows-based agents. The deployment of these agents, which operate with elevated privileges, makes them attractive targets in environments where strict security protocols are necessary.
This incident highlights the importance of routinely auditing software configurations, especially those involving external components like OpenSSL. Administrators should prioritize reviewing systems for affected versions, promptly implement the latest patches, and adhere to best practices to prevent unauthorized file modifications.
For further technical specifications, affected version breakdowns, and detailed update instructions, users can consult the official Zabbix security advisory.
