CVE-2013-5743

CRITICAL

Zabbix 1.8-1.8.17 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2013-5743. PoCs published by Jason Kratzer, including Metasploit module exploits/linux/http/zabbix_sqli.

AI-analyzed exploit summary This Metasploit module exploits an unauthenticated SQL injection in Zabbix <= 2.0.8 to extract an admin session ID, then uploads and executes a malicious script via 'scripts_exec.php' for remote code execution.

Description

Multiple SQL injection vulnerabilities in Zabbix 1.8.x before 1.8.18rc1, 2.0.x before 2.0.9rc1, and 2.1.x before 2.1.7.

Exploits (2)

exploitdb WORKING POC

by Jason Kratzer · rubywebappsunix

https://www.exploit-db.com/exploits/28972

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated SQL injection in Zabbix <= 2.0.8 to extract an admin session ID, then uploads and executes a malicious script via 'scripts_exec.php' for remote code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Zabbix <= 2.0.8

No auth needed

Prerequisites: Zabbix instance with guest access enabled · Administrator session active in the database

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/zabbix_sqli.rb

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated SQL injection vulnerability in Zabbix versions 2.0.8 and lower to retrieve an active session ID, then leverages it to upload and execute a malicious script via 'scripts_exec.php' for remote code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Zabbix <= 2.0.8

No auth needed

Prerequisites: Zabbix instance with guest access enabled · Network access to the target

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (4)

Core 4

Core References

Broken Link x_refsource_confirm

https://admin.fedoraproject.org/updates/zabbix-1.8.18-1.el6

Broken Link x_refsource_confirm

https://admin.fedoraproject.org/updates/zabbix20-2.0.8-3.el6

Broken Link x_refsource_confirm

https://admin.fedoraproject.org/updates/zabbix20-2.0.9-1.el5

Patch, Vendor Advisory x_refsource_confirm

https://support.zabbix.com/browse/ZBX-7091

Scores

CVSS v3 9.8

EPSS 0.7779

EPSS Percentile 99.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

zabbix/zabbix 1.8 - 1.8.17

Published Dec 11, 2019

Tracked Since Feb 18, 2026