CVE-2023-32727

MEDIUM

Zabbix Server 4.0.0-4.0.48 - Authenticated Remote Code Execution via icmpping() Function

Title source: llm

Description

An attacker who has the privilege to configure Zabbix items can use function icmpping() with additional malicious command inside it to execute arbitrary code on the current Zabbix server.

References (2)

Core 2

Core References

Vendor Advisory

https://support.zabbix.com/browse/ZBX-23857

Mailing List

https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html

Scores

CVSS v3 6.8

EPSS 0.0087

EPSS Percentile 54.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-20

Status published

Products (2)

zabbix/zabbix_server 7.0.0 alpha1 (4 CPE variants)

zabbix/zabbix_server 4.0.0 - 4.0.49

Published Dec 18, 2023

Tracked Since Feb 18, 2026