CVE-2024-22120

CRITICAL EXPLOITED NUCLEI

Zabbix 6.0.0-6.0.27 - Time-Based Blind SQL Injection via Audit Log Client IP Field


Exploitation Summary

CVE-2024-22120 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits from researchers including W01fh4cker, cybersecplayground, and g4nkd. A Nuclei detection template is also available.

Description

Zabbix server can perform command execution for configured scripts. After a command is executed, an audit entry is added to the "Audit Log". Because the "clientip" field is not sanitized, it is possible to inject SQL into "clientip" and exploit a time-based blind SQL injection.

Exploits (5)

nomisec WORKING POC 129 stars
by W01fh4cker · remote
https://github.com/W01fh4cker/CVE-2024-22120-RCE

This repository contains functional exploit code for CVE-2024-22120, demonstrating a time-based SQL injection attack against Zabbix servers to extract session keys and achieve remote code execution (RCE) via script manipulation. The PoC includes multiple scripts for session extraction, admin session generation, and RCE payload execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Zabbix (version not explicitly specified, but likely affects multiple versions)
Auth required
Prerequisites: Valid low-privileged user session ID (sid) · Accessible host ID (hostid) · Network access to Zabbix server (default port 10051)
devstral-2 · analyzed Feb 18, 2026

github WRITEUP 7 stars
by cybersecplayground · poc
https://github.com/cybersecplayground/PoC-and-CVE-Reports/tree/main/2024/CVE-2024-22120.md

The repository contains detailed technical writeups for multiple CVEs, including CVE-2024-22120, which involves a SQL injection vulnerability in Zabbix that can lead to RCE. The writeups include vulnerability descriptions, proof-of-concept details, mitigation strategies, and references to external resources.

Classification: Writeup 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Zabbix Monitoring System
No auth needed
Prerequisites: Access to the vulnerable Zabbix endpoint
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC 3 stars
by g4nkd · remote-auth
https://github.com/g4nkd/CVE-2024-22120-RCE-with-gopher

This repository contains a functional exploit for CVE-2024-22120, leveraging XXE and gopher protocol to achieve RCE on Zabbix 6.0.27. The exploit chains SQL injection for session ID extraction and script execution for reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Zabbix 6.0.27
Auth required
Prerequisites: Low-privileged session ID · Host ID · PHP session ID · Access to Zabbix web interface
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 3 stars
by isPique · remote-auth
https://github.com/isPique/CVE-2024-22120-RCE-with-gopher

This repository contains a functional exploit for CVE-2024-22120, leveraging a time-based SQL injection to extract an admin session ID and subsequently achieving RCE via a reverse shell. The exploit uses a gopher protocol to bypass restrictions and execute commands on the Zabbix server.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Zabbix (version not specified)
Auth required
Prerequisites: Low-privileged Zabbix user credentials · Access to a host ID · PHP session ID · Network access to the Zabbix server
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 stars
by darkbytehunter · remote
https://github.com/darkbytehunter/CVE-2024-22120-RCE-with-gopher

This repository contains a functional exploit for CVE-2024-22120, leveraging a time-based SQL injection to extract an admin session ID and then using a Gopher-based SSRF to execute a reverse shell on a Zabbix server. The exploit requires low-privileged credentials and targets a vulnerability in Zabbix's API/webhook functionality.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Zabbix (version not explicitly specified)
Auth required
Prerequisites: low-privileged Zabbix user credentials (SID, PHPSESSID) · accessible host ID · network connectivity to the Zabbix server
devstral-2 · analyzed May 14, 2026

Nuclei Templates (1)

Zabbix Server - Time-Based Blind SQL injection
CRITICAL · by CodeStuffBreakThings
Shodan: http.title:"zabbix-server" || cpe:"cpe:2.3:a:zabbix:zabbix" || http.favicon.hash:"892542951"
FOFA: icon_hash=892542951 || app="zabbix-监控系统" && body="saml" || title="zabbix-server"

Scores

CVSS v3 9.1
EPSS 0.7662
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

VulnCheck KEV 2025-03-19
CWE CWE-20
Status published
Products (2)
zabbix/zabbix 7.0.0 alpha1 (10 CPE variants)
zabbix/zabbix 6.0.0 - 6.0.28
Published May 17, 2024
Tracked Since Feb 18, 2026