CVE-2025-27237

HIGH

Zabbix Agent/Agent 2 <Windows> - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-27237. PoCs published by HackingLZ.

AI-analyzed exploit summary This repository contains a working proof-of-concept for CVE-2025-27237, a local privilege escalation vulnerability in Zabbix Agent/Agent2 for Windows. The exploit leverages OpenSSL configuration file hijacking to load a malicious DLL with SYSTEM privileges.

Description

In Zabbix Agent and Agent 2 on Windows, the OpenSSL configuration file is loaded from a path writable by low-privileged users, allowing malicious modification and potential local privilege escalation by injecting a DLL.

Exploits (2)

nomisec WORKING POC 19 stars

by HackingLZ · poc

https://github.com/HackingLZ/CVE-2025-27237

View Code ZIP pw:eip

This repository contains a working proof-of-concept for CVE-2025-27237, a local privilege escalation vulnerability in Zabbix Agent/Agent2 for Windows. The exploit leverages OpenSSL configuration file hijacking to load a malicious DLL with SYSTEM privileges.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Zabbix Agent/Agent2 for Windows (versions 6.0.0-6.0.40, 7.0.0-7.0.17, 7.2.0-7.2.11, 7.4.0-7.4.1)

No auth needed

Prerequisites: Local user access to Windows system · Zabbix Agent configured with TLS · Ability to create directories at C:\ root · Service restart or system reboot

MITRE ATT&CK

T1574.001 - DLL T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

gitlab WORKING POC

by HackingLZ · poc

https://gitlab.com/HackingLZ/CVE-2025-27237

View Code ZIP pw:eip

This repository contains a functional proof-of-concept exploit for CVE-2025-27237, demonstrating local privilege escalation in Zabbix Agent 2 for Windows via OpenSSL configuration file hijacking. The exploit includes detailed steps, malicious DLL code, and verification methods.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Zabbix Agent/Agent2 for Windows 6.0.0-6.0.40, 7.0.0-7.0.17, 7.2.0-7.2.11, 7.4.0-7.4.1

Auth required

Prerequisites: Local user access to Windows system with Zabbix Agent installed · Zabbix Agent configured with TLS · Ability to create directories at C:\ root

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed Apr 09, 2026 Full analysis →

References (1)

Core 1

Core References

Various Sources

https://support.zabbix.com/browse/ZBX-27061

Scores

CVSS v4 7.3

EPSS 0.0033

EPSS Percentile 24.8%

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-427

Status published

Products (4)

Zabbix/Zabbix 6.0.0 - 6.0.40

Zabbix/Zabbix 7.0.0 - 7.0.17

Zabbix/Zabbix 7.2.0 - 7.2.11

Zabbix/Zabbix 7.4.0 - 7.4.1

Published Oct 03, 2025

Tracked Since Feb 18, 2026