Critical Vulnerability in Zabbix Agent for Windows Enables Privilege Escalation via DLL Injection

A significant security flaw has been identified in Zabbix Agent and Agent 2 for Windows, potentially allowing attackers with local system access to escalate their privileges through dynamic link library (DLL) injection. This vulnerability, designated CVE-2025-27237 with a Common Vulnerability Scoring System (CVSS) score of 7.3 (High), affects multiple versions of the widely used network monitoring solution and has led to the prompt release of security updates by Zabbix.

Understanding the Vulnerability

The core issue arises from improper handling of OpenSSL configuration files within Windows environments. Specifically, the Zabbix agents load the OpenSSL configuration from a file path that lacks adequate access controls, permitting users with limited privileges to modify the configuration content. This oversight creates an opportunity for malicious actors to inject DLLs, thereby gaining elevated system privileges.

Technical Details

The vulnerability is present in how Zabbix Agent and Agent 2 process OpenSSL configuration files on Windows systems. During initialization, these agents load the OpenSSL configuration from a path that can be altered by users with restricted privileges. An attacker with local system access can modify the OpenSSL configuration file to reference a malicious DLL, which is then loaded during the agent’s startup or upon system reboot.

The affected versions include:

– Zabbix Agent for Windows 6.0.0 to 6.0.40
– Zabbix Agent for Windows 7.0.0 to 7.0.17
– Zabbix Agent 2 for Windows 7.2.0 to 7.2.11
– Zabbix Agent 2 for Windows 7.4.0 to 7.4.1

Exploiting this vulnerability requires specific conditions: the attacker must have existing access to the Windows system where Zabbix Agent is installed, and the malicious configuration becomes effective only after the Zabbix Agent service restarts or the system reboots.

Discovery and Reporting

Security researcher himbeer discovered this vulnerability and reported it through Zabbix’s HackerOne bug bounty program. The exploitation technique leverages the trust relationship between the Zabbix Agent service and the OpenSSL library, enabling attackers to execute arbitrary code with the elevated privileges of the agent process.

Risk Assessment

The potential risks associated with this vulnerability include:

– Local Privilege Escalation: Attackers can elevate their privileges from a standard user to higher levels, potentially gaining control over the system.
– Unauthorized Access: Elevated privileges may allow access to sensitive information and critical system resources.
– System Compromise: With higher privileges, attackers can install malicious software, modify system configurations, or disrupt operations.

Mitigation Measures

To address this security flaw, Zabbix has released patches for all affected product lines. The fixed versions are:

– Zabbix Agent for Windows 6.0.41
– Zabbix Agent for Windows 7.0.18
– Zabbix Agent 2 for Windows 7.2.12
– Zabbix Agent 2 for Windows 7.4.2

These updates implement proper access controls for OpenSSL configuration file paths and validate configuration content before processing. System administrators are strongly advised to update their Zabbix Agent installations to the corresponding patched versions immediately. As no specific workarounds have been provided, applying these security updates is the primary mitigation strategy.
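The following PowerShell script is an added example, not code from Zabbix or from the advisory, for administrators triaging the affected and fixed version ranges listed above. It flags an agent whose version falls inside an affected range and audits the ACL of the OpenSSL configuration file for write access granted to non-administrative principals; the `$OpenSslConfPath` default is a placeholder (the advisory does not name the path), so pass the file your deployment actually loads.

```powershell
# Added example (not Zabbix's own code): flag a Zabbix Windows agent whose
# version is in an affected range for CVE-2025-27237 and audit the ACL of
# the OpenSSL configuration file it loads. $OpenSslConfPath is an assumed
# placeholder; supply the real path used by your installation.
param(
    [Parameter(Mandatory)] [string] $Version,       # e.g. "7.0.17"
    [Parameter(Mandatory)] [string] $Product,       # "Agent" or "Agent2"
    [string] $OpenSslConfPath = 'C:\openssl.cnf'    # placeholder, assumption
)

# Affected ranges as published in the advisory (fixed releases are 6.0.41,
# 7.0.18, 7.2.12 and 7.4.2, i.e. one patch level above each Max).
$AffectedRanges = @(
    @{ Product = 'Agent';  Min = [version]'6.0.0'; Max = [version]'6.0.40' },
    @{ Product = 'Agent';  Min = [version]'7.0.0'; Max = [version]'7.0.17' },
    @{ Product = 'Agent2'; Min = [version]'7.2.0'; Max = [version]'7.2.11' },
    @{ Product = 'Agent2'; Min = [version]'7.4.0'; Max = [version]'7.4.1'  }
)

function Test-AffectedVersion {
    param([string]$Product, [version]$Version)
    foreach ($r in $AffectedRanges) {
        if ($r.Product -eq $Product -and $Version -ge $r.Min -and $Version -le $r.Max) {
            return $true
        }
    }
    return $false
}

function Get-NonAdminWriters {
    # Return Allow ACEs that grant write, modify or full control to anyone
    # other than SYSTEM, the local Administrators group or TrustedInstaller.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return @() }
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $trusted -notcontains $_.IdentityReference.Value -and
        ("$($_.FileSystemRights)" -match 'Write|Modify|FullControl')
    }
}

if (Test-AffectedVersion -Product $Product -Version ([version]$Version)) {
    Write-Warning "Zabbix $Product $Version is in an affected range for CVE-2025-27237; update to the fixed release."
}
$writers = Get-NonAdminWriters -Path $OpenSslConfPath
if ($writers) {
    Write-Warning "$OpenSslConfPath is writable by non-administrative principals:"
    $writers | Format-Table IdentityReference, FileSystemRights -AutoSize
}
```

A non-empty table of writers on an unpatched agent is the condition the advisory describes; on a patched agent it still indicates a file that should be tightened to administrators only.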

Recommendations for Organizations

Organizations running Zabbix monitoring infrastructure should prioritize these updates, especially in environments where multiple users have local system access or where monitoring agents operate with elevated privileges. Given the widespread deployment of Zabbix in enterprise settings, this flaw could affect a large number of Windows-based monitoring installations globally.

Conclusion

The discovery of CVE-2025-27237 underscores the importance of vigilant security practices and prompt response to identified vulnerabilities. By updating to the latest patched versions of Zabbix Agent and Agent 2 for Windows, organizations can mitigate the risks associated with this flaw and maintain the integrity of their monitoring systems.