Zabbix Agent and Agent 2 for Windows Vulnerability Let Attackers Escalate Privileges


A critical security vulnerability has been discovered in Zabbix Agent and Agent 2 for Windows that allows attackers with local system access to escalate their privileges through DLL injection attacks. 

The flaw, tracked as CVE-2025-27237 with a CVSS score of 7.3 (High), affects multiple versions of the popular network monitoring solution and has prompted immediate security updates from Zabbix.

The vulnerability stems from improper handling of OpenSSL configuration files in Windows environments, where the configuration file is loaded from a path that can be modified by low-privileged users. 

This design flaw creates an attack vector for malicious actors who can inject dynamic link libraries (DLLs) to gain elevated system privileges.

Zabbix Agent Windows Local Privilege Escalation

The security flaw resides in how Zabbix Agent and Agent 2 process OpenSSL configuration files on Windows systems. 

When these agents initialize, they load the OpenSSL configuration from a file path that has insufficient access controls, allowing users with limited privileges to modify the configuration content. 


The attack requires local system access and involves modifying the OpenSSL configuration file to reference a malicious DLL that gets loaded during the agent’s startup or system restart process.

The vulnerability affects a broad range of Zabbix versions, including 6.0.0 through 6.0.40, 7.0.0 through 7.0.17, 7.2.0 through 7.2.11, and 7.4.0 through 7.4.1. 

The attack vector has specific prerequisites: attackers need existing access to the Windows system with Zabbix Agent installed, and the malicious configuration only takes effect after the Zabbix Agent service restarts or the system reboots.

Security researcher himbeer discovered this vulnerability and reported it through Zabbix’s HackerOne bug bounty program. 

The DLL injection technique exploits the trust relationship between the Zabbix Agent service and the OpenSSL library, allowing attackers to execute arbitrary code with the elevated privileges of the agent process.

Risk Factors / Details

Affected Products:
- Zabbix Agent for Windows 6.0.0 – 6.0.40
- Zabbix Agent for Windows 7.0.0 – 7.0.17
- Zabbix Agent2 for Windows 7.2.0 – 7.2.11
- Zabbix Agent2 for Windows 7.4.0 – 7.4.1

Impact: Local privilege escalation

Exploit Prerequisites:
- Local Windows user account
- Zabbix Agent or Agent 2 installed
- Ability to modify OpenSSL configuration file path
- Agent service or system restart to load malicious DLL

CVSS 3.1 Score: 7.8 (High)

Mitigations

Zabbix has released security patches across all affected product lines to address this privilege escalation vulnerability. 

The fixed versions include 6.0.41, 7.0.18, 7.2.12, and 7.4.2, which implement proper access controls for OpenSSL configuration file paths and validate configuration content before processing.

System administrators should immediately update their Zabbix Agent installations to the corresponding patched versions. 

The company has not provided specific workarounds for this vulnerability, making the security updates the primary mitigation strategy. 

Organizations using Zabbix monitoring infrastructure should prioritize these updates, particularly in environments where multiple users have local system access or where the monitoring agents run with elevated privileges.
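For administrators who want to verify their own exposure before and after patching, the following PowerShell script is an added example (not code from Zabbix or from the article). It does two things the text above describes: it compares the installed agent version against the affected and fixed version ranges quoted here, and it inspects the ACL of the OpenSSL configuration file (or its parent directory, if the file does not yet exist) for write rights granted to low-privileged principals, which is the condition the vulnerability depends on. The service names 'Zabbix Agent' and 'Zabbix Agent 2' are assumed installer defaults, and the OpenSSL config path is a placeholder that the operator must replace, since the article does not state the exact location.

```powershell
# Added example, not from the Zabbix project or the article: defender-side checks for
# CVE-2025-27237 on a Windows host running Zabbix Agent or Agent 2.
# Assumptions: service names 'Zabbix Agent' / 'Zabbix Agent 2' are the installer defaults;
# the OpenSSL config path below is a placeholder supplied by the operator.

# Affected ranges and fixed versions exactly as listed in the advisory text above.
$script:AffectedRanges = @(
    @{ Min = [version]'6.0.0'; Max = [version]'6.0.40'; Fixed = [version]'6.0.41' },
    @{ Min = [version]'7.0.0'; Max = [version]'7.0.17'; Fixed = [version]'7.0.18' },
    @{ Min = [version]'7.2.0'; Max = [version]'7.2.11'; Fixed = [version]'7.2.12' },
    @{ Min = [version]'7.4.0'; Max = [version]'7.4.1';  Fixed = [version]'7.4.2'  }
)

function Test-ZabbixAgentAffected {
    param([Parameter(Mandatory)][string]$Version)
    # Binary file versions may carry a fourth component (e.g. 7.0.17.0); keep the first three.
    $v = [version](($Version -split '\.')[0..2] -join '.')
    foreach ($r in $script:AffectedRanges) {
        if ($v -ge $r.Min -and $v -le $r.Max) {
            return [pscustomobject]@{ Affected = $true; Installed = $v; FixedIn = $r.Fixed }
        }
    }
    return [pscustomobject]@{ Affected = $false; Installed = $v; FixedIn = $null }
}

function Get-ZabbixAgentInstall {
    # Locate the agent binary through its Windows service entry (service names are assumed defaults).
    foreach ($name in 'Zabbix Agent', 'Zabbix Agent 2') {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if ($svc) {
            # PathName is typically "<quoted exe>" --config "<conf>"; extract the quoted executable.
            $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
            [pscustomobject]@{
                Service = $name
                Path    = $exe
                Version = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
            }
        }
    }
}

function Test-WritableByStandardUsers {
    param([Parameter(Mandatory)][string]$Path)
    # Principals that should never hold write rights on a file a SYSTEM-level service trusts.
    $lowPriv = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    # If the config file is absent, check its parent directory: a missing file in a
    # user-writable directory can simply be created by a low-privileged user.
    $target = if (Test-Path -LiteralPath $Path) { $Path } else { Split-Path -Parent $Path }
    $acl = Get-Acl -LiteralPath $target
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $writeMask) -ne 0
    } | ForEach-Object {
        [pscustomobject]@{ Path = $target; Identity = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
    }
}

# Placeholder: replace with the OpenSSL configuration path the agent actually loads on this host.
$OpenSslConfig = 'C:\PLACEHOLDER\openssl.cnf'

foreach ($agent in Get-ZabbixAgentInstall) {
    $status = Test-ZabbixAgentAffected -Version $agent.Version
    '{0} {1}: affected={2} fixedIn={3}' -f $agent.Service, $status.Installed, $status.Affected, $status.FixedIn
}
# Any row printed here is a write grant to a low-privileged principal on the trusted config path.
Test-WritableByStandardUsers -Path $OpenSslConfig | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so that Get-Acl can read the ACL regardless of the file's owner. An empty result from the ACL check is the expected state on a correctly permissioned host; the version check should report affected=False with the agent at or above the fixed release for its branch.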

Given the widespread deployment of Zabbix monitoring solutions in enterprise environments, this security flaw could potentially affect thousands of Windows-based monitoring installations globally.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.