Zabbix Agent CVE-2025-27237: OpenSSL Privilege Escalation


A security vulnerability has been identified in Zabbix Agent and Agent2 for Windows, potentially allowing local users to escalate their privileges to the SYSTEM level. Tracked as CVE-2025-27237, the flaw originates from the way these agents handle the OpenSSL configuration file on Windows systems. 

Zabbix, a widely-used open-source network monitoring platform, runs its agents with elevated privileges (as a Windows service under the SYSTEM account) to collect system-level performance data. In the affected versions of its Windows agents, the OpenSSL configuration file is loaded from a path that users without administrative permissions can write to. Because an OpenSSL configuration file can instruct the library to load engine or provider modules, control over that file amounts to control over which DLLs the agent process loads, which is what makes this a local privilege escalation rather than a mere misconfiguration. 

Technical Overview of CVE-2025-27237 

According to the official security advisory, versions 6.0.0 through 6.0.40, 7.0.0 through 7.0.17, 7.2.0 through 7.2.11, and 7.4.0 through 7.4.1 of Zabbix Agent and Agent2 for Windows are affected. In these versions, the agent loads the OpenSSL configuration from a directory where low-privileged users can create or alter files. A local user who writes a crafted configuration there can direct the library to load an attacker-supplied DLL; the DLL is loaded when the agent next initialises OpenSSL, that is, the next time the Zabbix service starts or the system is rebooted. 

When successfully exploited, the malicious code executes with SYSTEM privileges, effectively granting the attacker full control over the machine. 

CVE-2025-27237 has been assigned a CVSS 4.0 base score of 7.3 (High). The scoring vector is: 

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Read out, the vector says the attack is local (AV:L), low in complexity (AC:L) but dependent on a precondition the attacker does not fully control (AT:P, consistent with the need for a service restart), requires only low privileges (PR:L) and no user interaction (UI:N), and yields high confidentiality, integrity and availability impact on the vulnerable host (VC:H/VI:H/VA:H) with no scored impact on subsequent systems (SC:N/SI:N/SA:N). 

Discovery and Response 

The vulnerability was responsibly disclosed by security researcher himbeer. The Zabbix Support Team tracked the issue under internal reference ZBX-27061, confirmed it as a security defect, assigned it Major priority, and marked it fixed in the releases listed below. 

The affected component, specifically tied to the OpenSSL configuration file handling, was reported under the Zabbix internal project “ZABBIX BUGS AND ISSUES.” 

Patched Versions and Mitigation 

Zabbix users running affected versions on Windows are strongly encouraged to upgrade to the fixed releases immediately. The patched versions that address CVE-2025-27237 are: 

  • 6.0.41 
  • 7.0.18 
  • 7.2.12 
  • 7.4.2 

These updates correct the insecure file path behaviour so that the OpenSSL configuration the agent loads can no longer be modified by low-privileged users. Installing the update replaces the binary on disk only; the running service keeps the old code until it is restarted, so restart the Zabbix Agent or Agent2 service after upgrading to complete the remediation. Since the attack depends on a file that was writable before the patch, it is also worth inspecting the previously writable location for a planted configuration or DLL before treating the host as clean. 

The advisory lists no workaround for this vulnerability; applying the official patch is the only supported remediation. 
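The following PowerShell script is an added example, not code from Zabbix or from the advisory. It ties together the affected-version ranges described above and the list of fixed releases: for each agent service on a Windows host it reports whether the installed build is below the fixed version on its branch, and it inspects the ACL on the OpenSSL configuration path for write access granted to low-privileged principals. The configuration path is not given in the advisory, so the script takes it as a mandatory parameter; the service names 'Zabbix Agent' and 'Zabbix Agent 2', and the assumption that the agent binary prints its version in response to `-V`, are likewise the author's assumptions and not taken from the page. Run it from an elevated session.

```powershell
<#
  Added example (not Zabbix code). Audits a Windows host for CVE-2025-27237:
  - is each Zabbix agent service running a build below the fixed release on its branch?
  - can low-privileged principals write the OpenSSL configuration path (or, if the
    file does not exist yet, create it in its parent directory)?
  Assumptions not taken from the advisory: default service names below, and that the
  agent binary prints a line containing x.y.z when run with -V.
#>
param(
    [Parameter(Mandatory)][string]$ConfigPath,                      # assumption: the openssl config file the agent loads
    [string[]]$ServiceNames = @('Zabbix Agent', 'Zabbix Agent 2')   # assumption: default service names
)

# Fixed releases from the advisory; any build on the same branch below these is affected.
$FixedIn = @{
    '6.0' = [version]'6.0.41'
    '7.0' = [version]'7.0.18'
    '7.2' = [version]'7.2.12'
    '7.4' = [version]'7.4.2'
}

function Test-ZabbixAgentAffected {
    # $true = affected, $false = patched, $null = branch not listed in the advisory
    param([Parameter(Mandatory)][version]$Version)
    $branch = '{0}.{1}' -f $Version.Major, $Version.Minor
    if (-not $FixedIn.ContainsKey($branch)) { return $null }
    return $Version -lt $FixedIn[$branch]
}

function Get-ServiceExecutable {
    # Resolve the service binary from its registered command line (quoted or bare path).
    param([string]$Name)
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name' OR DisplayName='$Name'"
    if (-not $svc) { return $null }
    if ($svc.PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($svc.PathName -split ' ')[0]
}

function Get-ZabbixAgentVersion {
    # Assumption: 'zabbix_agentd.exe -V' / 'zabbix_agent2.exe -V' print a line containing x.y.z.
    # Only the numeric triple is taken, so suffixes such as rc1 do not break the [version] cast.
    param([string]$Exe)
    $out = & $Exe -V 2>&1 | Out-String
    if ($out -match '(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    return $null
}

function Get-LowPrivWriteAces {
    # Allow ACEs that grant write-type rights to broad principals. If the config file does
    # not exist, the parent directory is what matters: whoever can create the file there
    # decides what OpenSSL loads.
    param([string]$Path)
    $target = if (Test-Path -LiteralPath $Path) { $Path } else { Split-Path -Parent $Path }
    $broad  = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData, AppendData'
    (Get-Acl -LiteralPath $target).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($broad -contains $_.IdentityReference.Value) -and
        (([int]$_.FileSystemRights -band [int]$writeMask) -ne 0)
    } | Select-Object @{ n = 'Target'; e = { $target } }, IdentityReference, FileSystemRights
}

# Version check per installed agent service
foreach ($name in $ServiceNames) {
    $exe = Get-ServiceExecutable $name
    if (-not $exe) { continue }                       # service not installed on this host
    $ver = Get-ZabbixAgentVersion $exe
    $branch = if ($ver) { '{0}.{1}' -f $ver.Major, $ver.Minor } else { $null }
    [pscustomobject]@{
        Service  = $name
        Binary   = $exe
        Version  = $ver
        Affected = if ($ver) { Test-ZabbixAgentAffected $ver } else { $null }
        FixedIn  = if ($branch -and $FixedIn.ContainsKey($branch)) { $FixedIn[$branch] } else { $null }
    }
}

# ACL check, done regardless of version: a patched agent with a still-writable config path is worth knowing about.
$aces = @(Get-LowPrivWriteAces -Path $ConfigPath)
if ($aces.Count -gt 0) {
    Write-Warning "OpenSSL config path '$ConfigPath' is writable by low-privileged principals:"
    $aces | Format-Table -AutoSize
} else {
    Write-Host "No broad write access found on '$ConfigPath' (checked the file or, if absent, its parent directory)."
}
```

A `$null` in the Affected column means the build's branch is not one the advisory covers, not that it is safe; treat it as needing a manual check. The ACL check deliberately looks at the parent directory when the file is absent, because on the affected builds the attacker does not need to modify an existing file, only to place one where the agent will look.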

Implications 

While the flaw requires local access to exploit, its impact is considerable. Code running with SYSTEM privileges bypasses all user-level restrictions: an attacker could install software, read credentials and other sensitive data, disable security tooling, and use the compromised machine as a foothold for lateral movement within the network. 

Given Zabbix’s popularity in enterprise and infrastructure monitoring, systems relying on Windows-based agents are especially urged to take swift action. The widespread deployment of these agents with elevated privileges makes them high-value targets in environments where strict privilege separation is critical. 

The vulnerability in Zabbix Agent and Agent2 for Windows underscores the importance of auditing not only software configurations but also the permissions on the paths from which privileged services load them, especially where bundled dependencies such as OpenSSL read configuration of their own. 

Administrators should review their systems for affected versions, apply the latest patches without delay, and follow best practices to prevent unauthorized file access and modification. 

For full technical details, affected version breakdowns, and update instructions, refer to the official Zabbix security advisory. 

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.