CVE-2025-27237 - Vulnerability Details - OpenCVE

In Zabbix Agent and Agent 2 on Windows, the OpenSSL configuration file is loaded from a path writable by low-privileged users, allowing malicious modification and potential local privilege escalation by injecting a DLL.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://support.zabbix.com/browse/ZBX-27061

History

Fri, 03 Oct 2025 11:45:00 +0000

Type	Values Removed	Values Added
Description		In Zabbix Agent and Agent 2 on Windows, the OpenSSL configuration file is loaded from a path writable by low-privileged users, allowing malicious modification and potential local privilege escalation by injecting a DLL.
Title		DLL injection in Zabbix Agent and Agent 2 via OpenSSL configuration
Weaknesses		CWE-427
References		https://support.zabbix.com/browse/ZBX-27061
Metrics		cvssV4_0 `{'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Zabbix

Published: 2025-10-03T11:28:43.076Z

Updated: 2025-10-03T11:28:43.076Z

Reserved: 2025-02-20T11:40:38.480Z

Link: CVE-2025-27237

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-10-03T12:15:43.930

Modified: 2025-10-03T12:15:43.930

Link: CVE-2025-27237

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-27237", "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "state": "PUBLISHED", "assignerShortName": "Zabbix", "dateReserved": "2025-02-20T11:40:38.480Z", "datePublished": "2025-10-03T11:28:43.076Z", "dateUpdated": "2025-10-03T11:28:43.076Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "modules": ["Agent", "Agent2"], "product": "Zabbix", "repo": "https://git.zabbix.com/", "vendor": "Zabbix", "versions": [{"changes": [{"at": "6.0.41", "status": "unaffected"}], "lessThanOrEqual": "6.0.40", "status": "affected", "version": "6.0.0", "versionType": "git"}, {"changes": [{"at": "7.0.18", "status": "unaffected"}], "lessThanOrEqual": "7.0.17", "status": "affected", "version": "7.0.0", "versionType": "git"}, {"changes": [{"at": "7.2.12", "status": "unaffected"}], "lessThanOrEqual": "7.2.11", "status": "affected", "version": "7.2.0", "versionType": "git"}, {"changes": [{"at": "7.4.2", "status": "unaffected"}], "lessThanOrEqual": "7.4.1", "status": "affected", "version": "7.4.0", "versionType": "git"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A local Windows user with Zabbix Agent installed could modify the OpenSSL configuration file, but this file is only loaded after Zabbix Agent or the system restarts.</p>"}], "value": "A local Windows user with Zabbix Agent installed could modify the OpenSSL configuration file, but this file is only loaded after Zabbix Agent or the system restarts."}], "credits": [{"lang": "en", "type": "reporter", "value": "Zabbix wants to thank himbeer for submitting this report on the HackerOne bug bounty platform."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In Zabbix Agent and Agent 2 on Windows, the OpenSSL configuration file is loaded from a path writable by low-privileged users, allowing malicious modification and potential local privilege escalation by injecting a DLL.</p>"}], "value": "In Zabbix Agent and Agent 2 on Windows, the OpenSSL configuration file is loaded from a path writable by low-privileged users, allowing malicious modification and potential local privilege escalation by injecting a DLL."}], "impacts": [{"capecId": "CAPEC-471", "descriptions": [{"lang": "en", "value": "CAPEC-471: Search Order Hijacking"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 7.3, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-427", "description": "CWE-427: Uncontrolled Search Path Element", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "shortName": "Zabbix", "dateUpdated": "2025-10-03T11:28:43.076Z"}, "references": [{"url": "https://support.zabbix.com/browse/ZBX-27061"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update the affected components to their respective fixed versions.</p>"}], "value": "Update the affected components to their respective fixed versions."}], "source": {"discovery": "EXTERNAL"}, "title": "DLL injection in Zabbix Agent and Agent 2 via OpenSSL configuration", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}