Talos Vulnerability Report


Zabbix Server Config Proxy Request Information Disclosure Vulnerability

April 9, 2018
CVE Number



An information disclosure vulnerability exists in the iConfig proxy request of Zabbix server 2.4.X. A specially crafted iConfig proxy request can cause the Zabbix server to send the configuration information of any Zabbix proxy, resulting in information disclosure. An attacker can make requests from an active Zabbix proxy to trigger this vulnerability.

Tested Versions

Zabbix Server 2.4.8.r1

Product URLs


CVSSv3 Score

3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N


CWE-200: Information Exposure


If an attacker can send packets to a Zabbix server from the IP address of a configured Zabbix proxy, whether through spoofing, legitimate access, or other means, then an attacker can request the database configuration information for any configured Zabbix proxy, assuming that the hostname of the Zabbix proxy can be guessed or brute-forced.

This database configuration information contains sensitive materials that could be used for further exploitation and discovery purposes.

The following is a subset of the sensitive information disclosed:

1. All configured monitored Zabbix agents and corresponding IP addresses.
2. All items that can be used to query data from the Zabbix agent, including user-configured UserParameters (potentially dangerous).
3. Hostmacros

Example Request (from any valid proxy IP):

ZBXD\x01\x30\x00\x00\x00\x00\x00\x00\x00{"request":"proxy config","host":"zabbix-proxy.abcd.com"}
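For detection, the frame layout in the example request (ZBXD\x01, an 8-byte little-endian length, then a JSON body) can be parsed from captured traffic and each "proxy config" request checked against the proxy hostname expected from its source IP. The following is an added example, not part of the original report or of Zabbix; the inventory, addresses, hostnames and function names are constructed assumptions. It flags a proxy IP asking for a different proxy's configuration, not a request for that proxy's own configuration.

```python
import json
import struct

ZBX_MAGIC = b"ZBXD\x01"  # signature plus flags byte, as in the example request

# Constructed inventory (assumption): source IP -> the one proxy hostname expected from it.
EXPECTED_PROXY = {
    "192.0.2.10": "proxy-a.example.test",
    "192.0.2.11": "proxy-b.example.test",
}


def build_frame(payload: dict) -> bytes:
    """Build a constructed sample frame: magic, 8-byte LE length, JSON body."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    return ZBX_MAGIC + struct.pack("<Q", len(body)) + body


def parse_frame(data: bytes) -> dict:
    """Parse one captured frame; raise ValueError on malformed input."""
    if len(data) < 13 or data[:5] != ZBX_MAGIC:
        raise ValueError("not a ZBXD frame")
    (length,) = struct.unpack("<Q", data[5:13])
    body = data[13:]
    if length != len(body):
        raise ValueError(f"declared length {length} != body length {len(body)}")
    # UnicodeDecodeError and json.JSONDecodeError are both ValueError subclasses.
    msg = json.loads(body.decode("utf-8"))
    if not isinstance(msg, dict):
        raise ValueError("body is not a JSON object")
    return msg


def classify(src_ip: str, data: bytes) -> str:
    """Return 'ok', 'ignore', 'malformed', 'unknown-source' or 'host-mismatch'."""
    try:
        msg = parse_frame(data)
    except ValueError:
        return "malformed"
    if msg.get("request") != "proxy config":
        return "ignore"  # other request types are out of scope for this check
    expected = EXPECTED_PROXY.get(src_ip)
    if expected is None:
        return "unknown-source"  # config request from an IP that is not a known proxy
    # A known proxy IP asking for another proxy's configuration is the case to alert on.
    return "ok" if msg.get("host") == expected else "host-mismatch"
```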


2017-04-22 - Vendor Disclosure
2018-04-09 - Public Release


Discovered by Lilith Wyatt of Cisco Advanced Security Initiatives Group.