CVE-2024-22122

Published: Aug 9, 2024

Modified: Nov 3, 2025

PUBLISHED

CVSS v3.1

3.0

LOW

Description

Zabbix allows to configure SMS notifications. AT command injection occurs on "Zabbix Server" because there is no validation of "Number" field on Web nor on Zabbix server side. Attacker can run test of SMS providing specially crafted phone number and execute additional AT commands on modem.

Vendor	Product	Versions
Zabbix	Zabbix	affected `5.0.0 - <= 5.0.42` affected `6.0.0 - <= 6.0.30` affected `6.4.0 - <= 6.4.15` affected `7.0.0alpha1 - <= 7.0.0rc2`

Weaknesses (CWE)

CWE-77

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

None

References

https://support.zabbix.com/browse/ZBX-25012

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-22122

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References