CVE-2025-49641 in Zabbix
Summary
by MITRE • 10/03/2025
A regular Zabbix user with no permission to the Monitoring -> Problems view is still able to call the problem.view.refresh action and therefore still retrieve a list of active problems.
Analysis
by VulDB Data Team • 10/06/2025
This vulnerability is a critical access control flaw in the Zabbix monitoring platform that undermines least privilege and role-based access control. Authenticated users who lack permission to the Monitoring -> Problems view can still obtain the list of active problems through an unexpected call path, the problem.view.refresh action. This gap in the permission model lets unauthorized users bypass the intended security boundary and read sensitive operational data that should remain restricted to personnel with the appropriate monitoring permissions.
Technically, the flaw stems from an incomplete authorization check in the Zabbix web interface's action handling. When a user invokes the problem.view.refresh action, the frontend does not verify that the requesting user holds the permission required to access problem data, even though the corresponding Monitoring -> Problems view is denied to that user. This oversight creates a direct path to privilege escalation: users can retrieve information about active system issues, alerts and operational problems without proper authorization. The vulnerability sits at the application layer, in the authentication and authorization framework of Zabbix, which is widely used for IT infrastructure monitoring and event management.
From an operational perspective, this vulnerability poses significant security risks to organizations relying on Zabbix for monitoring critical infrastructure. An attacker or unauthorized user could potentially gather intelligence about system health, identify vulnerable components, and understand the operational landscape of monitored environments. This information could facilitate further attacks, including targeting specific system issues, understanding network topology through problem patterns, or identifying potential service disruptions. The exposure of active problems creates a gold mine of operational intelligence that could be leveraged for both reconnaissance and more sophisticated attack vectors. According to CWE-285, this represents an improper authorization issue that directly violates security policies and can lead to information disclosure and privilege escalation scenarios.
The impact extends beyond simple information disclosure, as it can enable attackers to perform reconnaissance activities that would normally be restricted to privileged users. This vulnerability aligns with ATT&CK technique T1069.003 (Local Network Configuration/Permissions) where adversaries can gather information about network configurations and access controls. Organizations using Zabbix for production monitoring environments face potential exposure of sensitive operational data, including system downtime patterns, security incidents, and infrastructure health status. The vulnerability affects any Zabbix deployment where users have been granted basic access but not full monitoring permissions, creating a scenario where even low-privilege users can access critical operational information.
Mitigation should focus on promptly applying the vendor's patch and on a comprehensive review of user permissions within the monitoring environment. Organizations must ensure that every user's role assignment matches their actual operational needs and that the problem.view.refresh action is restricted to authorized users only. Network segmentation and monitoring of API calls can help detect unauthorized access attempts. Security teams should run regular permission audits and consider additional controls such as API rate limiting and enhanced logging of problem view access attempts. The vulnerability demonstrates the importance of correct access control implementation and the need for continuous security testing of monitoring platforms, which serve as central points of operational visibility in enterprise environments.
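To make the permission review above concrete, here is an added example (not code from Zabbix or VulDB) that takes the results of the Zabbix JSON-RPC calls role.get (with selectRules: "extend") and user.get and lists the users whose role denies Monitoring -> Problems, i.e. the accounts this flaw exposes on an unpatched frontend. The sample API results are constructed, and the field names (rules.ui, ui.default_access, username, roleid) are assumed to follow the Zabbix role and user API.

```python
import json

# Constructed sample of role.get (selectRules: "extend") and user.get
# results; values are made up for this example.
ROLE_GET_RESULT = json.loads("""
[
  {"roleid": "1", "name": "Monitoring operator",
   "rules": {"ui.default_access": "1",
             "ui": [{"name": "monitoring.problems", "status": "1"}]}},
  {"roleid": "2", "name": "Ticket viewer",
   "rules": {"ui.default_access": "1",
             "ui": [{"name": "monitoring.problems", "status": "0"}]}},
  {"roleid": "3", "name": "Deny-by-default",
   "rules": {"ui.default_access": "0",
             "ui": [{"name": "monitoring.dashboard", "status": "1"}]}}
]
""")
USER_GET_RESULT = json.loads("""
[
  {"userid": "1", "username": "alice", "roleid": "1"},
  {"userid": "2", "username": "bob",   "roleid": "2"},
  {"userid": "3", "username": "carol", "roleid": "3"}
]
""")


def ui_element_allowed(role: dict, element: str) -> bool:
    """Effective access to one UI element: an explicit rule for the
    element wins; otherwise the role's ui.default_access applies."""
    rules = role.get("rules", {})
    for rule in rules.get("ui", []):
        if rule["name"] == element:
            return rule["status"] == "1"
    return rules.get("ui.default_access", "1") == "1"


def users_without_problems_view(roles: list, users: list) -> list:
    """Usernames whose role denies Monitoring -> Problems. Until the
    vendor patch is applied these accounts can still reach active
    problem data via problem.view.refresh, so review them first."""
    denied_roles = {r["roleid"] for r in roles
                    if not ui_element_allowed(r, "monitoring.problems")}
    return sorted(u["username"] for u in users if u["roleid"] in denied_roles)


if __name__ == "__main__":
    for name in users_without_problems_view(ROLE_GET_RESULT, USER_GET_RESULT):
        print(f"{name}: no Monitoring -> Problems permission; review for CVE-2025-49641")
```

Against a live server, feed the script the actual role.get and user.get results instead of the constructed samples; a deny-by-default role that never lists monitoring.problems is handled the same as an explicit deny.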