
CVE-2022-23131 on CISA KEV


CISA KEV — Actively Exploited

Zabbix Frontend Authentication Bypass Vulnerability

Vendor / Product
Zabbix / Frontend
Added to KEV
2022-02-22
BOD 22-01 due
2022-03-08
Ransomware use
Unknown
CVSS / EPSS
9.1 CRITICAL · EPSS 94.25%

01 What CISA says about this vulnerability

In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. Malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor…

02 Required action (verbatim from CISA)

Apply updates per vendor instructions.

03 Notes & references

04 SARA's analyst layer: why this matters

This vulnerability is currently on the CISA KEV list, which CISA only adds CVEs to when there is reliable evidence of active exploitation in the wild. For federal civilian agencies, BOD 22-01 requires remediation by the due date above. For everyone else, KEV is the strongest "patch immediately" signal you can get from public threat intel.

05 Affected products (summary)

Vendor    Product    Versions
Zabbix    Frontend   5.4.0 - 5.4.8, 5.4.9

06 Detection

Open the Sigma generator with a pre-filled prompt for this CVE to draft a starting detection:
