SB2025100639 - Multiple vulnerabilities in Zabbix
Published: October 6, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2025-27231)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to a logic error when updating LDAP configuration. A remote authenticated administrator can change the 'Host' field of the LDAP server to an arbitrary value and recover the previously saved password for the previous connection.
2) Improper access control (CVE-ID: CVE-2025-49641)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions for the problem.view.refresh action. A remote user with no permission to the "Monitoring -> Problems" view can call the problem.view.refresh action and therefore still retrieve a list of active problems.
Remediation
Install update from vendor's website.