CVE-2025-27237 PUBLISHED

DLL injection in Zabbix Agent and Agent 2 via OpenSSL configuration

Assigner: Zabbix
Reserved: 20.02.2025 Published: 03.10.2025 Updated: 26.02.2026

In Zabbix Agent and Agent 2 on Windows, the OpenSSL configuration file is loaded from a path writable by low-privileged users, allowing malicious modification and potential local privilege escalation by injecting a DLL.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	Present	Availability	High	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	Zabbix
Product	Zabbix
Versions	Default: unknown affected from 6.0.0 to 6.0.40 (incl.) affected from 7.0.0 to 7.0.17 (incl.) affected from 7.2.0 to 7.2.11 (incl.) affected from 7.4.0 to 7.4.1 (incl.)

Affected Configurations

A local Windows user with Zabbix Agent installed could modify the OpenSSL configuration file, but this file is only loaded after Zabbix Agent or the system restarts.

Solutions

Update the affected components to their respective fixed versions.

Credits

Zabbix wants to thank himbeer for submitting this report on the HackerOne bug bounty platform. reporter

References

https://support.zabbix.com/browse/ZBX-27061

Problem Types

CWE-427: Uncontrolled Search Path Element CWE

Impacts

CAPEC-471: Search Order Hijacking