Zabbix: AT Command Injection Exploit

In Zabbix versions 5.0.0 – 5.0.42, 6.0.0 – 6.0.30, 6.4.0 – 6.4.15, 7.0.0alpha1 – 7.0.0rc2 a medium severity vulnerability CVE-2024-22122 was detected. This vulnerability allows attackers to execute arbitrary AT commands on a modem through specially crafted input in the “Number” field during SMS notification configuration in Zabbix, due to the lack of validation on both the web interface and server side. To fix this problem, users should upgrade Zabbix to versions 5.0.43rc1, 6.0.31rc1, 6.4.16rc1, and 7.0.0rc3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-22122.