RCE in Zabbix
CVE-2025-27234
Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. In Zabbix 5.0 this allows for remote code execution.
Vulnerability class: Command Injection (OS Command Injection)
EPSS: 0.003 (21.0th percentile) — read the EPSS interpretation.
Affected products
- Zabbix — versions 5.0.0