Zabbix has warned of a critical-severity vulnerability in its open source enterprise network monitoring solution that could allow attackers to inject arbitrary SQL queries and compromise data or the system.
Tracked as CVE-2024-42327 (CVSS score of 9.9), the security defect exists in a function that is available to any user with a role that has API access, Zabbix warned.
“A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability,” the company notes in its advisory.
“An SQLi exists in the CUser class in the addRelatedObjects function; this function is being called from the CUser.get function, which is available for every user who has API access,” it continues.
The vulnerability was also analyzed by Qualys, which noted that exploitation could allow attackers to escalate privileges and gain complete control of vulnerable Zabbix servers. The cybersecurity firm has seen over 83,000 internet-exposed Zabbix servers.
The flaw, the vendor announced, affects Zabbix versions 6.0.0 through 6.0.31, 6.4.0 through 6.4.16, and 7.0.0.
Although an advisory on CVE-2024-42327 was published only last week, patches for the issue were included in versions 6.0.32rc1, 6.4.17rc1, and 7.0.1rc1, which were released in July.
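The affected and fixed version numbers above are easy to misread when a frontend reports a release-candidate string such as 6.0.32rc1. The following script is an added example, not Zabbix or Qualys code: it encodes the three affected ranges as published (6.0.0 through 6.0.31, 6.4.0 through 6.4.16, and 7.0.0) and classifies a version string against them, treating an rc build by its release number so that the rc1 builds carrying the fix are reported as patched. The optional `fetch_version` helper asks a frontend for its version through the real, unauthenticated `apiinfo.version` JSON-RPC method; the function names, the command-line handling and the sample version strings are this example's own assumptions.

```python
"""Classify a Zabbix frontend version against the CVE-2024-42327 affected ranges.

Added example; not code from Zabbix or from the advisory. The ranges are the
ones the vendor published; everything else here is illustrative.
"""
import json
import re
import sys
import urllib.request

# Affected ranges per branch, (lowest, highest) inclusive, as published by Zabbix.
AFFECTED = {
    (6, 0): ((6, 0, 0), (6, 0, 31)),
    (6, 4): ((6, 4, 0), (6, 4, 16)),
    (7, 0): ((7, 0, 0), (7, 0, 0)),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(rc\d+)?$")


def parse_version(text):
    """Turn '6.0.31' or '6.0.32rc1' into (major, minor, patch, rc).

    rc is None for a final release. Anything else raises ValueError rather
    than silently classifying an unknown string.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    rc = int(m.group(4)[2:]) if m.group(4) else None
    return major, minor, patch, rc


def is_affected(text):
    """True if the version lies inside a published affected range.

    Release candidates are compared by their release number, so 6.0.32rc1,
    which carries the fix, is reported as not affected. A branch the advisory
    does not name (for example 5.0) returns False; that only means the advisory
    lists no range for it, not that the branch was assessed as safe.
    """
    major, minor, patch, _rc = parse_version(text)
    branch = AFFECTED.get((major, minor))
    if branch is None:
        return False
    low, high = branch
    return low <= (major, minor, patch) <= high


def fetch_version(frontend_url, timeout=10):
    """Return the version string a Zabbix frontend reports via apiinfo.version.

    apiinfo.version needs no authentication and is served from
    /api_jsonrpc.php on every supported release. Network access is only used
    when this function is called explicitly.
    """
    body = json.dumps({"jsonrpc": "2.0", "method": "apiinfo.version",
                       "params": [], "id": 1}).encode()
    req = urllib.request.Request(
        frontend_url.rstrip("/") + "/api_jsonrpc.php",
        data=body,
        headers={"Content-Type": "application/json-rpc"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["result"]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage (hypothetical host): python check_zabbix.py https://zabbix.example.internal
        version = fetch_version(sys.argv[1])
        print(f"{sys.argv[1]} reports {version}: "
              f"{'AFFECTED' if is_affected(version) else 'not in affected ranges'}")
    else:
        # Constructed sample strings, not real hosts.
        for sample in ("6.0.31", "6.0.32rc1", "6.4.16", "6.4.17rc1", "7.0.0", "7.0.1rc1"):
            print(f"{sample:>10}: {'AFFECTED' if is_affected(sample) else 'not in affected ranges'}")
```

Because `apiinfo.version` answers without credentials, the same query is what an attacker scanning for the 83,000 exposed frontends would send first; restricting who can reach `/api_jsonrpc.php` at all is worth more than hiding the version string.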
The patched iterations also resolve CVE-2024-36466 (CVSS score of 8.8), an authentication bypass issue that could allow an attacker to sign a forged zbx_session cookie and log in with administrator permissions.
Zabbix version 7.0.1rc1 also fixes CVE-2024-36462, an uncontrolled resource consumption vulnerability that could allow an attacker to cause a denial-of-service (DoS) condition.
The company makes no mention of any of these vulnerabilities being exploited in the wild. Users are advised to update their installations to a patched version as soon as possible.
According to Zabbix, its monitoring solution is used by organizations in the education, finance, food, healthcare, IT, manufacturing, and retail sectors around the world.