Detections
Analytics

Zabbix 6.0.x < 6.0.42 / 7.0.x < 7.0.19 / 7.2.x < 7.2.13 / 7.4.x < 7.4.3 DoS (ZBX-27284)

medium Nessus Plugin ID 304680

Language:

Synopsis

A monitoring application installed on the remote host is affected by a denial of service vulnerability.

Description

The version of Zabbix Server installed on the remote host is affected by a vulnerability. An authenticated Zabbix user (including Guest) is able to cause disproportionate CPU load on the webserver by sending specially crafted parameters to /imgstore.php, leading to potential denial of service.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Zabbix version 6.0.42, 7.0.19, 7.2.13, 7.4.3 or later.

See Also

https://support.zabbix.com/browse/ZBX-27284

Plugin Details

Severity: Medium

ID: 304680

File Name: zabbix_ZBX-27284.nasl

Version: 1.2

Type: Local

Family: Misc.

Published: 4/2/2026

Updated: 4/6/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2025-49643

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6

Threat Score: 2.3

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

CPE: cpe:/a:zabbix:zabbix_server

Required KB Items: installed_sw/Zabbix Server

Exploit Ease: No known exploits are available

Patch Publication Date: 12/1/2025

Vulnerability Publication Date: 12/1/2025

Reference Information

CVE: CVE-2025-49643