Zabbix has disclosed a critical SQL injection vulnerability (CVE-2024-42327, CVSS 9.9) in its open-source enterprise network monitoring tool. It affects versions 6.0.0–6.0.31, 6.4.0–6.4.16, and 7.0.0, and allows an attacker with API access to escalate privileges and compromise the system. Successful exploitation can give full control of a Zabbix server, and over 83,000 instances are exposed online. The patched versions (6.0.32rc1, 6.4.17rc1, and 7.0.1rc1), released in July, also address CVE-2024-36466 (authentication bypass) and CVE-2024-36462 (denial of service). No exploitation in the wild has been reported so far, but users across industries are urged to update immediately.
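For a defender, the first question is which hosts fall inside the affected ranges above and which fixed release each one needs. The following script is an added example, not code from Zabbix or from the original advisory. It encodes only the version ranges and fixed versions stated above; the assumptions are that a version string has the form `major.minor.patch` with an optional `rcN` suffix, that a release candidate is compared by its numeric core (so a `7.0.0rc` build is conservatively treated like 7.0.0), that the first line of `zabbix_server --version` looks like `zabbix_server (Zabbix) 7.0.0`, and that the host inventory at the bottom is constructed sample data.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Affected ranges and the first fixed release per branch, as listed in the
# advisory summary for CVE-2024-42327: (lowest affected, highest affected, fixed_in).
AFFECTED_RANGES: List[Tuple[Tuple[int, int, int], Tuple[int, int, int], str]] = [
    ((6, 0, 0), (6, 0, 31), "6.0.32rc1"),
    ((6, 4, 0), (6, 4, 16), "6.4.17rc1"),
    ((7, 0, 0), (7, 0, 0), "7.0.1rc1"),
]

# Matches "6.0.31", "6.0.32rc1" or the version embedded in a longer line such as
# "zabbix_server (Zabbix) 7.0.0" (assumed format of `zabbix_server --version`).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(rc\d+)?\b")


class VersionStatus(NamedTuple):
    version: str          # normalised numeric core, e.g. "6.0.31"
    affected: bool        # True if inside one of the affected ranges
    fixed_in: Optional[str]  # fixed release for that branch, or None


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return the (major, minor, patch) core of a Zabbix version string.

    The rc suffix is deliberately ignored: a pre-release is compared by its
    numeric core, which is the conservative choice (assumption, see lead-in).
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def check_version(text: str) -> VersionStatus:
    """Classify one version string against the affected ranges."""
    core = parse_version(text)
    normalised = ".".join(str(n) for n in core)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= core <= high:          # tuple comparison is lexicographic
            return VersionStatus(normalised, True, fixed)
    return VersionStatus(normalised, False, None)


def triage(inventory: Dict[str, str]) -> List[Tuple[str, VersionStatus]]:
    """Return (hostname, status) for every host whose version is affected.

    `inventory` maps a hostname to the first line of `zabbix_server --version`
    (or a bare version string) collected from that host.
    """
    hits = []
    for host, version_line in inventory.items():
        status = check_version(version_line)
        if status.affected:
            hits.append((host, status))
    return hits


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample_inventory = {
        "zbx-prod-01": "zabbix_server (Zabbix) 6.0.31",
        "zbx-prod-02": "zabbix_server (Zabbix) 6.0.32rc1",
        "zbx-lab-01": "zabbix_server (Zabbix) 7.0.0",
        "zbx-lab-02": "6.4.17",
        "zbx-legacy": "5.0.40",
    }
    for host, status in triage(sample_inventory):
        print(f"{host}: {status.version} affected, upgrade to {status.fixed_in}")
```

Run it against the output of `zabbix_server --version` gathered from each server (or against the version your configuration management already records); hosts that print nothing are outside the affected ranges for this CVE, which says nothing about any other advisory.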