A critical security flaw in Zabbix Agent and Agent2 for Windows has been identified that permits a local attacker to escalate privileges to the SYSTEM level.
Tracked as CVE-2025-27237, the issue arises from the way the agent loads its OpenSSL configuration file during service startup. Zabbix, a widely adopted open-source monitoring solution, relies on elevated permissions on Windows hosts to gather in-depth system metrics.
In affected versions, the OpenSSL configuration file is stored in a directory where non-administrative users have write access.
By replacing or modifying this file to reference a malicious DLL, an attacker can force the agent to load and execute arbitrary code as the SYSTEM user upon service restart.
Technical Details
In Zabbix Agent and Agent2 versions 6.0.0 through 6.0.40, 7.0.0 through 7.0.17, 7.2.0 through 7.2.11, and 7.4.0 through 7.4.1, the OpenSSL configuration path resides in a location with insufficient access controls.
When the service initiates, it reads the configuration file to establish secure communications.
An adversary with any level of local access can modify this file to include directives that load a crafted DLL.
Upon service restart triggered either manually or during host reboot, the agent processes the malicious configuration, resulting in arbitrary code execution at SYSTEM privileges and complete host takeover.
| CVE ID | Affected Versions | Impact | Exploit Prerequisites | CVSS 4.0 Score Vector |
|---|---|---|---|---|
| CVE-2025-27237 | 6.0.0 – 6.0.40 7.0.0 – 7.0.17 7.2.0 – 7.2.11 7.4.0 – 7.4.1 | Local privilege escalation | Local user access to Windows host | 7.3 (High) |
The flaw was responsibly disclosed by researcher himbeer through the HackerOne bug bounty program and promptly confirmed by the Zabbix Support Team via ticket ZBX-27061.
To remediate this vulnerability, administrators must upgrade to one of the patched releases: 6.0.41, 7.0.18, 7.2.12, or 7.4.2.
The updates secure the OpenSSL configuration path by moving the file to a directory exclusively writable by administrators, thereby eliminating unauthorized modifications.
After performing the upgrade, restart the Zabbix Agent or Agent2 service to ensure the new configuration path is enforced.
No alternative mitigations or workarounds are available; installing the patch is the only effective defense.
Organizations using Zabbix to monitor Windows environments should treat this vulnerability as a top priority.
Failure to apply the update exposes critical systems to full compromise by any local user account.
By upgrading immediately and enforcing strict file permission policies, security teams can prevent attackers from exploiting CVE-2025-27237 to gain complete control over monitored hosts.
Continuous monitoring and adherence to best practices for service account permissions will further reduce the risk of similar issues in future releases.
Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today
%20(1).webp?resize=1600,900&ssl=1&description=A critical security flaw in Zabbix Agent and Agent2 for Windows has been identified that permits a local attacker to escalate privileges to the SYSTEM level.){kind=link}