CVE-2024-22116 is a critical arbitrary code execution vulnerability in Zabbix Server. This vulnerability affects versions 6.4.0 to 6.4.15 and 7.0.0alpha1 to 7.0.0rc2. The issue stems from improper control over script parameters in the Ping script execution feature within the Monitoring Hosts section of Zabbix Server. Attackers with restricted administrative privileges can exploit this vulnerability to inject and execute arbitrary code, which can compromise the entire Zabbix infrastructure.
The CVSS score of 9.9 reflects the severe impact on confidentiality, integrity, and availability, as well as the relative ease with which it can be exploited. Organizations using affected versions are strongly urged to upgrade to Zabbix Server 6.4.16rc1 or 7.0.0rc3, as there are no known workarounds.
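A defender-side check that maps the affected and fixed version boundaries stated above onto a running installation. This is an added example, not Zabbix's own tooling; it assumes the first line of `zabbix_server -V` output has the form `zabbix_server (Zabbix) 6.4.15` (a constructed sample is embedded), and it orders pre-release tags as alpha < beta < rc < final so that 7.0.0rc2 counts as affected while 7.0.0rc3, 6.4.16rc1 and 7.0.0 do not.

```python
import re
from typing import Optional, Tuple

# Inclusive affected ranges as stated in the CVE-2024-22116 advisory.
AFFECTED_RANGES = [
    ("6.4.0", "6.4.15"),
    ("7.0.0alpha1", "7.0.0rc2"),
]

# Pre-release tags sort before a final release: alpha < beta < rc < final.
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?\b")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Zabbix version string into a comparable tuple:
    (major, minor, patch, prerelease_rank, prerelease_number)."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, _FINAL_RANK, 0)
    return (major, minor, patch, _PRERELEASE_RANK[m.group(4)], int(m.group(5)))


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def version_from_banner(banner: str) -> Optional[str]:
    """Extract the version from `zabbix_server -V` output (format is an assumption)."""
    m = _VERSION_RE.search(banner.splitlines()[0] if banner else "")
    return m.group(0) if m else None


if __name__ == "__main__":
    # Constructed sample banner, not real tool output.
    sample = "zabbix_server (Zabbix) 6.4.15\nRevision 00000000 1 Jan 2024, compilation time: Jan  1 2024"
    ver = version_from_banner(sample)
    print(ver, "affected" if ver and is_affected(ver) else "not affected")
```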