Zabbix security flaw affects Windows agents


Cyber Security News reports that Zabbix has patched a high-severity Windows privilege escalation vulnerability, tracked as CVE-2025-27237, in its monitoring agents. The flaw results from improper handling of OpenSSL configuration files: a local user can modify the configuration file path and trigger a dynamic link library injection to gain elevated privileges. Exploitation requires local access, modification of the OpenSSL configuration file path, and a restart of the Zabbix Agent service or the system. Researcher himbeer reported the issue through Zabbix's HackerOne bug bounty program. It affects a wide range of product versions, including Zabbix Agent 6.0.0 through 6.0.40 and 7.0.0 through 7.0.17, and Zabbix Agent 2 versions 7.2.0 through 7.2.11 and 7.4.0 through 7.4.1. Zabbix has released patched versions 6.0.41, 7.0.18, 7.2.12, and 7.4.2, which introduce stricter access controls and validation of OpenSSL configuration files. The company has urged administrators to upgrade immediately, as no workarounds exist. Organizations using Zabbix monitoring tools, particularly in shared or multi-user Windows environments, should prioritize patching, since the flaw could affect thousands of Windows-based monitoring setups.
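As an added triage example (not code from the article or from Zabbix), the following PowerShell script checks whether an installed agent falls inside the affected ranges quoted above and whether non-privileged users hold write access to the OpenSSL configuration file the agent loads. The agent binary path and the configuration file path are placeholders to be set per host, and the branch-to-fixed-version mapping is taken from the patched releases named in the brief.

```powershell
# Added triage example for CVE-2025-27237 exposure on a Windows host.
# Not Zabbix's own code. Paths are placeholders; set them to the real
# agent binary and the OpenSSL config file the agent actually loads.
param(
    [string]$AgentExe    = 'C:\PLACEHOLDER\zabbix_agent2.exe',  # placeholder
    [string]$OpenSslConf = 'C:\PLACEHOLDER\openssl.cnf'         # placeholder
)

# First fixed release per branch, as reported in the brief
# (6.0.41, 7.0.18, 7.2.12, 7.4.2). Anything below is inside an affected range.
$fixedByBranch = @{
    '6.0' = [version]'6.0.41'
    '7.0' = [version]'7.0.18'
    '7.2' = [version]'7.2.12'
    '7.4' = [version]'7.4.2'
}

function Get-ZabbixAgentRemediation {
    param([Parameter(Mandatory)][version]$Installed)
    $branch = "$($Installed.Major).$($Installed.Minor)"
    if (-not $fixedByBranch.ContainsKey($branch)) {
        return [pscustomobject]@{
            Branch = $branch; Installed = $Installed
            Status = 'branch not listed in the advisory'; UpgradeTo = $null
        }
    }
    $fixed  = $fixedByBranch[$branch]
    $status = if ($Installed -lt $fixed) { 'VULNERABLE' } else { 'patched' }
    [pscustomobject]@{ Branch = $branch; Installed = $Installed; Status = $status; UpgradeTo = $fixed }
}

# 1. Version check from the binary's file metadata.
if (Test-Path $AgentExe) {
    $raw = (Get-Item $AgentExe).VersionInfo.ProductVersion
    # Keep only the leading numeric part (e.g. "7.0.17") before casting.
    $installed = [version]($raw -replace '[^0-9.].*$', '')
    Get-ZabbixAgentRemediation -Installed $installed | Format-List
} else {
    Write-Warning "Agent binary not found at $AgentExe; pass -AgentExe with the real path."
}

# 2. ACL check. The flaw depends on a local, non-privileged user being able to
#    change the OpenSSL configuration file path, so flag any write, modify or
#    full-control grant to non-administrative principals on the config file
#    and on its parent directory.
$privileged = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller'
foreach ($path in @($OpenSslConf, (Split-Path $OpenSslConf -Parent))) {
    if (-not (Test-Path $path)) { Write-Warning "Not found: $path"; continue }
    (Get-Acl $path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -notin $privileged -and
            ($_.FileSystemRights -match 'Write|Modify|FullControl')
        } |
        ForEach-Object { "$path : $($_.IdentityReference) has $($_.FileSystemRights)" }
}
```

Run it in an elevated session on each monitored Windows host; a `VULNERABLE` status names the release to move to, and any line from the ACL check identifies a principal whose write access to the configuration location should be removed while the upgrade is scheduled.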
