Local Privilege Escalation in Zabbix Agent and Agent 2 on Windows via writable OpenSSL configuration path
CVE-2025-27237 is a local privilege escalation vulnerability affecting Zabbix Agent and Zabbix Agent 2 on Windows. The issue arises because the OpenSSL configuration file is loaded from a path that low-privileged users can write to. This insecure search/load behavior allows a local attacker to place a modified OpenSSL configuration at that path and use it to have a DLL loaded. In the affected Windows deployment context, this can result in execution of attacker-controlled code in the security context of the Zabbix agent service, potentially elevating privileges to SYSTEM.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
Repository is a PoC and analysis package for CVE-2025-27237 (Zabbix Agent/Agent 2 for Windows local privilege escalation via OpenSSL configuration file hijacking / uncontrolled search path element).
Structure & purpose:
- CVE-2025-27237-analysis.md: technical write-up explaining that Zabbix Agent binaries embed hardcoded OpenSSL directories (OPENSSLDIR/ENGINESDIR/MODULESDIR). OPENSSLDIR points to a path under C:\vcpkg\... that a low-privileged user can create and populate, enabling hijack of openssl.cnf.
- CVE-2025-27237-PoC.md: step-by-step exploitation guide: create the hardcoded directory tree, drop a malicious openssl.cnf that loads a provider module (DLL), place the DLL, then trigger by restarting/starting the agent.
- extract_openssl_paths.py: helper tool that analyzes Zabbix binaries locally using `strings` and optionally `radare2` to extract OPENSSLDIR/ENGINESDIR/MODULESDIR and the OpenSSL version; it also checks for relevant OpenSSL symbols (e.g., CONF_modules_load, ENGINE_by_id, dynamic_path) and outputs JSON.
- poc.c / poc2.c / poc3.c: Windows DLL payload examples implementing DllMain and exporting OSSL_provider_init (required for OpenSSL provider loading). Payload actions are benign PoC indicators: a MessageBox popup and/or writing C:\EXPLOITED.txt.
Exploit capability:
- A local attacker plants an OpenSSL configuration file at the hardcoded OPENSSLDIR (not under Program Files) and uses the OpenSSL provider mechanism to load an arbitrary DLL. When Zabbix Agent runs as a Windows service (commonly SYSTEM) and initializes TLS/OpenSSL, it parses the attacker-controlled openssl.cnf and loads the DLL, yielding code execution as the service account (privilege escalation).
- No network exploitation is implemented; triggering is via local filesystem manipulation plus a service restart/agent start with TLS enabled.
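The exploit chain above leaves three observable traces on the host: an openssl.cnf being written outside the Zabbix install directory, the agent process loading a DLL from an untrusted location, and, for the public PoC payloads specifically, the C:\EXPLOITED.txt marker file. The following triage script is an added example written for this page; it is not code from Mallory or from the PoC repository. It parses Sysmon-style FileCreate (EventID 11) and ImageLoad (EventID 7) records and raises a finding for each trace. The log lines are constructed for the example, the OPENSSLDIR segment `EXAMPLE_OPENSSLDIR` is a placeholder for the real hardcoded path (which the page only gives as C:\vcpkg\...), and the install directory `C:\Program Files\Zabbix Agent` is an assumed default.

```python
"""Triage Sysmon-style events for CVE-2025-27237 indicators (added example)."""
import re
from typing import Dict, List, Tuple

# Assumed trusted locations for the agent's own files and DLLs; adjust to the
# real install path of the deployment. The prefix also covers "Zabbix Agent 2".
TRUSTED_PREFIXES = (
    r"c:\program files\zabbix agent",
    r"c:\windows\system32",
)
AGENT_IMAGES = ("zabbix_agentd.exe", "zabbix_agent2.exe")
# Benign marker written by the public PoC DLLs (from the repository description).
POC_MARKER = r"c:\exploited.txt"

# Constructed sample events in key="value" form; EXAMPLE_OPENSSLDIR is a placeholder.
SAMPLE_EVENTS = [
    r'EventID="11" Image="C:\Windows\explorer.exe" User="DESKTOP\lowpriv" '
    r'TargetFilename="C:\vcpkg\EXAMPLE_OPENSSLDIR\openssl.cnf"',
    r'EventID="11" Image="C:\Program Files\Zabbix Agent\zabbix_agentd.exe" '
    r'User="NT AUTHORITY\SYSTEM" TargetFilename="C:\Program Files\Zabbix Agent\zabbix_agentd.log"',
    r'EventID="7" Image="C:\Program Files\Zabbix Agent\zabbix_agentd.exe" '
    r'ImageLoaded="C:\vcpkg\EXAMPLE_OPENSSLDIR\providers\unknown_provider.dll" Signed="false"',
    r'EventID="7" Image="C:\Program Files\Zabbix Agent\zabbix_agentd.exe" '
    r'ImageLoaded="C:\Windows\System32\ws2_32.dll" Signed="true"',
    r'EventID="11" Image="C:\Program Files\Zabbix Agent\zabbix_agentd.exe" '
    r'User="NT AUTHORITY\SYSTEM" TargetFilename="C:\EXPLOITED.txt"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Turn a key="value" log line into a dict of fields."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def _in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for one event; empty list if benign."""
    findings: List[Tuple[str, str]] = []
    event_id = event.get("EventID")

    if event_id == "11":  # FileCreate
        target = event.get("TargetFilename", "")
        # An openssl.cnf appearing anywhere outside the agent's own directory is
        # the precondition for the hijack; record who wrote it.
        if _basename(target) == "openssl.cnf" and not _in_trusted_dir(target):
            findings.append(("config_hijack",
                             f"{target} written by {event.get('User', '?')}"))
        if target.lower() == POC_MARKER:
            findings.append(("poc_marker", f"{target} created by {event.get('Image', '?')}"))

    elif event_id == "7":  # ImageLoad
        if _basename(event.get("Image", "")) in AGENT_IMAGES:
            loaded = event.get("ImageLoaded", "")
            signed = event.get("Signed", "").lower() == "true"
            # The agent should only load DLLs from its install dir or System32,
            # and those should be signed; an OpenSSL provider from OPENSSLDIR is neither.
            if not _in_trusted_dir(loaded) or not signed:
                findings.append(("untrusted_provider_load",
                                 f"{event['Image']} loaded {loaded} (signed={signed})"))
    return findings


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run classify() over every log line and collect all findings."""
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        alerts.extend(classify(parse_event(line)))
    return alerts


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

On the constructed input the scan yields three findings (config_hijack, untrusted_provider_load, poc_marker) and stays silent on the agent's own log write and its System32 import. The config_hijack rule fires on the file write itself, before any service restart, which is the point at which a defender can still remove the file and deny write access to the hardcoded directory; the other two rules only confirm a load that has already happened.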
Recent activity
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Unknown (content is paywalled; only tags indicate a privilege escalation to SYSTEM involving Zabbix/Zabbix Agent and possibly OpenSSL).
A vulnerability in Zabbix Agent, listed as a trending CVE for the week. No further details provided.