CVE-2025-27233: 
Zabbix Server vulnerability analysis and mitigation

A command injection vulnerability was discovered in Zabbix Agent 2's smartctl plugin (CVE-2025-27233). The vulnerability affects versions 6.0.0 through 6.0.39, 7.0.0 through 7.0.10, and 7.2.0 through 7.2.4, where the smart.disk.get parameters are not properly sanitized. This security flaw was disclosed on September 12, 2025, and allows attackers to inject unexpected arguments into the smartctl command (Zabbix Issue, NVD Entry).

The vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command) and has received a CVSS v4.0 score of 5.7 (Medium) with the vector string CVSS:4.0/AV:A/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. The technical issue stems from insufficient parameter sanitization in the smartctl plugin's smart.disk.get functionality, which can be exploited through parameter manipulation (NVD Entry).

The primary impact of this vulnerability is the potential to leak NTLMv2 hash from affected Windows systems. This could potentially lead to unauthorized access if the leaked credentials are successfully cracked (Zabbix Issue).

Fixed versions have been released: 6.0.40, 7.0.11, and 7.2.5. For systems that cannot be immediately updated, workarounds include removing smartctl or implementing strict item key parameter validation with AllowKey/DenyKey. Debian has also released security updates for affected packages (Zabbix Issue, Debian Tracker).

The vulnerability was responsibly disclosed through the HackerOne bug bounty platform by security researcher kelsier, demonstrating Zabbix's commitment to collaborative security improvement (Zabbix Issue).