CVE-2025-27240: 
Zabbix Server vulnerability analysis and mitigation

A critical SQL injection vulnerability (CVE-2025-27240) was discovered in Zabbix Server, affecting versions 6.0.0-6.0.33, 6.4.0-6.4.18, and 7.0.0-7.0.3. The vulnerability allows a Zabbix administrator to inject arbitrary SQL during the autoremoval of hosts by inserting malicious SQL in the 'Visible name' field. The vulnerability was disclosed on September 12, 2025, and was assigned a CVSS 4.0 score of 7.5 (High) (Zabbix Support).

The vulnerability is classified as CWE-89 (SQL Injection) and received a CVSS 4.0 Base Score of 7.5 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The issue specifically occurs during the autoremoval process of hosts, where the 'Visible name' field is not properly sanitized, allowing for secondary-order SQL injection attacks (NVD Database, Zabbix Support).

If successfully exploited, this vulnerability could allow an attacker with administrator privileges to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access, modification, or deletion of database contents (Zabbix Support).

Organizations are advised to update to the fixed versions: 6.0.34, 6.4.19, or 7.0.4. As a temporary workaround, administrators can disable any Autoregistration actions that remove hosts. The vulnerability has been fixed in the latest releases of affected versions (Zabbix Support, Debian Security).