CVE-2025-49641: 
Zabbix Server vulnerability analysis and mitigation

A vulnerability in Zabbix (CVE-2025-49641) was discovered where a regular user without permission to access the Monitoring -> Problems view could still retrieve a list of active problems through the problem.view.refresh action. The vulnerability was disclosed on October 3, 2025, affecting multiple versions of Zabbix including 6.0.0-6.0.40, 7.0.0-7.0.17, 7.2.0-7.2.11, and 7.4.0-7.4.1 (Zabbix Support).

The vulnerability is classified as an Incorrect Authorization issue (CWE-863) with a CVSS v4.0 score of 5.1 (Medium). The CVSS vector string is CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N, indicating that the vulnerability requires adjacent network access, low attack complexity, and low privileges to exploit (NVD).

The vulnerability allows unauthorized access to problem monitoring data, potentially exposing sensitive system information to users who should not have access to it. While the confidentiality impact is rated as Low, this could still represent a security concern for organizations using Zabbix for monitoring (Zabbix Support).

The vulnerability has been fixed in Zabbix versions 6.0.41, 7.0.18, 7.2.12, and 7.4.2. Organizations are advised to update their Zabbix installations to these fixed versions. No specific workarounds have been provided for systems that cannot be immediately updated (Zabbix Support).

The vulnerability was responsibly disclosed by Y. Kahveci to Zabbix, who acknowledged the researcher's contribution in finding and reporting this security issue (Zabbix Support).