Zabbix Agent 2 smartctl plugin RCE via unsanitized smart.disk.get parameters (Zabbix 5.0)
CVE-2025-27234 Published on September 12, 2025
Zabbix Agent 2 smartctl plugin remote code execution vulnerability in Zabbix 5.0.
The Zabbix Agent 2 smartctl plugin does not properly sanitize the parameters of the smart.disk.get item key, so an attacker who can submit that key to the agent can inject unexpected arguments into the smartctl command the plugin executes. In Zabbix 5.0 this leads to remote code execution on the host running the agent. The agent only accepts passive checks from addresses listed in its Server= directive, so the set of hosts able to reach this code path is governed by that configuration and by who controls the Zabbix server or proxy.
Weakness Type
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2025-27234 has been classified as a Shell injection (OS command injection) weakness.
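To make the weakness concrete, the following is an added illustration written for this page; it is not Zabbix source code and does not reproduce the plugin's actual implementation. It contrasts a hypothetical argument builder that splits an item-key parameter on whitespace (so a parameter such as "/dev/sda --some-option" turns into extra smartctl arguments) with a hardened builder that validates the parameter as a device path and passes it as a single argv element after "--". The device-path pattern and the smartctl flags used (--json, -a) are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// buildArgsUnsafe is the vulnerable pattern (hypothetical, not Zabbix code):
// the caller-controlled parameter is split on whitespace, so every token
// becomes its own argv element and "-"-prefixed tokens are parsed by
// smartctl as options the plugin never intended to pass.
func buildArgsUnsafe(param string) []string {
	return append([]string{"--json", "-a"}, strings.Fields(param)...)
}

// devicePattern is an assumed allow-list for block device paths: it must
// start with /dev/, and each path component may contain only a restricted
// character set, which rules out whitespace, leading dashes and ".." hops.
var devicePattern = regexp.MustCompile(`^/dev/[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$`)

// buildArgsSafe is the hardened pattern: the parameter is validated against
// the allow-list and then passed as exactly one argv element after "--",
// which ends option parsing so it can never be read as a flag.
func buildArgsSafe(param string) ([]string, error) {
	if !devicePattern.MatchString(param) {
		return nil, errors.New("smart.disk.get: parameter is not a permitted device path")
	}
	return []string{"--json", "-a", "--", param}, nil
}

// injectedOptions reports which argv elements (beyond the fixed prefix)
// would be interpreted as options; used to show what the unsafe builder leaks.
func injectedOptions(args []string) []string {
	var found []string
	for _, a := range args[2:] { // skip the fixed "--json", "-a" prefix
		if strings.HasPrefix(a, "-") {
			found = append(found, a)
		}
	}
	return found
}

func main() {
	// Constructed sample inputs: a benign device and a crafted parameter.
	inputs := []string{"/dev/sda", "/dev/sda --some-injected-option"}

	for _, in := range inputs {
		unsafe := buildArgsUnsafe(in)
		// exec.Command is shown only to build the argv; nothing is run here.
		cmd := exec.Command("smartctl", unsafe...)
		fmt.Printf("unsafe argv: %q (options injected: %q)\n",
			cmd.Args, injectedOptions(unsafe))

		safe, err := buildArgsSafe(in)
		if err != nil {
			fmt.Printf("safe builder rejected %q: %v\n", in, err)
			continue
		}
		fmt.Printf("safe argv:   %q\n", append([]string{"smartctl"}, safe...))
	}
}
```

The important property is that the hardened version never lets the parameter expand into more than one argv element, and the "--" terminator makes even a value that slips through the pattern check unable to act as an option. Validating against an allow-list of device paths, rather than trying to strip dangerous characters, is the approach to prefer for any item key whose parameters end up on a command line.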
Products Associated with CVE-2025-27234
Affected Versions
Zabbix: versions 5.0.0 through 5.0.46 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.