CVE-2024-22122 LOW

CVE-2024-22122: AT(GSM) Command Injection

Vendor Zabbix
Product Zabbix
Weakness CWE-77
Published August 9, 2024
Last update November 3, 2025

CVSS base score

3.0/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N

What the vulnerability does

01Description

Zabbix allows to configure SMS notifications. AT command injection occurs on "Zabbix Server" because there is no validation of "Number" field on Web nor on Zabbix server side. Attacker can run test of SMS providing specially crafted phone number and execute additional AT commands on modem.

Key dates

02Disclosure timeline

August 9, 2024 CVE published
November 3, 2025 Record updated