PatchSiren cyber security CVE debrief

CVE-2016-10134 Zabbix CVE debrief

CVE-2016-10134 is a critical SQL injection vulnerability in Zabbix. According to NVD, the flaw affects Zabbix before 2.2.14 and 3.0 before 3.0.4, and can let a remote attacker execute arbitrary SQL commands through the toggle_ids array parameter in latest.php. The CVSS vector is network-based, requires no privileges or user interaction, and is rated 9.8 (Critical).

Vendor: Zabbix
Product: CVE-2016-10134
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Zabbix administrators, security teams, and operators running affected 2.2.x or 3.0.x releases should treat this as high priority, especially if the web interface is reachable from untrusted networks. Asset owners using Zabbix for monitoring or operational visibility should verify their deployed version and update status.

Technical summary

NVD classifies the weakness as CWE-89 (SQL Injection). The vulnerable attack surface is latest.php, where the toggle_ids array parameter can be abused to inject SQL. NVD’s affected-version data lists Zabbix versions up to 2.2.13 and 3.0.0 through 3.0.3 as vulnerable. The issue is remotely reachable (AV:N), low-complexity (AC:L), and does not require authentication or user interaction (PR:N/UI:N), aligning with the CVSS 3.0 base score of 9.8.

Defensive priority

Immediate. This is a remotely exploitable SQL injection with full confidentiality, integrity, and availability impact in affected versions, so remediation should be prioritized ahead of routine maintenance.

Recommended defensive actions

Upgrade Zabbix to a fixed release: at minimum 2.2.14 for the 2.2 line or 3.0.4 for the 3.0 line.
If immediate upgrade is not possible, reduce exposure of the Zabbix web interface to trusted administrative networks only until remediation is complete.
Review the vendor advisory/reference linked as ZBX-11023 and any applicable distribution advisories for your platform to confirm the correct fixed package/version.
Inventory all Zabbix deployments to ensure no affected 2.2.x or 3.0.x instances remain in service.
After updating, validate that the web frontend is running the patched version and confirm no unauthorized database changes occurred during the exposure window.

Evidence notes

Primary evidence comes from the NVD CVE entry, which provides the vulnerability description, CVSS vector, CWE-89 classification, and affected version ranges. The source corpus also includes a Zabbix vendor/support reference (ZBX-11023) tagged as exploit/patch/vendor advisory, plus Debian and OSS-security references that corroborate public disclosure and remediation context. No exploit details beyond the published description are included here.

Official resources

CVE-2016-10134 CVE record
CVE.org
CVE-2016-10134 NVD detail
NVD
Source item URL
nvd_modified
Source reference
[email protected]
Mitigation or vendor reference
[email protected] - Mailing List, Third Party Advisory
Mitigation or vendor reference
[email protected] - Mailing List, Third Party Advisory
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
Mitigation or vendor reference
[email protected] - Third Party Advisory
Source reference
[email protected]
Mitigation or vendor reference
[email protected] - Exploit, Patch, Vendor Advisory

Publicly disclosed on 2017-02-17 per the supplied CVE published date. The supplied timeline also shows a later NVD modification on 2026-05-13; that is metadata update timing, not the original disclosure date.