Bypass Record
DLL Side-Loading × Zabbix Agent for Windows
A publicly reported instance of DLL Side-Loading bypassing Zabbix Agent for Windows, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
Zabbix Agent on Windows links against OpenSSL, which reads openssl.cnf from a directory writable by standard users. An attacker modifies this file to include a dynamic_path directive pointing to a malicious DLL. On agent restart, OpenSSL loads the DLL, executing attacker code in the agent's privileged security context.
Detection & mitigation
Monitor for unexpected DLL loads by the Zabbix Agent process (zabbix_agentd.exe) from world-writable directories, especially OpenSSL-related DLLs loaded from non-standard paths. Mitigate by restricting write permissions on the OpenSSL configuration directory and applying the vendor patch to prevent loading of untrusted DLLs.
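A defender-side audit for the configuration described above, as an added example that is not part of the record or of Zabbix or OpenSSL code: it scans openssl.cnf text for dynamic_path directives and reports any that resolve outside an allow-list of directories. The allow-list paths, the sample file and all function names are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

# Assumption: placeholder list of admin-only directories; set per host.
TRUSTED_DIRS = [r"C:\Program Files\Zabbix Agent", r"C:\Windows\System32"]

# Constructed sample, not taken from a real host or from the record.
SAMPLE_CNF = r"""
# constructed openssl.cnf fragment
[ engine_a ]
dynamic_path = C:\Program Files\Zabbix Agent\engines\capi.dll
[ engine_b ]
dynamic_path = C:\Users\Public\ssl\helper.dll   # user-writable location
[ engine_c ]
dynamic_path = C:\Program Files\Zabbix Agent\..\..\Temp\x.dll
"""

def _norm(path):
    # Normalise case, slashes and ".." so traversal cannot hide the target.
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))

def is_trusted(path, trusted_dirs=TRUSTED_DIRS):
    p = _norm(path)
    if not ntpath.isabs(p):
        return False  # relative paths depend on the process working directory
    return any(p.startswith(_norm(d) + "\\") for d in trusted_dirs)

def find_dynamic_paths(cnf_text):
    """Return (line_no, section, value) for every dynamic_path directive."""
    findings, section = [], "default"
    for no, raw in enumerate(cnf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "dynamic_path":
            findings.append((no, section, value.strip()))
    return findings

def audit(cnf_text, trusted_dirs=TRUSTED_DIRS):
    """Directives whose DLL path falls outside every trusted directory."""
    return [f for f in find_dynamic_paths(cnf_text)
            if not is_trusted(f[2], trusted_dirs)]

if __name__ == "__main__":
    for no, section, value in audit(SAMPLE_CNF):
        print(f"line {no} [{section}]: untrusted dynamic_path {value}")
```

A path passing this check only means it sits under an allow-listed directory; the write permissions on that directory and on the configuration file itself still need to be verified separately.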
This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.