A user with access to Zabbix Agent 2 can inject an Oracle TNS connection string through the 'service' parameter, causing the agent to connect to an attacker‑controlled server and potentially leak Oracle database credentials that are stored in a named session. The vulnerability, classified as CWE‑522 (improper restriction of credentials use), can lead to credential disclosure and a compromise of the underlying database. The CVSS score of 5.1 reflects moderate severity, but the impact could be serious if credentials are exposed.

The flaw affects Zabbix Agent 2 installations that use the Oracle monitoring plugin. The vendor did not publish specific affected component versions, so any Agent 2 build prior to the patch that accepts the vulnerable 'service' parameter is susceptible. Named Oracle sessions configured in the agent's configuration files are the typical vectors for credential storage.

The vulnerability is not listed in the CISA KEV catalog and its EPSS score is unavailable, indicating that known exploitation activity is not documented. Attackers would need the ability to instruct Agent 2 to use a malicious service string, which generally requires permission to modify agent configuration or to submit monitoring data. Therefore, the risk is largely confined to environments where the attacker holds configuration or monitoring privileges for the agent. If such privileges exist, the attacker could redirect the agent to a malicious server and exfiltrate stored credentials.