Zabbix · Zabbix · CVE-2024-22122
**Name of the Vulnerable Software and Affected Versions**
Zabbix versions 5.0.0 through 7.0.0rc2
**Description**
The issue is in the configuration of SMS notifications in Zabbix, where the `Number` field is not validated, which leads to AT command injection. By providing a specially crafted phone number during an SMS test, a remote attacker may be able to execute additional AT commands on the modem.
**Recommendations**
For Zabbix versions 5.0.0 through 7.0.0rc2, update to the latest version to prevent remote attacks.
As a temporary workaround, consider restricting access to the SMS notification feature until a patch is available.
Avoid using the `Number` field in the SMS notification configuration until the issue is resolved.
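The kind of validation whose absence the description refers to, as an added example (not Zabbix's code and not its patch): the number is accepted only if it is an optional `+` followed by 1 to 15 digits, and the modem command is built only after that check passes. The function names, the 15-digit limit and the use of a text-mode `AT+CMGS` command are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#define SMS_NUMBER_MAX_DIGITS 15  /* assumed limit (E.164 maximum length) */

/* Hypothetical helper: returns 1 for an optional '+' followed by 1..15 ASCII digits. */
int sms_number_is_valid(const char *number)
{
    size_t digits = 0;
    if (number == NULL)
        return 0;
    if (*number == '+')
        number++;
    for (; *number != '\0'; number++)
    {
        /* Allow-list: CR, LF, Ctrl-Z, quotes, ';' and spaces are all refused. */
        if (*number < '0' || *number > '9')
            return 0;
        if (++digits > SMS_NUMBER_MAX_DIGITS)
            return 0;
    }
    return digits > 0;
}

/* Hypothetical helper: writes AT+CMGS="<number>"\r to out.
 * Returns 0 on success, -1 if the number is rejected or does not fit. */
int build_cmgs_command(const char *number, char *out, size_t out_len)
{
    int n;
    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';                     /* never leave a partial command behind */
    if (!sms_number_is_valid(number))
        return -1;
    n = snprintf(out, out_len, "AT+CMGS=\"%s\"\r", number);
    if (n < 0 || (size_t)n >= out_len)
    {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char cmd[64];
    const char *samples[] = { "+15550100", "15550100\r", "+1555\"0100" }; /* constructed */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("sample %zu -> %d\n", i, build_cmgs_command(samples[i], cmd, sizeof(cmd)));
    return 0;
}
```

Rejecting the value outright, rather than stripping unexpected characters, keeps a malformed `Number` from ever reaching the serial line.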