Researchers Warn of Ongoing Mass Exploitation of Zimbra RCE Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two flaws to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation.
The two high-severity issues relate to weaknesses in Zimbra Collaboration, both of which could be chained to achieve unauthenticated remote code execution on affected email servers:
- CVE-2022-27925 (CVSS score: 7.2) - Remote code execution (RCE) through mboximport from an authenticated user (fixed in versions 8.8.15 Patch 31 and 9.0.0 Patch 24, released in March)
- CVE-2022-37042 - Authentication bypass in MailboxImportServlet (fixed in versions 8.8.15 Patch 33 and 9.0.0 Patch 26, released in August)
“If you are running a Zimbra version that is older than Zimbra 8.8.15 patch 33 or Zimbra 9.0.0 patch 26 you should update to the latest patch as soon as possible,” Zimbra warned earlier this week.
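The advisory above gives two different fix levels per release line, one for each CVE, so a defender triaging an inventory needs to know not just "is it patched" but which of the two flaws is still open and whether the chain to unauthenticated RCE is possible. The following added example (not Zimbra tooling, and not code from the article) encodes the fix levels stated in the text and assesses a version string. It assumes an input format of the form `<release>_P<patch>` such as `8.8.15_P31`; the release lines, patch numbers and CVE identifiers are the ones the article gives, and the format of the version string is an assumption.

```python
"""Patch-level triage for CVE-2022-27925 and CVE-2022-37042 in Zimbra Collaboration.

Added example, not Zimbra's own tooling. The fix levels below are the ones
stated in the advisory; the "<release>_P<patch>" input format is an assumption.
"""
import re

# First patch level that fixes each CVE, per release line (from the advisory).
FIXED_IN = {
    "CVE-2022-27925": {"8.8.15": 31, "9.0.0": 24},
    "CVE-2022-37042": {"8.8.15": 33, "9.0.0": 26},
}

# Assumed format: "8.8.15_P31"; a bare "8.8.15" means no patch applied (patch 0).
_VERSION_RE = re.compile(r"^(?P<release>\d+\.\d+\.\d+)(?:_P(?P<patch>\d+))?$")


def parse_version(text: str):
    """Split a version string into (release, patch_number)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zimbra version string: {text!r}")
    return m["release"], int(m["patch"] or 0)


def unpatched_cves(version: str):
    """Return the CVEs from FIXED_IN that the given version does not fix."""
    release, patch = parse_version(version)
    missing = []
    for cve, levels in FIXED_IN.items():
        if release not in levels:
            # Unknown release line: treat conservatively as unpatched.
            missing.append(cve)
        elif patch < levels[release]:
            missing.append(cve)
    return missing


def assess(version: str) -> str:
    """Summarise exposure, following the chain described in the article."""
    missing = unpatched_cves(version)
    if "CVE-2022-27925" in missing and "CVE-2022-37042" in missing:
        # Authentication bypass plus mboximport RCE: unauthenticated RCE chain.
        return "critical: unauthenticated RCE chain possible, update immediately"
    if "CVE-2022-37042" in missing:
        return "high: authentication bypass (CVE-2022-37042) still unpatched"
    if missing:
        return "high: " + ", ".join(missing) + " unpatched"
    return "ok: at or above 8.8.15 Patch 33 / 9.0.0 Patch 26 fix levels"


if __name__ == "__main__":
    # Constructed sample inventory lines.
    for v in ["8.8.15_P30", "9.0.0_P24", "9.0.0_P26", "8.8.15"]:
        print(f"{v:12} -> {assess(v)}")
```

Run it against whatever inventory source you keep; anything that does not reach the Patch 33 / Patch 26 levels named in the advisory is reported as exposed, with the unauthenticated chain flagged separately from a version that only lacks the later fix.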
CISA has not shared any information on the attacks exploiting the flaws but cybersecurity firm Volexity described mass in-the-wild exploitation of Zimbra instances by an unknown threat actor.
In a nutshell, the attacks involve taking advantage of the aforementioned authentication bypass flaw to gain remote code execution on the underlying server by uploading arbitrary files.
Volexity said “it was possible to bypass authentication when accessing the same endpoint (mboximport) used by CVE-2022-27925,” and that the flaw “could be exploited without valid administrative credentials, thus making the vulnerability significantly more critical in severity.”
It also singled out over 1,000 instances globally that were backdoored and compromised using this attack vector, some of which belong to government departments and ministries; military branches; and companies with billions of dollars of revenue.
The attacks, which transpired as recently as the end of June 2022, also involved the deployment of web shells to maintain long-term access to the infected servers. Top countries with the most compromised instances include the U.S., Italy, Germany, France, India, Russia, Indonesia, Switzerland, Spain, and Poland.
“CVE-2022-27925 was originally listed as an RCE exploit requiring authentication,” Volexity said. “When combined with a separate bug, however, it became an unauthenticated RCE exploit that made remote exploitation trivial.”
The disclosure comes a week after CISA added another Zimbra-related bug, CVE-2022-27924, to the catalog, which, if exploited, could allow attackers to steal cleartext credentials from users of the targeted instances.
Related news
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that it has observed threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to conduct reconnaissance of target networks. It said the module is being used to enumerate other non-internet-facing devices on the network. The agency, however, did not disclose who
An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.
A new intelligence gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems. That's according to Finnish cybersecurity company WithSecure (formerly F-Secure), which codenamed the incident No Pineapple. Targets of the malicious operation included a healthcare research organization
Attackers are targeting Zimbra systems in the public and private sectors, looking to exploit multiple vulnerabilities, CISA says.
This Metasploit module POSTs a ZIP file containing path traversal characters to the administrator interface for Zimbra Collaboration Suite. If successful, it plants a JSP-based backdoor within the web directory, then executes it. The core vulnerability is a path traversal issue in Zimbra Collaboration Suite's ZIP implementation that can result in the extraction of an arbitrary file to an arbitrary location on the host. This issue is exploitable on Zimbra Collaboration Suite Network Edition versions 9.0.0 Patch 23 and below as well as Zimbra Collaboration Suite Network Edition versions 8.8.15 Patch 30 and below.
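The module description above and the article's account of the mboximport flaw both come down to one defect: ZIP entry names were trusted, so an entry containing path traversal characters was written outside the intended directory. The following added example (not Zimbra's code and not part of the Metasploit module) shows the checks an extractor needs before writing each entry. It builds a small archive in memory with one benign entry and three malformed entry names, extracts into a temporary directory, and reports which entries were accepted and which were refused; the archive contents and entry names are constructed for the example.

```python
"""Hardened ZIP extraction that refuses path-traversal entries.

Added example, not Zimbra's code. It demonstrates the containment check an
archive importer needs so that an entry name cannot place a file outside the
destination directory. The sample archive below is constructed in memory.
"""
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


def is_safe_member(name: str) -> bool:
    """Reject empty, absolute, drive-prefixed, backslash or '..' entry names."""
    if not name or name.startswith(("/", "\\")):
        return False
    if "\\" in name:
        # Backslashes are never needed in a well-formed ZIP entry name.
        return False
    p = PurePosixPath(name)
    parts = p.parts
    if not parts or p.is_absolute() or ".." in parts or ":" in parts[0]:
        return False
    return True


def safe_extract(zip_bytes: bytes, dest: str) -> dict:
    """Extract only entries that resolve inside dest; report accepted/rejected."""
    dest_root = Path(dest).resolve()
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not is_safe_member(name):
                rejected.append(name)
                continue
            target = (dest_root / name).resolve()
            # Second, filesystem-level containment check after resolution,
            # so a symlinked subdirectory cannot redirect the write either.
            if target != dest_root and dest_root not in target.parents:
                rejected.append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            accepted.append(name)
    return {"accepted": accepted, "rejected": rejected}


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry and three entries that must be refused."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mailbox/inbox.eml", "Subject: hello\n")
        zf.writestr("../../webapps/dropped.jsp", "not extracted")   # traversal
        zf.writestr("/etc/passwd", "not extracted")                  # absolute path
        zf.writestr("docs\\..\\..\\x.txt", "not extracted")          # backslash traversal
    return buf.getvalue()


def demo() -> dict:
    """Run safe_extract on the sample archive inside a fresh temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_archive(), tmp)


if __name__ == "__main__":
    result = demo()
    print("accepted:", result["accepted"])
    print("rejected:", result["rejected"])
```

Two checks are applied on purpose: the name-level check catches the obvious `..`, absolute and backslash forms before any path arithmetic, and the resolved-path check confirms that the final target actually sits under the destination, which is the property the vulnerable extractor failed to guarantee.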
Researchers found that a known RCE vulnerability in Zimbra Collaboration was chained with a new authentication vulnerability to drop backdoor web shells on thousands of servers (Malwarebytes Labs).
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a recently disclosed high-severity vulnerability in the Zimbra email suite to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. The issue in question is CVE-2022-27924 (CVSS score: 7.5), a command injection flaw in the platform that could lead to the execution of arbitrary
Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port).
Attackers could also potentially gain access to various internal services, researcher warns
A new high-severity vulnerability has been disclosed in the Zimbra email suite that, if successfully exploited, enables an unauthenticated attacker to steal cleartext passwords of users sans any user interaction. "With the consequent access to the victims' mailboxes, attackers can potentially escalate their access to targeted organizations and gain access to various internal services and steal