Zimbra RCE Exploited in Wild
An authentication bypass affecting Zimbra Collaboration Suite, tracked as CVE-2022-27925, is actively exploited to hack ZCS email servers worldwide.
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation, and has ordered federal agencies to fix both issues by August 25, 2022.
- CVE-2022-27925 – Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability
- CVE-2022-37042 – Zimbra Collaboration (ZCS) Authentication Bypass Vulnerability
The vendor has already released security updates to address both vulnerabilities.
Over the past month, researchers have found that threat actors exploited the CVE-2022-27925 RCE vulnerability in these attacks.
The flaw was patched in March 2022; once the security fixes were released, it was reasonable to expect that threat actors would reverse engineer them and develop exploit code.
Researchers found signs of remote exploitation but no evidence that the attackers had the prerequisite authenticated administrative sessions needed to exploit it. The remote attackers would therefore have needed to obtain administrative credentials on the victims’ ZCS email servers.
In-depth research determined that it was possible to bypass authentication when accessing the same endpoint (mboximport) used by CVE-2022-27925. This meant that CVE-2022-27925 could be exploited without valid administrative credentials, making the vulnerability significantly more severe.
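Because the mboximport endpoint is an admin-only backup import, legitimate requests to it should be rare and should come from known admin hosts; one defensive check is to pull every POST to that endpoint out of the web access log and flag those from untrusted sources. The script below is an added example, not code from the article or from Volexity; it assumes the full endpoint URI and an nginx/Apache common log format, and its sample lines are constructed.

```python
import re
from dataclasses import dataclass

# Endpoint behind CVE-2022-27925 / CVE-2022-37042 (the "mboximport" endpoint
# named in the article). The full URI path is an assumption for this example.
MBOXIMPORT = "/service/extension/backup/mboximport"

# Common log format as written by nginx or Apache; assumed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

@dataclass(frozen=True)
class Hit:
    ip: str
    ts: str
    uri: str
    status: int

def mboximport_posts(lines):
    """Return every POST to the mboximport endpoint, ignoring unparseable lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["uri"].split("?", 1)[0] == MBOXIMPORT:
            hits.append(Hit(m["ip"], m["ts"], m["uri"], int(m["status"])))
    return hits

def suspicious_hits(lines, trusted_ips):
    """Backup imports should only come from known admin hosts; flag the rest."""
    return [h for h in mboximport_posts(lines) if h.ip not in trusted_ips]

# Constructed sample lines for this example (not real telemetry).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Aug/2022:09:12:01 +0000] "GET /service/soap HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Aug/2022:09:12:44 +0000] "POST /service/extension/backup/mboximport HTTP/1.1" 200 0',
    '10.0.0.5 - - [10/Aug/2022:09:13:10 +0000] "POST /service/extension/backup/mboximport HTTP/1.1" 200 0',
    'garbage line that does not parse',
    '203.0.113.7 - - [10/Aug/2022:09:14:02 +0000] "GET /zimbraAdmin/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for h in suspicious_hits(SAMPLE_LOG, trusted_ips={"10.0.0.5"}):
        print(f"suspicious mboximport POST from {h.ip} at {h.ts}: {h.uri} -> {h.status}")
```

Any hit from an untrusted address is a reason to inspect the server for a dropped webshell and to confirm the patched ZCS build is installed.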
Researchers scanned the Internet for compromised Zimbra instances and found over 1,000 ZCS instances around the world that were backdoored and compromised. The compromised ZCS installs belong to a variety of global organizations, including government departments and ministries, military branches, billion-dollar businesses worldwide, and a significant number of small businesses.
The countries with the most compromised instances include the U.S., Italy, Germany, France, India, Russia, Indonesia, Switzerland, Spain, and Poland.
This research was documented by researchers from the security firm Volexity.