April 1, 2023

An unpatched code execution vulnerability in the Zimbra Collaboration software is under active exploitation by attackers who are using it to backdoor servers.

The attacks began no later than September 7. A few days later, a Zimbra customer reported that a server running the company’s Amavis spam-filtering engine had processed an email containing a malicious attachment. Within seconds, the scanner copied a malicious Java file to the server and then executed it.

The attackers had installed a web shell, which they could then use to log into and take control of the server.


Zimbra has yet to release a patch fixing the vulnerability. Instead, the company published guidance advising customers to ensure that a file archiver known as pax is installed. Unless pax is installed, Amavis processes incoming attachments with cpio, an alternate archiver with known vulnerabilities that were never fixed.

The pax utility comes installed by default on Ubuntu distributions of Linux, but must be manually installed on most other distributions. The Zimbra vulnerability is tracked as CVE-2022-41352.

Researchers said CVE-2022-41352 is effectively identical to CVE-2022-30333, another Zimbra vulnerability that came under active exploit two months ago. Whereas CVE-2022-41352 exploits use files based on the cpio and tar compression formats, the older attacks leveraged tar files.

The only option to mitigate the vulnerability is to install pax and then restart Zimbra.
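
The check implied by that guidance, as an added example that is not from Zimbra or the original article: it reports whether a host has pax on a given search path or would fall back to cpio. The function names are hypothetical, and it assumes Amavis locates the archivers through a PATH-style directory list.

```shell
#!/bin/sh
# Added example (hypothetical function names). Assumption: Amavis locates
# pax/cpio through a PATH-style directory list; pass the PATH of the account
# that runs Amavis if it differs from your own.

# find_in_path NAME DIRLIST: print the first executable match, return 1 if none.
# Empty entries in DIRLIST are skipped.
find_in_path() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        if [ -n "$dir" ] && [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# archiver_status [DIRLIST]: print mitigated | exposed | no-archiver.
archiver_status() {
    dirs=${1:-$PATH}
    if find_in_path pax "$dirs" >/dev/null; then
        echo mitigated            # pax present, cpio is not used
    elif find_in_path cpio "$dirs" >/dev/null; then
        echo exposed              # pax missing, cpio is the fallback
    else
        echo no-archiver          # neither tool on the search path
    fi
}

# check_host [DIRLIST]: human-readable result; exit status 0 only if mitigated.
check_host() {
    dirs=${1:-$PATH}
    case $(archiver_status "$dirs") in
        mitigated) echo "OK: pax found at $(find_in_path pax "$dirs")"; return 0 ;;
        exposed)   echo "AT RISK: pax missing, cpio at $(find_in_path cpio "$dirs");" \
                        "install pax, then restart Zimbra"; return 1 ;;
        *)         echo "UNKNOWN: neither pax nor cpio found"; return 2 ;;
    esac
}
```

Source the file and call `check_host` on each mail server; the non-zero exit status lets a compliance job flag hosts that still lack pax.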
