Zero-Day Vulnerability Exploited to Hack Over 1,000 Zimbra Mail Servers


A new zero-day vulnerability affecting Zimbra has been exploited to hack more than 1,000 corporate email servers, according to incident response firm Volexity.

In July and early August, Volexity was called in to investigate several Zimbra Collaboration Suite breaches. The company’s analysis showed that the attackers most likely exploited CVE-2022-27925, a remote code execution vulnerability in Zimbra that the vendor patched in March 2022.

The problem was that exploiting CVE-2022-27925 requires administrator credentials, which makes mass exploitation less likely. Additionally, there was no evidence that the attackers had successfully obtained the required credentials.

Further analysis showed that it was possible to bypass authentication when accessing the same endpoint used by CVE-2022-27925. The findings were reported to Zimbra, which patched the authentication bypass vulnerability in late July with the release of versions 9.0.0P26 and 8.8.15P33.

Volexity believes CVE-2022-27925 has been exploited in combination with the zero-day flaw, tracked as CVE-2022-37042, since at least late June 2022. It was first targeted by threat actors focused on cyber espionage and later by others in mass exploitation attempts.

In many cases, attackers have deployed webshells in an attempt to gain persistent access to Zimbra mail servers.

The cybersecurity company used its knowledge of these webshells to perform internet scans and identify compromised Zimbra instances. More than 1,000 victims have been seen worldwide, with the highest concentration in the United States and Western Europe. They include global companies with billions of dollars in revenue, as well as government and military organizations.

“At the other end of the scale, the affected organizations also included a significant number of small businesses that were unlikely to have IT staff dedicated to managing their email servers, and perhaps less likely to be able to effectively detect and remediate an incident,” Volexity said.

The company noted that the true number of victims is likely higher than the more than 1,000 it directly observed.

Zimbra appears to have only informed customers about the exploitation of CVE-2022-37042 and CVE-2022-27925 on August 10. Although CVE-2022-27925 has been patched since March, it was initially only classified as “medium severity” because it required authentication, which may have led some organizations to postpone installing the patch. Organizations that had not installed the patch for CVE-2022-27925 by the end of May should consider their email servers compromised, Volexity said.
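The two facts a responder needs from this article are the fixed builds (9.0.0 Patch 26 and 8.8.15 Patch 33) and Volexity's triage rule (no CVE-2022-27925 patch by the end of May means assume compromise). The following is an added example, not code from the article or from Zimbra, that turns both into a check over `zmcontrol -v` output. The output layout it parses (`Release X.Y.Z... , Patch X.Y.Z_PNN.`) and the sample strings are assumptions constructed for the example.

```python
import re
from datetime import date
from typing import Optional, Tuple

# Earliest builds that carry the fix for the CVE-2022-37042 authentication
# bypass, as stated in the article: 9.0.0 Patch 26 and 8.8.15 Patch 33.
FIXED_PATCH_LEVEL = {"9.0.0": 26, "8.8.15": 33}

# Volexity's triage cut-off from the article: if the CVE-2022-27925 patch was
# not in place by the end of May 2022, treat the server as compromised.
PATCH_DEADLINE = date(2022, 5, 31)

# Assumed `zmcontrol -v` layout (an assumption of this example, not from the page), e.g.
#   "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P31."
_RELEASE_RE = re.compile(r"Release\s+(\d+\.\d+\.\d+)")
_PATCH_RE = re.compile(r"Patch\s+\d+\.\d+\.\d+_P(\d+)")

# Constructed sample outputs for two hypothetical servers.
SAMPLE_OLD = "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P31."
SAMPLE_NEW = "Release 9.0.0.GA.4306.UBUNTU18.64 UBUNTU18_64 NETWORK edition, Patch 9.0.0_P26."


def parse_zmcontrol_version(output: str) -> Tuple[str, int]:
    """Return (release line, patch level) from zmcontrol -v text.

    A release with no "Patch ..._PNN" suffix is treated as patch level 0.
    """
    m = _RELEASE_RE.search(output)
    if not m:
        raise ValueError("no Zimbra release string found in output")
    p = _PATCH_RE.search(output)
    return m.group(1), int(p.group(1)) if p else 0


def is_patched_against_cve_2022_37042(release: str, patch_level: int) -> bool:
    """True only if the build is at or beyond the fixed builds named in the article.

    Release lines not in FIXED_PATCH_LEVEL (e.g. 8.8.12) get no fix on that list,
    so they are reported as unpatched regardless of patch level.
    """
    needed = FIXED_PATCH_LEVEL.get(release)
    return needed is not None and patch_level >= needed


def triage(zmcontrol_output: str, cve_27925_patched_on: Optional[str]) -> str:
    """Classify a server from its version string and the ISO date the
    CVE-2022-27925 patch was applied (None if it never was)."""
    release, patch = parse_zmcontrol_version(zmcontrol_output)
    if not is_patched_against_cve_2022_37042(release, patch):
        return "unpatched: assume compromised, patch and hunt for webshells"
    if cve_27925_patched_on is None or date.fromisoformat(cve_27925_patched_on) > PATCH_DEADLINE:
        # Exploitation ran from late June; a patch after the deadline leaves a window.
        return "patched late: assume compromised, investigate for persistence"
    return "patched in time: still review for webshells"


if __name__ == "__main__":
    for sample, patched_on in ((SAMPLE_OLD, None), (SAMPLE_NEW, "2022-05-20"), (SAMPLE_NEW, "2022-08-01")):
        print(parse_zmcontrol_version(sample), "->", triage(sample, patched_on))
```

The check deliberately refuses to call an unknown release line "patched": a server on an older 8.8.x line never received these patch levels, and silently passing it would be the worse failure mode. The deadline comparison encodes Volexity's guidance as stated; it is a triage heuristic, not proof of compromise either way.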

The United States Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-37042 and CVE-2022-27925 to its Known Exploited Vulnerabilities Catalog on Thursday and instructed federal agencies to install patches by September 1.

At least five vulnerabilities discovered this year have been used in attacks targeting Zimbra servers, which appear to be increasingly targeted by threat actors.

CISA warned organizations in early August that a recently patched vulnerability allowing an unauthenticated attacker to steal plain-text credentials from a targeted Zimbra instance without any user interaction has been exploited in attacks.

Days later, the agency said a flaw in the UnRAR archive extraction tool had been exploited in the wild, and while multiple products may be affected, the attacks likely targeted Zimbra servers, which used UnRAR to check archive files attached to emails for spam and malware.

Related: Vulnerabilities allow hacking of Zimbra webmail servers with a single email

Related: Volexity Warns of ‘Active Exploitation’ of Zimbra Zero-Day

Related: Three Zero-Day Flaws in SonicWall Email Security Product Exploited in Attacks


Eduard Kovacs (@EduardKovacs) is a SecurityWeek Contributing Editor. He worked as a high school computer science teacher for two years before starting a career in journalism as a security reporter for Softpedia. Eduard holds a bachelor’s degree in industrial computing and a master’s degree in computer techniques applied to electrical engineering.
