Zimbra Addresses Zero-Day Vulnerability Exploited in XSS Attacks

July 27, 2023

Zimbra has rolled out security patches to address a zero-day vulnerability that was being exploited in attacks aimed at Zimbra Collaboration Suite (ZCS) email servers. The vulnerability, now identified as CVE-2023-38750, is a reflected Cross-Site Scripting (XSS) which was found by Clément Lecigne from the Google Threat Analysis Group. XSS attacks are a significant threat as they allow malicious actors to steal sensitive data or run harmful code on susceptible systems.

When Zimbra first announced the vulnerability and advised administrators to apply the fix manually, it did not reveal that the zero-day was already being exploited; Maddie Stone from Google TAG later disclosed that the flaw was discovered while being exploited in a targeted attack.

Two weeks after the initial advisory was published, Zimbra released ZCS 10.0.2, a version that also addresses the CVE-2023-38750 bug, which could expose internal JSP and XML files. A separate reflected XSS bug in Zimbra had been exploited since February 2023 by the Winter Vivern Russian hacking group to infiltrate the webmail portals of NATO-aligned governments and steal the emails of government officials, military personnel, and diplomats.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned U.S. federal agencies to secure their systems against attacks exploiting CVE-2023-38750. The agency has added the vulnerability to its Known Exploited Vulnerabilities catalog, which requires Federal Civilian Executive Branch (FCEB) agencies to patch vulnerable ZCS email servers on their networks under the binding operational directive BOD 22-01 issued in November 2021. CISA has set a deadline of August 17th for compliance, instructing agencies to mitigate the flaw on all unpatched devices by then.

While the catalog is primarily for U.S. federal agencies, private companies are also strongly recommended to prioritize and implement patches for all vulnerabilities listed in CISA's catalog of exploited bugs. CISA warned today, 'These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.'

This Tuesday, CISA also instructed U.S. federal agencies to address an auth bypass bug in Ivanti's Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, which was utilized as a zero-day to hack a software platform used by 12 Norwegian ministries.
