Zimbra Calls for Manual Patching of Actively Exploited Zero-Day Vulnerability

July 13, 2023

Zimbra, the company behind Zimbra Collaboration Suite (ZCS), is asking its customers to manually update their systems due to an actively exploited zero-day vulnerability. ZCS is an open-source platform that provides a range of collaboration tools, including email, calendaring, and file sharing. The vulnerability could potentially impact the confidentiality and integrity of user data.

Zimbra has already developed a fix and tested it for stability and effectiveness. The company plans to include the fix in the July patch release. The vulnerability is a Cross-Site Scripting (XSS) issue, discovered by Clément Lecigne of Google's Threat Analysis Group (TAG).

Google TAG is a group dedicated to identifying and countering advanced and persistent threats. They primarily focus on investigating and mitigating sophisticated cyber threats, including state-sponsored hacking and coordinated attacks by hacking groups. In the past, vulnerabilities reported by Google TAG were often exploited by Advanced Persistent Threat (APT) groups in targeted attacks.

Maddie Stone, a renowned security researcher from Google TAG, confirmed that this particular vulnerability was exploited by an APT group. She thanked Zimbra for publishing the advisory and mitigation advice and urged all Zimbra Collaboration Suite users to manually apply the fix.

While Zimbra plans to deliver the fix in the July patch release, the company is currently advising administrators to manually apply the fix to all mailbox nodes. The company has shared a step-by-step procedure in the advisory for this purpose.

In a previous incident in October, Rapid7 researchers warned about the exploitation of another unpatched zero-day vulnerability, CVE-2022-41352, in the Zimbra Collaboration Suite. Rapid7 published technical details, proof-of-concept (PoC) code, and indicators of compromise (IoCs) regarding CVE-2022-41352 on AttackerKB.

According to Zimbra users, this vulnerability has been actively exploited since early September 2020. The threat actors exploited the issue to upload JSP files into the web client's /public directory simply by sending an email with a malicious attachment.

In August 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that threat actors were exploiting a Zimbra flaw, CVE-2022-27925, to hack Zimbra Collaboration Suite email servers worldwide.
