Zimbra Auth Security Flaw

There is an authentication bypass security vulnerability in Zimbra which is actively exploited by cybercriminals in order to compromise ZCS email servers around the world.

A wide range of businesses, including government and financial organizations, use Zimbra as an email and collaboration platform.

More than 200,000 businesses are using Zimbra’s email and collaboration platform today across 140 countries. Among them, there are more than 1,000 organizations in the financial and government sectors.

Flaw Profile

It has been reported by threat intelligence firm Volexity that attackers have been exploiting the CVE-2022-27925 vulnerability in ZCS, and it’s a remote code execution vulnerability (RCE).

Attackers can gain persistent access to the compromised servers after successful exploitation of this vulnerability by deploying web shells in specific locations.

  • CVE ID: CVE-2022-27925
  • Description: Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.
  • Base Score: 7.2
  • Severity: HIGH
  • NVD Published Date: 04/20/2022
  • NVD Last Modified: 05/03/2022

In a recent advisory published by Zimbra, no mention was made of the fact that these vulnerabilities were actively exploited in the wild. 

Apparently, the company’s employee posted on its forum that patches are abused in attacks and that they should be applied immediately.

If you are running an older version of Zimbra, that is older than Zimbra 8.8.15 patch 33 or Zimbra 9.0.0 patch 26, then immediately update to the latest version.

Compromised Over 1,000 Servers

When Volexity discovered evidence of hacked Zimbra email servers exposed to the Internet during multiple incident responses, it scanned for instances of hacked servers utilizing the CVE-2022-27925 RCE and CVE-2022-37042 authentication bypass flaw.

More than 1,000 ZCS instances were backdoored and compromised, as identified by the cybersecurity analysts at Volexity via these scans.

It is important to take into account the possibility that your ZCS instance may be compromised if vulnerable servers are not patched against CVE-2022-27925 before May 2022.

This scan is based primarily on shell paths known to Volexity, therefore if this is the only list of compromised servers, it is likely that there is a higher number of compromised servers than this listing.

At the time of its listing, CVE-2022-27925 was classified as an RCE exploit that required authentication to be executed. 

Combining this vulnerability with a separate bug would result in remote exploitation exploit that would be unauthenticated and make it easy for someone to exploit it remotely.

Sponsored: Your SWG Battle Plan: 3 Steps to Achieve Web Security
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.