On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two critical vulnerabilities to its Known Exploited Vulnerabilities Catalog, both affecting Zimbra Collaboration software. Both flaws show evidence of active exploitation and pose a significant risk to affected email servers.
Together, the two flaws allow unauthenticated remote code execution. The first, CVE-2022-27925 (CVSS score: 7.2), lets an authenticated user execute arbitrary code through the mboximport feature; it was fixed in patches released in March, for versions 8.8.15 Patch 31 and 9.0.0 Patch 24. The second, CVE-2022-37042, is an authentication bypass in the MailboxImportServlet, fixed in versions 8.8.15 Patch 33 and 9.0.0 Patch 26, released in August.
Zimbra has urged organizations running versions earlier than 8.8.15 Patch 33 or 9.0.0 Patch 26 to upgrade to the latest patches. While CISA has not disclosed details of the ongoing attacks, cybersecurity firm Volexity reported mass exploitation of Zimbra by unidentified actors, who leverage the authentication bypass to upload arbitrary files and thereby achieve remote code execution on affected servers.
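The patch levels above make a simple triage check possible: given a Zimbra build string, decide whether each CVE is fixed. The following is an added example written for this article, not code from Zimbra, CISA or Volexity; the fixed patch numbers are taken from the text, while the accepted version-string formats ("8.8.15_P33", "9.0.0 Patch 26") are an assumption.

```python
"""Triage helper: is a Zimbra Collaboration build patched against the two
CVEs CISA added to its KEV catalog?

Fixed patch levels, as stated in the advisory coverage:
  CVE-2022-27925: 8.8.15 Patch 31 / 9.0.0 Patch 24
  CVE-2022-37042: 8.8.15 Patch 33 / 9.0.0 Patch 26
The version-string formats accepted below are assumed for illustration.
"""
import re
from typing import Dict, Optional, Tuple

# Minimum patch number on each supported branch that contains the fix.
FIXED_PATCH: Dict[str, Dict[str, int]] = {
    "CVE-2022-27925": {"8.8.15": 31, "9.0.0": 24},
    "CVE-2022-37042": {"8.8.15": 33, "9.0.0": 26},
}

# Assumed formats: "8.8.15_P33", "9.0.0 Patch 26", "8.8.15.P31" (case-insensitive).
VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)[ _.]?(?:P|Patch ?)(\d+)$", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[str, int]]:
    """Return (base_version, patch_number), or None if the string is unrecognised."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return m.group(1), int(m.group(2))


def assess(version_text: str) -> Dict[str, str]:
    """Map each CVE to 'patched', 'vulnerable' or 'unknown' for the given build."""
    parsed = parse_version(version_text)
    result: Dict[str, str] = {}
    for cve, fixes in FIXED_PATCH.items():
        if parsed is None or parsed[0] not in fixes:
            # Unparsable string or a branch outside 8.8.15/9.0.0: flag for manual review.
            result[cve] = "unknown"
        else:
            base, patch = parsed
            result[cve] = "patched" if patch >= fixes[base] else "vulnerable"
    return result


if __name__ == "__main__":
    # Constructed sample inputs.
    for build in ["8.8.15_P31", "9.0.0 Patch 26", "8.8.15_P33", "8.7.11"]:
        print(build, assess(build))
```

A build at 8.8.15 Patch 31 reports as patched for CVE-2022-27925 but still vulnerable to the CVE-2022-37042 bypass, which is the combination Volexity observed being exploited.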
Volexity's analysis showed that authentication could be bypassed at the same endpoint (mboximport) associated with CVE-2022-27925. Because no credentials are required, the severity of the vulnerability is considerably higher. More than 1,000 instances worldwide have been compromised through these attacks, including those belonging to government entities and corporations with substantial revenues.
As recently as June 2022, the attacks have included deploying web shells to maintain persistent access to compromised systems. Affected countries include the U.S., Italy, Germany, France, India, Russia, Indonesia, Switzerland, Spain, and Poland. Volexity noted that although CVE-2022-27925 was previously classified as requiring authentication for remote code execution, when combined with the authentication bypass it becomes a considerably easier target for exploitation.
Weeks earlier, CISA had flagged another Zimbra vulnerability, CVE-2022-27924, which, if exploited successfully, could allow attackers to extract cleartext credentials from users of affected systems.