CISA: Threat actors exploiting multiple Zimbra flaws
Cybersecurity vendor Volexity found earlier this month that exploitation of one flaw, CVE-2022-27925, had compromised more than 1,000 Zimbra Collaboration Suite instances.
Multiple flaws in Zimbra Collaboration Suite are being exploited in the wild by threat actors, according to a Cybersecurity and Infrastructure Security Agency advisory released Tuesday.
Zimbra Collaboration Suite (ZCS) is an enterprise cloud collaboration and email platform originally released in 2005 and currently sold by Synacor. The joint advisory by CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) reported that five vulnerabilities tied to the platform are being actively exploited and "may be targeting unpatched ZCS instances in both government and private sector networks."
CVE-2022-27924 is a high-severity bug that enables a malicious actor to inject arbitrary memcache commands into a targeted instance of ZCS. The threat actor can use this access to obtain cleartext credentials for ZCS email accounts without any user interaction required.
CVE-2022-27925 is a high-severity directory traversal vulnerability that can lead to remote code execution and can be chained with CVE-2022-37042, an authentication bypass flaw. CVE-2022-24682 is a medium-severity cross-site scripting vulnerability. CVE-2022-30333 is a high-severity directory traversal vulnerability in the UnRAR compressed-file extractor, which Zimbra Collaboration Suite used until it was replaced by 7-Zip.
CVE-2022-27925 in particular was covered by threat detection and response vendor Volexity in an Aug. 10 blog post. Through a series of internet-wide scans, the vendor found more than 1,000 backdoored and compromised ZCS instances.
"These ZCS instances belong to a variety of global organizations, including government departments and ministries; military branches; worldwide businesses with billions of dollars of revenue; etc.," the blog post read. "At the other end of the scale, the affected organizations also included a significant number of small businesses unlikely to have dedicated IT staff to manage their mail servers, and perhaps less likely to be able to effectively detect and remediate an incident."
Volexity noted that the original description for the bug was that it was medium-severity and required authentication. When chained with CVE-2022-37042, however, authentication could be bypassed.
"Some organizations may prioritize patching based on the severity of security issues," the post read. "In this case, the vulnerability was listed as medium -- not high or critical -- which may have led some organizations to postpone patching."
The authentication bypass flaw was patched by Zimbra in late July, but the initial patch for CVE-2022-27925 had been out for months. At Black Hat 2022 earlier this month, Trend Micro's Zero Day Initiative announced it was changing vulnerability disclosure timelines for incomplete patches.
The flaws themselves aren't new; all five had been disclosed in some context earlier this year. All but one of the flaws, however, were added to CISA's Known Exploited Vulnerabilities Catalog this month (CVE-2022-24682 was added in February).
All of the vulnerabilities referenced in the advisory have received official mitigations and patches, and CISA recommends customers upgrade their ZCS instances to the latest versions.
Neither CISA nor Synacor had responded to TechTarget Security's request for comment at press time.
Alexander Culafi is a writer, journalist and podcaster based in Boston.