A remote code execution flaw in Zimbra Collaboration Suite, tracked as CVE-2022-27925, is being exploited in combination with an authentication bypass to compromise ZCS email servers worldwide.
Zimbra is an email and collaboration platform used by more than 200,000 businesses from over 140 countries.
Yesterday, August 11, CISA added two Zimbra vulnerabilities, CVE-2022-27925 among them, to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CISA orders federal agencies to fix both issues by August 25, 2022.
The vendor has already released security updates to address both vulnerabilities.
Cybersecurity firm Volexity confirmed that the flaw is actively exploited in attacks in the wild.
In July and early August 2022, the company worked on multiple incidents in which organizations had their Zimbra Collaboration Suite (ZCS) email servers compromised. Volexity determined that the threat actors had exploited the CVE-2022-27925 remote code execution (RCE) vulnerability in these attacks.
The flaw was patched in March 2022. Given the time elapsed since the fixes were released, it is reasonable to assume that threat actors reverse-engineered the patches and developed exploit code from them.
“As each investigation progressed, Volexity found signs of remote exploitation but no evidence the attackers had the prerequisite authenticated administrative sessions needed to exploit it. Further, in most cases, Volexity believed it extremely unlikely the remote attackers would have been able to obtain administrative credentials on the victims’ ZCS email servers.” reads the advisory published by Volexity.
“As a result of the above findings, Volexity initiated more research into determining a means to exploit CVE-2022-27925, and if it was possible to do so without an authenticated administrative session. Subsequent testing by Volexity determined it was possible to bypass authentication when accessing the same endpoint (mboximport) used by CVE-2022-27925. This meant that CVE-2022-27925 could be exploited without valid administrative credentials, thus making the vulnerability significantly more critical in severity.” reads the post published by Volexity.
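Because the exploit chain goes through the mboximport endpoint, the first thing a ZCS administrator will want is a quick way to see whether that endpoint was hit from outside. The following is an added example, not code from the article or from Volexity: it scans Apache/nginx combined-format access log lines for POSTs to the endpoint and separates successful requests from unknown sources from routine use by known admin hosts. The servlet path, the log format and the sample log lines are assumptions for the sake of the example and must be confirmed against your own deployment; the endpoint is also used legitimately for mailbox import/restore, so the output is a triage lead, not a verdict.

```python
import re

# Assumed path of the Zimbra "mboximport" servlet named in the Volexity write-up;
# verify it against your own ZCS version before relying on this check.
MBOXIMPORT_PATH = "/service/extension/backup/mboximport"

# Assumed: hosts from which administrators legitimately run mailbox imports.
KNOWN_ADMIN_SOURCES = {"10.0.0.5"}

# Constructed sample lines in Apache/nginx "combined" log format (not real data).
SAMPLE_LOG = """\
203.0.113.10 - - [03/Aug/2022:04:12:51 +0000] "POST /service/extension/backup/mboximport?account-name=x HTTP/1.1" 401 412 "-" "python-requests/2.28.1"
198.51.100.7 - - [03/Aug/2022:09:30:02 +0000] "GET / HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Aug/2022:04:12:53 +0000] "POST /service/extension/backup/mboximport?account-name=x HTTP/1.1" 200 12 "-" "python-requests/2.28.1"
10.0.0.5 - - [03/Aug/2022:11:05:40 +0000] "POST /service/extension/backup/mboximport?account-name=y HTTP/1.1" 200 12 "-" "curl/7.81.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Strip the query string so the path comparison is exact.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_mboximport_hits(log_text):
    """All POST requests to the mboximport endpoint, regardless of outcome."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].lower() == MBOXIMPORT_PATH:
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Per source IP: how many requests hit the endpoint and how many got a 2xx."""
    by_ip = {}
    for h in hits:
        s = by_ip.setdefault(h["ip"], {"requests": 0, "succeeded": 0})
        s["requests"] += 1
        if 200 <= h["status"] < 300:
            s["succeeded"] += 1
    return by_ip


def suspicious_sources(hits, known_admin_sources):
    """Sources outside the admin allowlist that got at least one 2xx from the endpoint.

    A 2xx means the server accepted the upload; a 401/403 alone is a probe, not a compromise.
    """
    summary = summarize_by_source(hits)
    return sorted(
        ip for ip, s in summary.items()
        if s["succeeded"] > 0 and ip not in known_admin_sources
    )


if __name__ == "__main__":
    hits = find_mboximport_hits(SAMPLE_LOG)
    for ip, s in summarize_by_source(hits).items():
        print(f"{ip}: {s['requests']} request(s), {s['succeeded']} succeeded")
    print("investigate:", suspicious_sources(hits, KNOWN_ADMIN_SOURCES))
```

Run it against the real access log (on ZCS the nginx proxy and the mailboxd logs both record the request) and feed every IP it reports into a host review: look at what was written under the webapp directories around the timestamps of the successful requests, since an accepted import is how the attackers get a webshell on disk.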
Volexity researchers then scanned the Internet for compromised Zimbra instances belonging to organizations that are not Volexity customers. The security firm identified over 1,000 ZCS instances around the world that had been backdoored and compromised. The compromised ZCS installs belong to a variety of organizations, including government departments and ministries, military branches, multinational billion-dollar companies, and a significant number of small businesses.
The countries with the most compromised instances include the U.S., Italy, Germany, France, India, Russia, Indonesia, Switzerland, Spain, and Poland.
“CVE-2022-27925 was originally listed as an RCE exploit requiring authentication. When combined with a separate bug, however, it became an unauthenticated RCE exploit that made remote exploitation trivial. Some organizations may prioritize patching based on the severity of security issues. In this case, the vulnerability was listed as medium—not high or critical—which may have led some organizations to postpone patching.” concludes the post.
In mid-June, researchers from SonarSource disclosed a separate high-severity vulnerability impacting the Zimbra email suite, tracked as CVE-2022-27924 (CVSS score: 7.5). It can be exploited by an unauthenticated attacker to steal users' login credentials without any user interaction.
(SecurityAffairs – hacking, RCE)