Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?



Zero-Day Vulnerability Exploited to Hack Over 1,000 Zimbra Email Servers

A new zero-day vulnerability affecting Zimbra has been exploited to hack more than 1,000 enterprise email servers, according to incident response firm Volexity.

A new zero-day vulnerability affecting Zimbra has been exploited to hack more than 1,000 enterprise email servers, according to incident response firm Volexity.

In July and early August, Volexity was called in to investigate several Zimbra Collaboration Suite breaches. The company’s analysis showed that the attackers had most likely exploited CVE-2022-27925, a remote code execution vulnerability in Zimbra that the vendor patched in March 2022.

The problem was that exploitation of CVE-2022-27925 requires admin credentials, which makes mass exploitation less likely. In addition, there was no indication that the attackers had managed to obtain the required credentials.

Further analysis showed that it was possible to bypass authentication when accessing the same endpoint used by CVE-2022-27925. The findings were reported to Zimbra, which patched the authentication bypass vulnerability at the end of July with the release of versions 9.0.0P26 and 8.8.15P33.

Volexity believes CVE-2022-27925 has been exploited in combination with the zero-day flaw, tracked as CVE-2022-37042, since at least the end of June 2022. It was initially targeted by threat actors focusing on cyberespionage and later by others for mass exploitation attempts.

In many cases, the attackers deployed webshells in an effort to gain persistent access to Zimbra email servers.

The cybersecurity firm used its knowledge of these webshells to conduct internet scans and identify compromised Zimbra instances. More than 1,000 victims have been seen worldwide, but the highest percentage is in the United States and Western Europe. They include global businesses with billions of dollars in revenue, as well as government and military organizations.

“At the other end of the scale, the affected organizations also included a significant number of small businesses unlikely to have dedicated IT staff to manage their mail servers, and perhaps less likely to be able to effectively detect and remediate an incident,” Volexity said.

The company noted that the actual number of victims is likely higher than 1,000.

Zimbra servers hacked with CVE-2022-37042

Zimbra appears to have only notified customers about exploitation of CVE-2022-37042 and CVE-2022-27925 on August 10. While CVE-2022-37042 has been patched since March, it was initially only rated ‘medium severity’ due to it requiring authentication, which may have caused some companies to postpone installing the patches. Organizations where the patches for CVE-2022-27925 were not installed by the end of May should consider their email servers compromised, Volexity said.

The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-37042 and CVE-2022-27925 to its Known Exploited Vulnerabilities Catalog on Thursday and instructed government agencies to install patches by September 1.

At least five vulnerabilities discovered this year have been used in attacks aimed at Zimbra servers, which appear to be increasingly targeted by threat actors.

CISA warned organizations in early August that a recently patched vulnerability allowing an unauthenticated attacker to steal cleartext credentials from a targeted Zimbra instance without any user interaction has been exploited in attacks.

A few days later, the agency said a flaw in the UnRAR archive extraction tool has been exploited in the wild, and while multiple products could be affected, the malicious attacks have likely targeted Zimbra servers, which used UnRAR to check archive files attached to emails for spam and malware.

Related: Vulnerabilities Allow Hacking of Zimbra Webmail Servers With Single Email

Related: Volexity Warns of ‘Active Exploitation’ of Zimbra Zero-Day

Related: Three Zero-Day Flaws in SonicWall Email Security Product Exploited in Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.