A new zero-day vulnerability affecting Zimbra has been exploited to hack more than 1,000 enterprise email servers, according to incident response firm Volexity.
In July and early August, Volexity was called in to investigate several Zimbra Collaboration Suite breaches. The company’s analysis showed that the attackers had most likely exploited CVE-2022-27925, a remote code execution vulnerability in Zimbra that the vendor patched in March 2022.
The problem was that exploitation of CVE-2022-27925 requires admin credentials, which makes mass exploitation less likely. In addition, there was no indication that the attackers had managed to obtain the required credentials.
Further analysis showed that it was possible to bypass authentication when accessing the same endpoint used by CVE-2022-27925. The findings were reported to Zimbra, which patched the authentication bypass vulnerability at the end of July with the release of versions 9.0.0P26 and 8.8.15P33.
Volexity believes CVE-2022-27925 has been exploited in combination with the zero-day flaw, tracked as CVE-2022-37042, since at least the end of June 2022. It was initially targeted by threat actors focusing on cyberespionage and later by others for mass exploitation attempts.
In many cases, the attackers deployed webshells in an effort to gain persistent access to Zimbra email servers.
The cybersecurity firm used its knowledge of these webshells to conduct internet scans and identify compromised Zimbra instances. More than 1,000 victims have been seen worldwide, but the highest percentage is in the United States and Western Europe. They include global businesses with billions of dollars in revenue, as well as government and military organizations.
“At the other end of the scale, the affected organizations also included a significant number of small businesses unlikely to have dedicated IT staff to manage their mail servers, and perhaps less likely to be able to effectively detect and remediate an incident,” Volexity said.
The company noted that the actual number of victims is likely higher than 1,000.
Zimbra appears to have only notified customers about exploitation of CVE-2022-37042 and CVE-2022-27925 on August 10. While CVE-2022-37042 has been patched since March, it was initially only rated ‘medium severity’ due to it requiring authentication, which may have caused some companies to postpone installing the patches. Organizations where the patches for CVE-2022-27925 were not installed by the end of May should consider their email servers compromised, Volexity said.
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-37042 and CVE-2022-27925 to its Known Exploited Vulnerabilities Catalog on Thursday and instructed government agencies to install patches by September 1.
At least five vulnerabilities discovered this year have been used in attacks aimed at Zimbra servers, which appear to be increasingly targeted by threat actors.
CISA warned organizations in early August that a recently patched vulnerability allowing an unauthenticated attacker to steal cleartext credentials from a targeted Zimbra instance without any user interaction has been exploited in attacks.
A few days later, the agency said a flaw in the UnRAR archive extraction tool has been exploited in the wild, and while multiple products could be affected, the malicious attacks have likely targeted Zimbra servers, which used UnRAR to check archive files attached to emails for spam and malware.
Related: Vulnerabilities Allow Hacking of Zimbra Webmail Servers With Single Email
Related: Volexity Warns of ‘Active Exploitation’ of Zimbra Zero-Day
Related: Three Zero-Day Flaws in SonicWall Email Security Product Exploited in Attacks
