Connect with us

Hi, what are you looking for?



Zimbra Flaw Exploited by Russia Against NATO Countries Added to CISA ‘Must Patch’ List

CISA has added to its Known Exploited Vulnerabilities catalog a Zimbra vulnerability exploited in attacks targeting NATO countries

The US Cybersecurity and Infrastructure Security Agency (CISA) has added to its ‘Must Patch’ list a Zimbra vulnerability exploited by Russian hackers in attacks targeting NATO countries.

The flaw, tracked as CVE-2022-27926 (CVSS score of 6.1), is described as a reflected cross-site scripting (XSS) bug in Zimbra Collaboration version 9.0.

Because of this issue, an endpoint URL may accept parameters without sanitization, which could allow an unauthenticated attacker to provide crafted request parameters leading to the execution of arbitrary web scripts or HTML code.

While CISA does not provide details on the observed exploitation of CVE-2022-27926, the agency’s warning comes only days after a Proofpoint report on the vulnerability being exploited by Russia-linked advanced persistent threat (ATP) actor Winter Vivern in attacks targeting NATO countries.

Also tracked as TA473, Winter Vivern has been observed launching cyberattacks in support of Russian and/or Belarussian geopolitical goals in the context of the Russia-Ukraine war.

The attacks against NATO countries targeted public Zimbra hosted webmail portals to access email correspondence of military, government, and diplomatic organizations in Europe.

The APT uses scanning tools to identify vulnerable, unpatched webmail portals and then sends phishing emails containing a malicious a URL leading to the execution of JavaScript code that in turns downloads a next stage JavaScript payload to conduct cross-site request forgery (CSRF) attacks and capture victims’ credentials.

Advertisement. Scroll to continue reading.

According to Proofpoint, Winter Vivern appears to have invested time and resources in analyzing the publicly exposed webmail portals of the targeted organizations in order to create different JavaScript payloads for each of them.

“These labor-intensive customized payloads allow actors to steal usernames, passwords, and store active session and CSRF tokens from cookies facilitating the login to publicly facing webmail portals belonging to NATO-aligned organizations,” Proofpoint explains.

Organizations are advised to upgrade to a patched version of the Zimbra Collaboration Suite as soon as possible.

Per Binding Operational Directive (BOD) 22-01, once a vulnerability is added to CISA’s Known Exploited Vulnerabilities catalog, federal agencies have three weeks to apply the relevant patches within their environments.

Related: Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up

Related: New Espionage Group ‘YoroTrooper’ Targeting Entities in European, CIS Countries

Related: Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...