Connect with us

Hi, what are you looking for?


Email Security

Zimbra Zero-Day Exploited to Hack Government Emails

Google says a Zimbra zero-day from earlier this year, CVE-2023-37580, was exploited in several campaigns to hack government emails.

Government emails hacked via Zimbra zero-day

Google’s Threat Analysis Group (TAG) revealed on Thursday that a Zimbra Collaboration Suite zero-day was exploited earlier this year to steal email data from government organizations in several countries. 

The existence of the vulnerability, tracked as CVE-2023-37580, became public in mid-July, when Zimbra notified customers of its email server solution. 

The flaw, described as a reflected cross-site scripting (XSS) bug, allows an attacker to execute malicious code by sending emails containing specially crafted URLs to the targeted organization. 

In order for the exploit to be successfully executed, the targeted user needs to click on the malicious link while they are authenticated to a Zimbra session.

Shortly after Zimbra announced an official patch on July 25, Google’s TAG warned that in-the-wild exploitation had been observed, but did not share any information about the attacks. 

The internet giant has now revealed that it saw the first campaign exploiting CVE-2023-37580 on June 29. This campaign was aimed at a government organization in Greece and the attacker leveraged a previously documented framework to steal emails and attachments. The framework can also be used to automatically forward emails to addresses controlled by the attacker.

Roughly one week after Google spotted this campaign, on July 5, Zimbra published a hotfix for the vulnerability to its GitHub repository, but an official patch had yet to be released.

Then, on July 11, Google observed a second campaign exploiting the Zimbra zero-day, this time targeting government organizations in Moldova and Tunisia. The company linked the attacks to Winter Vivern, a Russian APT known for using Zimbra exploits, including in attacks aimed at NATO countries. 

Advertisement. Scroll to continue reading.

Zimbra published a security advisory on July 13 to warn customers about the vulnerability. However, before the official patch was released on July 25, Google came across a third campaign, which targeted a government organization in Vietnam. In this case, the attacker leveraged the exploit to take users to a phishing page that instructed them to enter their webmail credentials.

After the patch was released by Zimbra, Google spotted a fourth campaign, targeting a government organization in Pakistan.

“The discovery of at least four campaigns exploiting CVE-2023-37580, three campaigns after the bug first became public, demonstrates the importance of organizations applying fixes to their mail servers as soon as possible,” Google said. 

It added, “These campaigns also highlight how attackers monitor open-source repositories to opportunistically exploit vulnerabilities where the fix is in the repository, but not yet released to users. The actors behind Campaign #2 began exploiting the bug after the fix was pushed to Github, but before Zimbra publicly released the advisory with remediation advice.”

CISA’s Known Exploited Vulnerabilities Catalog includes seven other Zimbra Collaboration Suite flaws, a majority discovered in 2022. 

Related: Russia-Linked APT ‘Winter Vivern’ Targeting Governments in Europe, Asia 

Related: CISA Urges Organizations to Patch Actively Exploited Zimbra XSS Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...