Zimbra auth bypass bug exploited to breach over 1,000 servers

guest · Aug 11, 2022

August 11, 2022

An authentication bypass Zimbra security vulnerability is actively exploited to compromise Zimbra Collaboration Suite (ZCS) email servers worldwide.

Zimbra is an email and collaboration platform used by more than 200,000 businesses from over 140 countries, including over 1,000 government and financial organizations.
Click to expand...

Exploited in the wild
According to threat intelligence firm Volexity, attackers have been abusing a ZCS remote code execution flaw tracked as CVE-2022-27925 requiring authentication with the help of an auth bypass bug (tracked as CVE-2022-37042 and patched yesterday) as early as the end of June.

"Volexity believes this vulnerability was exploited in a manner consistent with what it saw with Microsoft Exchange 0-day vulnerabilities it discovered in early 2021," the company's Threat Research team said.
"Initially it was exploited by espionage-oriented threat actors, but was later picked up by other threat actors and used in mass-exploitation attempts."
Click to expand...

Over 1,000 servers already compromised
After discovering evidence during multiple incident responses that Zimbra email servers were being breached using the CVE-2022-27925 RCE with the help of the CVE-2022-37042 auth bypass bug, Volexity scanned for instances of hacked servers exposed to Internet access.
Click to expand...

Volexity: Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925

In July and early August 2022, Volexity worked on multiple incidents where the victim organization experienced serious breaches to their Zimbra Collaboration Suite (ZCS) email servers. Volexity’s investigations uncovered evidence indicating the likely cause of these breaches was exploitation of CVE-2022-27925, a remote-code-execution (RCE) vulnerability in ZCS. This initial CVE was patched by Zimbra in March 2022 in 8.8.15P31 and 9.0.0P24.
Click to expand...

Log in or Sign up

Zimbra auth bypass bug exploited to breach over 1,000 servers

guest Guest

Log in or Sign up

Zimbra auth bypass bug exploited to breach over 1,000 servers

guest Guest

Useful Searches