Cyber threat actors exploit Zimbra Collaboration Suite vulnerabilities (update)

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have published a joint Cybersecurity Advisory on multiple vulnerabilities in Zimbra Collaboration Suite (ZCS) that cyber threat actors are exploiting.

Zimbra is one of the world’s leading cloud-hosted collaboration software suites and open-source email platforms, powering hundreds of millions of mailboxes in 140 countries.

According to the alert (most recently updated November 10, 2022), cyber threat actors may be targeting the following vulnerabilities (five CVEs in total) in unpatched ZCS instances on both government and private-sector networks:

  • CVE-2022-24682 (cross-site scripting in the ZCS webmail Calendar feature)
  • CVE-2022-27924 (Memcached command injection that allows theft of cleartext credentials)
  • CVE-2022-27925 (authenticated remote code execution via directory traversal in mboximport), chained with CVE-2022-37042 (authentication bypass in the MailboxImportServlet, which makes CVE-2022-27925 exploitable without credentials)
  • CVE-2022-30333 (path traversal in RARLAB UnRAR on Linux/UNIX, reachable through ZCS's antivirus scanning of RAR attachments)

Moreover, CISA previously added CVE-2022-24682 and CVE-2022-27924 to its Known Exploited Vulnerabilities (KEV) Catalog in February and early August 2022 respectively. The additions were based on evidence that cyber threat actors were actively exploiting the vulnerabilities.

On November 10, 2022, CISA and the MS-ISAC updated the Cybersecurity Advisory (CSA) to include a new Malware Analysis Report (MAR) MAR-10410305-1.v1 JSP Webshell.

“CISA received 3 Java Server Pages (JSP) webshells for analysis from an organization where cyber actors exploited vulnerabilities against Zimbra Collaboration Suite (ZCS). Four CVEs are currently being leveraged against ZCS: CVE-2022-24682, CVE-2022-27924, CVE-2022-27925 chained with CVE-2022-37042, and CVE-2022-30333. The files are server-side code that allow clients to remotely send commands to be executed on the victim web server,” CISA wrote in the report.
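The MAR describes the webshells only in general terms: JSP files that take a command from the client request and run it on the server. A practical follow-up is to hunt for files with that shape under the ZCS web root. The script below is an added example, not tooling from CISA, MS-ISAC or Zimbra, and it does not match the specific samples in MAR-10410305-1.v1. The indicator patterns, the default Zimbra Jetty path, and the two sample JSP files it scans are all assumptions constructed for the demonstration.

```python
"""Heuristic hunt for command-execution JSP webshells under a Zimbra web root.

Added example (not CISA, MS-ISAC or Zimbra code). Flags .jsp/.jspx files that
both read client input from the request and hand it to the OS, a class loader
or the filesystem. Patterns and paths below are assumptions, not a signature.
"""
import re
import tempfile
from pathlib import Path

# Assumed default ZCS Jetty web root; adjust for your installation.
DEFAULT_ZIMBRA_WEBAPPS = "/opt/zimbra/jetty/webapps"

# Heuristic indicators typical of JSP webshells (assumed, not from the MAR).
INDICATORS = {
    "runtime_exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\("),
    "process_builder": re.compile(r"new\s+ProcessBuilder\s*\("),
    "request_param": re.compile(r"request\s*\.\s*getParameter\s*\("),
    "reflection_load": re.compile(r"defineClass\s*\(|\.\s*loadClass\s*\("),
    "file_write": re.compile(r"new\s+FileOutputStream\s*\("),
}
EXECUTES = {"runtime_exec", "process_builder", "reflection_load", "file_write"}


def classify_jsp(text):
    """Return the sorted names of indicators present in one JSP source text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def is_suspicious(hits):
    """Suspicious = reads request input AND executes/loads/writes something."""
    return "request_param" in hits and bool(EXECUTES & set(hits))


def scan_jsp_tree(root):
    """Walk root; return {relative_posix_path: [indicators]} for suspicious JSPs."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in (".jsp", ".jspx"):
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip, do not crash the hunt
        hits = classify_jsp(text)
        if is_suspicious(hits):
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample inputs (not real Zimbra pages or attacker files).
BENIGN_JSP = """<%@ page contentType="text/html" %>
<html><body><%= "Quota: " + session.getAttribute("quota") %></body></html>
"""
SHELL_LIKE_JSP = """<%@ page import="java.io.*" %>
<%
  String cmd = request.getParameter("cmd");
  if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line; while ((line = r.readLine()) != null) { out.println(line); }
  }
%>
"""


def build_sample_tree(base):
    """Create a fake webapps layout with one benign and one shell-like JSP."""
    pub = Path(base) / "zimbra" / "public"
    pub.mkdir(parents=True, exist_ok=True)
    (pub / "quota.jsp").write_text(BENIGN_JSP)
    (pub / "shell.jsp").write_text(SHELL_LIKE_JSP)
    return pub


def demo():
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return scan_jsp_tree(d)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"SUSPICIOUS {rel}: {', '.join(hits)}")
    # Against a live host: scan_jsp_tree(DEFAULT_ZIMBRA_WEBAPPS)
```

On a live system, run `scan_jsp_tree(DEFAULT_ZIMBRA_WEBAPPS)` and compare any hits against what the installed ZCS packages actually ship; a JSP that Zimbra did not install, or one whose modification time is newer than the last patch, deserves a closer look regardless of whether the heuristics fire.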

Update: This post was updated on November 12, 2022 (originally published August 19, 2022).