Skip links

Zimbra auth bypass bug exploited to breach over 1,000 servers



An authentication bypass Zimbra security vulnerability is actively exploited to compromise Zimbra Collaboration Suite (ZCS) email servers worldwide.

Zimbra is an email and collaboration platform used by more than 200,000 businesses from over 140 countries, including over 1,000 government and financial organizations.

Exploited in the wild

According to threat intelligence firm Volexity, attackers have been abusing a ZCS remote code execution flaw tracked as CVE-2022-27925 requiring authentication with the help of an auth bypass bug (tracked as CVE-2022-37042 and patched yesterday) as early as the end of June.

“Volexity believes this vulnerability was exploited in a manner consistent with what it saw with Microsoft Exchange 0-day vulnerabilities it discovered in early 2021,” the company’s Threat Research team said.

“Initially it was exploited by espionage-oriented threat actors, but was later picked up by other threat actors and used in mass-exploitation attempts.”

Successful exploitation allows the attackers to deploy web shells on specific locations on the compromised servers to gain persistent access.

CVE-2022-27925 facilitated writing #webshells to disk and was patched months ago. However, it was deemed lower priority because it required admin creds to exploit. Enter CVE-2022-37042 … which bypassed authentication making this a CRITICAL and trivial to exploit vulnerability.

— Steven Adair (@stevenadair) August 11, 2022

While Zimbra did not disclose in its advisory that these vulnerabilities are under active exploitation, an employee warned customers on the company’s forum to immediately apply patches as they are indeed abused in attacks.

“If you are running a Zimbra version that is older than Zimbra 8.8.15 patch 33 or Zimbra 9.0.0 patch 26 you should update to the latest patch as soon as possible,” the alert published on Wednesday reads.

A Zimbra spokesperson was not available for comment when BleepingComputer reached out earlier today. 

CISA also confirmed that both security flaws are exploited in the wild by adding them to its catalog of exploited bugs on Thursday.

Over 1,000 servers already compromised

After discovering evidence during multiple incident responses that Zimbra email servers were being breached using the CVE-2022-27925 RCE with the help of the CVE-2022-37042 auth bypass bug, Volexity scanned for instances of hacked servers exposed to Internet access.

To do this, the company’s security experts used their knowledge of where the threat actors were installing web shells on the servers.

“Through these scans, Volexity identified over 1,000 ZCS instances around the world that were backdoored and compromised,” Volexity added.

“These ZCS instances belong to a variety of global organizations, including government departments and ministries, military branches, and worldwide businesses with billions of dollars of revenue.

“Bearing in mind that this scan only used shell paths known to Volexity, it is likely that the true number of compromised servers is higher.”

Volexity says that all its findings were reported to Zimbra and that they also local Computer Emergency Response Team (CERTs) that could be contacted of compromised Zimbra instances.

Compromised Zimbra email servers (Volexity)

 Since the latest Zimbra versions (8.8.15 patch 33 and 9.0.0 patch 26) are patched against the actively exploited RCE and auth bypass bugs, admins should patch their servers immediately to block attacks.

However, as Volexity warns, if vulnerable servers haven’t been patched against the RCE bug (CVE-2022-27925) before the end of May 2022, “you should consider your ZCS instance may be compromised (and thus all data on it, including email content, may be stolen) and perform a full analysis of the server.”

Volexity advises organizations who believe their ZCS email servers were compromised to investigate a possible incident or rebuild their ZCS instance using the latest patch and import emails from the old server.

Unfortunately, these two Zimbra bugs are likely not the only ones actively exploited, given that CISA has added another high severity Zimbra flaw (CVE-2022-27924), allowing unauthenticated attackers to steal plain text credentials, to its Known Exploited Vulnerabilities Catalog.

Adblock test (Why?)