Researchers Discover Zimbra Authentication Bypass Flaw Under Attack

A severe authentication bypass vulnerability existed in the Zimbra Collaboration Suite (ZCS), risking email security. Researchers found the vulnerability was under attack, compromising over a thousand email servers.

Zimbra Authentication Bypass Flaw

According to a recent report from Volexity, their researchers found an actively exploited vulnerability in the Zimbra Collaboration Suite.

The researchers observed threat actors chaining a previously known remote code execution (RCE) vulnerability, CVE-2022-27925, with a newly discovered authentication bypass flaw, CVE-2022-37042.

On its own, the RCE is rated an Important-severity bug because it requires admin access; combining it with the authentication bypass removes that requirement and raises the threat considerably. A remote attacker exploiting the two flaws in a chain could gain admin privileges without authenticating.

Specifically, the researchers found the vulnerability after multiple email breaches across different organizations caught their attention earlier this year. Further investigation revealed that attackers had actively exploited the two vulnerabilities together in June 2022. While the initial campaigns looked like espionage-oriented attacks, the bugs were later targeted for mass exploitation.

After performing internet-wide scans, Volexity researchers found over 1000 compromised ZCS instances globally. The affected systems belonged to victims from various sectors, including international businesses, government departments, the military, and even small businesses. The researchers also suspect the actual number of breached systems is even higher.

In short, these vulnerabilities put every unpatched ZCS deployment worldwide at the same risk.

Zimbra Released The Patched Versions

Following the researchers’ bug report, Zimbra remediated the issue, releasing the fixes in Zimbra 8.8.15 patch 33 and Zimbra 9.0.0 patch 26.

According to Zimbra’s advisory, users running the older versions should immediately update their systems with the latest releases.
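Administrators auditing a fleet want a quick way to tell whether a given deployment is at or above the fixed patch levels the article names. The script below is an added example written for this page; it is not Volexity's or Zimbra's code. It assumes a version string in the notation `<major>.<minor>.<micro>` optionally followed by `_P<n>` or `patch <n>` (modelled on Zimbra's release/patch notation; the sample output lines are constructed, not copied from a real server), and it treats release lines newer than 9.0.0 as already fixed, which is an assumption you should confirm against the vendor advisory.

```python
import re
from typing import Optional, Tuple

# Fixed patch levels named in the article: 8.8.15 patch 33 and 9.0.0 patch 26.
PATCHED = {
    (8, 8, 15): 33,
    (9, 0, 0): 26,
}

# First "x.y.z" triple in the string is taken as the release line.
_BASE_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")
# Patch number written as "_P33" or "patch 33". The negative lookahead stops
# "Patch 9.0.0_P26" from being read as patch 9 (assumed notation, see lead-in).
_PATCH_RE = re.compile(r"(?:_P|\b[Pp]atch\s+)(\d+)(?!\.\d)")


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], int]]:
    """Return ((major, minor, micro), patch) or None if no version is present."""
    base = _BASE_RE.search(text)
    if not base:
        return None
    release = tuple(int(part) for part in base.groups())
    patch_match = _PATCH_RE.search(text)
    patch = int(patch_match.group(1)) if patch_match else 0
    return release, patch  # type: ignore[return-value]


def is_patched(text: str) -> Optional[bool]:
    """True if the version meets the fixed level for its line, False if not,
    None if the string does not contain a recognisable version."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    release, patch = parsed
    if release in PATCHED:
        return patch >= PATCHED[release]
    # Assumption: lines newer than the latest fixed line ship with the fix;
    # anything older (e.g. 8.7.x, which the article does not list a fix for)
    # is flagged as unpatched so it gets looked at.
    return release > max(PATCHED)


# Constructed sample lines, in the shape an inventory export might hold.
SAMPLE_INVENTORY = {
    "mail-a": "Release 8.8.15.GA.3869.UBUNTU18.64 FOSS edition, Patch 8.8.15_P33.",
    "mail-b": "Release 9.0.0.GA.3924.UBUNTU20.64 FOSS edition, Patch 9.0.0_P25.",
    "mail-c": "8.7.11",
    "mail-d": "unknown",
}


def audit(inventory: dict) -> dict:
    """Map each host to 'ok', 'UPDATE', or 'unknown'."""
    result = {}
    for host, version in inventory.items():
        status = is_patched(version)
        result[host] = "ok" if status else ("unknown" if status is None else "UPDATE")
    return result


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Run it against your own inventory export by replacing `SAMPLE_INVENTORY`; any host reported as `UPDATE` is below the patch level the advisory requires, and `unknown` entries need a manual look.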

While such updates are always crucial, those addressing actively exploited vulnerabilities demand urgent attention (and action) from users. Given that attackers have already compromised over a thousand vulnerable instances, they are likely to speed up their campaigns to compromise as many systems as possible before they are patched. Users should therefore update their deployments without delay.
