In a widespread campaign, threat actors chained two Zimbra Collaboration Suite vulnerabilities to obtain remote code execution and deploy a variety of webshells.
Because CVE-2022-27925, a remote code execution vulnerability, required administrator rights to be exploited successfully, threat actors leveraged CVE-2022-37042, an authentication bypass vulnerability, to remove that requirement and exploit vulnerable Zimbra products. Volexity researchers identified over 1,000 Zimbra instances that were compromised and backdoored at the time of their research.
CVE-2022-27925 (CVSS score: 7.2) – Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability: Zimbra Collaboration (ZCS) 8.8.15 and 9.0 contain a flaw in the mboximport functionality that allows an authenticated attacker to upload arbitrary files and achieve remote code execution. This vulnerability was chained with CVE-2022-37042, which allows for unauthenticated remote code execution.
CVE-2022-37042 (CVSS score: 9.8) – ZCS Authentication Bypass Vulnerability: ZCS 8.8.15 and 9.0 have mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., without holding an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution.
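As an added illustration (not code from this advisory or from Zimbra), the defensive counterpart of the archive-extraction traversal described above: an extractor that resolves every ZIP entry against the destination directory and refuses any entry that would land outside it. The sample archive, with one benign file and one traversal entry, is constructed inline.

```python
import io
import tempfile
import zipfile
from pathlib import Path


def safe_extract(zip_bytes: bytes, dest_dir: str) -> dict:
    """Extract a ZIP archive into dest_dir, refusing any entry whose
    resolved path escapes dest_dir (Zip Slip / directory traversal).
    Returns {"extracted": [...], "rejected": [...]} with entry names."""
    dest = Path(dest_dir).resolve()
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Resolve the member path against the destination; "../" segments
            # and absolute paths are normalised here, so an escaping entry
            # ends up with a parent chain that no longer contains dest.
            target = (dest / name).resolve()
            if target != dest and dest not in target.parents:
                rejected.append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return {"extracted": extracted, "rejected": rejected}


def build_sample_archive() -> bytes:
    """Constructed sample: one mailbox file plus one entry that tries to
    climb out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mailbox/inbox.eml", "Subject: test\n")
        zf.writestr("../../outside.txt", "escaped")
    return buf.getvalue()


def demo() -> dict:
    """Run the extractor on the sample archive in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_archive(), tmp)


if __name__ == "__main__":
    print(demo())
```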
Recommendation for CVE-2022-27925
Recommendation #1: Apply the Patch
If you are running a Zimbra version older than Zimbra 8.8.15 patch 33 or Zimbra 9.0.0 patch 26, you should update to the latest patch as soon as possible. CVE-2022-37042 exists due to an incomplete patch for CVE-2022-27925.
More information about the specific patch can be found at: