Multiple threat actors are launching attacks against unpatched users of Zimbra Collaboration Suite, a business productivity software and email platform, the Cybersecurity and Infrastructure Security Agency said in a warning Thursday.
CISA, in a joint advisory with the Multi-State Information Sharing and Analysis Center (MS-ISAC) and contributions from the FBI, said threat actors are exploiting multiple CVEs to launch attacks against unpatched government and private sector users.
The advisory updates previous guidance issued in August regarding vulnerabilities in ZCS. Officials urge administrators who failed to patch their systems, or whose systems are otherwise exposed to the internet, to assume they have been compromised and to use the third-party detection signatures in the advisory to hunt for threat activity.
One vulnerability previously disclosed by SonarSource researchers, listed as CVE-2022-29724, allows unauthenticated hackers to inject memcache commands into targeted instances of ZCS and overwrite arbitrary cached entries. A hacker can then steal ZCS email account credentials in cleartext form.
If organizations don’t have multifactor authentication, a hacker can launch spearphishing, social engineering or business email compromise attacks. Zimbra issued patches in May, and CISA updated its Known Exploited Vulnerabilities catalog in August.
Another high-severity vulnerability, CVE-2022-27925, affects the mboximport functionality that ZCS instances use to extract files from a ZIP archive. Authenticated users can upload arbitrary files, leading to directory traversal.
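The mboximport flaw described above is a classic archive-extraction directory traversal: an entry name inside the ZIP (for example one containing `..` or an absolute path) causes the extractor to write outside the directory it was supposed to populate. The following is an added illustration, not code from Zimbra, CISA or Volexity; it is written in Python rather than Zimbra's Java so it can be run as-is, and the function and class names (`is_safe_entry_name`, `safe_extract`, `UnsafeArchiveEntry`) and the sample archive contents are all constructed for this example. It shows the two checks a hardened extractor should make before writing any file: a name-based check on each entry and a resolved-path check against the extraction root.

```python
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath


class UnsafeArchiveEntry(ValueError):
    """Raised when a ZIP entry would land outside the extraction directory."""


def is_safe_entry_name(name: str) -> bool:
    """Return True only if the entry name cannot climb out of the extraction root."""
    if not name or "\x00" in name:
        return False
    # Some archivers write backslashes on Windows; treat them as separators too.
    normalised = name.replace("\\", "/")
    path = PurePosixPath(normalised)
    if path.is_absolute():
        return False
    # A drive letter such as "C:" is not absolute to PurePosixPath, so reject it explicitly.
    if len(normalised) >= 2 and normalised[1] == ":":
        return False
    # Any ".." component can escape the root once the name is joined to it.
    if ".." in path.parts:
        return False
    return True


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract an in-memory ZIP into dest_dir, refusing entries that would escape it.

    Every entry is validated before anything is written, so a malicious archive
    is rejected as a whole rather than partially extracted.
    """
    root = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_entry_name(info.filename):
                raise UnsafeArchiveEntry(f"rejected entry name: {info.filename!r}")
            target = os.path.realpath(os.path.join(root, info.filename))
            # Second line of defence: the resolved target must still sit under root.
            if os.path.commonpath([root, target]) != root:
                raise UnsafeArchiveEntry(f"entry escapes extraction root: {info.filename!r}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, root))
    return written


def build_archive(entries: dict) -> bytes:
    """Build an in-memory ZIP from {entry_name: bytes}; used to construct test archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    """Run a benign archive and a traversal archive through safe_extract in a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed benign archive: one mailbox file under a subdirectory.
        benign = build_archive({"mail/inbox.eml": b"From: sender@example.invalid\r\n"})
        results["benign"] = safe_extract(benign, workdir)
        # Constructed hostile archive: the entry name tries to climb above the root.
        hostile = build_archive({"../escape.txt": b"should never be written"})
        try:
            safe_extract(hostile, workdir)
            results["hostile"] = "extracted"
        except UnsafeArchiveEntry:
            results["hostile"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The resolved-path check is kept even though the name check already rejects `..`, because it also catches cases the name check cannot see, such as an entry whose parent directory is a symlink that already exists under the extraction root. Checking before writing, rather than cleaning up afterwards, is what prevents a partial extraction from planting a file in a web-served directory.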
Steven Adair, president of Volexity, said the attacks likely involve organizations that never patched and found a breach or were compromised some time ago.
Volexity researchers in August reported more than 1,000 ZCS instances affected by CVE-2022-27925 along with CVE-2022-37042. CISA added both vulnerabilities to the KEV list.