The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two vulnerabilities to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation.
The two high-severity issues relate to weaknesses in Zimbra Collaboration, and both can be chained to achieve unauthenticated remote code execution on affected email servers:
CVE-2022-27925 (CVSS score: 7.2) – Remote code execution (RCE) via mboximport from authenticated users (fixed in versions 8.8.15 Patch 31 and 9.0.0 Patch 24, released in March)
CVE-2022-37042 – Authentication bypass in MailboxImportServlet (fixed in versions 8.8.15 Patch 33 and 9.0.0 Patch 26, released in August)
“If you are running a version of Zimbra older than Zimbra 8.8.15 patch 33 or Zimbra 9.0.0 patch 26, you should update to the latest patch as soon as possible,” Zimbra warned earlier this week.
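The patch thresholds above are the practical check a defender runs across an inventory of Zimbra hosts. The following is an added example (not code from the article, Zimbra or Volexity) that parses a version string and classifies it against the fixed patch levels the article names. It assumes version strings of the form "major.minor.micro" optionally followed by "Patch N" or "_PN"; the notation, the sample inputs and the function names are this example's own assumptions.

```python
import re
from typing import Optional, Tuple

# Patch levels the article names as fixing CVE-2022-37042 (the authentication
# bypass in MailboxImportServlet): 8.8.15 Patch 33 and 9.0.0 Patch 26.
# Both also include the earlier CVE-2022-27925 fix (Patch 31 / Patch 24).
FIXED_PATCH_FOR_CVE_2022_37042 = {
    (8, 8, 15): 33,
    (9, 0, 0): 26,
}

# Base release "X.Y.Z" (not preceded by another digit or dot).
_BASE_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)")
# Patch level written as "Patch 33", "patch33", "_P33" or " P33" (assumed notation).
# The lookahead rejects a number that starts another dotted version.
_PATCH_RE = re.compile(r"(?:patch\s*|_p|\bp)(\d+)(?!\.\d)", re.IGNORECASE)


def parse_zimbra_version(text: str) -> Optional[Tuple[Tuple[int, int, int], int]]:
    """Return ((major, minor, micro), patch) or None if no version is present.

    A missing patch number is treated as patch level 0, i.e. an unpatched
    GA build, which is the conservative reading for a vulnerability check.
    """
    base = _BASE_RE.search(text)
    if base is None:
        return None
    patches = _PATCH_RE.findall(text)
    patch = int(patches[-1]) if patches else 0
    return (int(base[1]), int(base[2]), int(base[3])), patch


def assess_cve_2022_37042(text: str) -> str:
    """Classify a version string as 'patched', 'vulnerable' or 'unknown'.

    'unknown' is returned for release lines the article does not cover;
    those still need a manual check against the vendor advisory rather
    than being silently treated as safe.
    """
    parsed = parse_zimbra_version(text)
    if parsed is None:
        return "unknown"
    base, patch = parsed
    required = FIXED_PATCH_FOR_CVE_2022_37042.get(base)
    if required is None:
        return "unknown"
    return "patched" if patch >= required else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, as an inventory tool might collect them.
    samples = [
        "8.8.15 Patch 31",   # has the March fix only, still exposed to CVE-2022-37042
        "9.0.0 Patch 26",
        "8.8.15_P33",
        "9.0.0",             # GA build with no patch level recorded
        "8.7.11 Patch 10",   # release line not covered by the article
    ]
    for sample in samples:
        print(f"{sample:20s} -> {assess_cve_2022_37042(sample)}")
```

The point of the "unknown" outcome is that a host running 8.8.15 Patch 31 is fully patched for CVE-2022-27925 yet still exposed to the chain, so a check that only compares against the March patch levels gives a false sense of safety.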
CISA hasn’t shared any information about the attacks exploiting the vulnerabilities, but cybersecurity firm Volexity has described mass exploitation of Zimbra instances in the wild by an unknown threat actor.
In a nutshell, the attacks involve taking advantage of the aforementioned authentication bypass vulnerability to remotely execute code on the underlying server by uploading arbitrary files.
Volexity said that “authentication can be bypassed when accessing the same endpoint (mboximport) used by CVE-2022-27925” and that the vulnerability “can be exploited without valid credentials, which makes the vulnerability significantly more severe.”
It also identified more than 1,000 instances globally that had been backdoored and compromised using this attack vector, some of them belonging to government departments and agencies, military branches, and companies with billions of dollars in revenue.
The attacks, which took place as recently as late June 2022, also involved deploying web shells to maintain long-term access to the infected servers. The countries with the most compromised instances include the U.S., Italy, Germany, France, India, Russia, Indonesia, Switzerland, Spain, and Poland.
“CVE-2022-27925 was originally listed as an RCE exploit that required authentication,” Volexity said. “However, when combined with a separate bug, it becomes an unauthenticated RCE exploit that makes remote exploitation trivial.”
The disclosure comes a week after CISA added another Zimbra-related bug, CVE-2022-27924, to the catalog; if exploited, it could allow attackers to steal cleartext credentials from users of targeted instances.