Threat Actors Exploiting CVE-2022-27925 chained with CVE-2022-37042 Against Zimbra Collaboration Suite
by CIRT Team
An authentication bypass Zimbra security vulnerability is actively exploited to compromise Zimbra Collaboration Suite (ZCS) email servers worldwide.
According to threat intelligence firm Volexity, attackers have been abusing a ZCS remote code execution flaw tracked as CVE-2022-27925 requiring authentication with the help of an auth bypass bug (tracked as CVE-2022-37042).
CVE-2022-27925: Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.
CVE-2022-37042: Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution.
Successful exploitation allows the attackers to deploy web shells on specific locations on the compromised servers to gain persistent access.
Updates are available.Please see the references or vendor advisory for more information.