Threat actors are actively exploiting two critical vulnerabilities in Zimbra Collaboration Suite (ZCS). Here's what you need to know.
On August 11, 2022, two vulnerabilities in the Zimbra Collaboration Suite (ZCS) were added to the CISA Known Exploited Vulnerabilities Catalog after reports of widespread exploitation surfaced. ZCS is a collaboration suite that includes an email server and a web client. Threat actors are chaining the two vulnerabilities, which gives them the ability to remotely execute arbitrary code on unpatched ZCS servers. Customers are advised to update all Zimbra Collaboration Suite servers to the latest version immediately.
Quick facts: what you need to know now
- The vulnerabilities affect ZCS 9.0.0 releases before patch 26 and ZCS 8.8.15 releases before patch 33.
- The vulnerabilities are being actively exploited in the wild; successful exploitation results in arbitrary code execution on the ZCS server.
- Volexity researchers observed attackers placing backdoors on more than 1,000 victims' ZCS servers by chaining the two vulnerabilities.
Next Steps for Zimbra Collaboration Suite users:
- Update to a non-vulnerable version of ZCS. Zimbra has provided fixes for the vulnerabilities in its 9.0.0P26 (patch 26) and 8.8.15P33 (patch 33) releases. Consult Zimbra's patch release notes for vendor guidance.
- Patching closes the hole but does not remove a backdoor that was planted before the patch. If your Zimbra server was ever exposed while vulnerable, check for web shells by comparing the JSP files present on your Zimbra instance with those included by default in a Zimbra installation of the same patch level; reference lists of the JSP files shipped in the latest 8.8.15 and 9.0.0 releases have been published for this comparison. Compare file contents (or hashes) and not just file names, since an attacker can also overwrite a legitimate JSP file in place.
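The comparison described above, as an added example that is not part of the original page and is not Zimbra's code. It walks a webapp root, reports every JSP file that is not on a known-good list, and separately flags any JSP whose content uses command-execution or class-loading constructs, so that a legitimate file overwritten with a shell is still caught. The install roots, the baseline list, the suspicious-pattern list and the demo tree are all assumptions constructed for illustration; in practice, build the baseline from the vendor comparison list for your exact patch level.

```python
"""Compare the JSP files on a Zimbra host against a known-good list.

Added example (not code from the original page or from Zimbra). The install
roots, the baseline list and the demo tree are assumptions for illustration;
build the real baseline from the vendor comparison list for your patch level.
"""
import re
import tempfile
from pathlib import Path

# Webapp roots where ZCS serves JSP files (assumed; adjust to your install).
ASSUMED_ROOTS = ["/opt/zimbra/jetty/webapps", "/opt/zimbra/jetty_base/webapps"]

# Constructs that JSP web shells commonly use to run OS commands or load
# bytecode. A match is a lead for manual review, not proof of compromise.
SUSPICIOUS = re.compile(
    r"Runtime\.getRuntime\(\)\s*\.exec|new\s+ProcessBuilder|defineClass\("
)

# Demo baseline: JSP files the install is expected to ship (constructed).
DEMO_BASELINE = ["zimbra/public/launchZCS.jsp", "zimbra/public/error.jsp"]


def collect_jsp(root):
    """Map each JSP file under root to its path, keyed by POSIX-style relative path."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): p for p in root.rglob("*.jsp") if p.is_file()
    }


def audit(root, baseline):
    """Return JSPs absent from the baseline and JSPs whose content looks like a shell.

    Both checks run over every file: an attacker can also overwrite a file that
    *is* on the baseline, which a name-only comparison would never catch.
    """
    found = collect_jsp(root)
    unexpected = sorted(set(found) - set(baseline))
    suspicious = sorted(
        rel for rel, path in found.items()
        if SUSPICIOUS.search(path.read_text(errors="replace"))
    )
    return {"unexpected": unexpected, "suspicious": suspicious}


def build_demo_tree():
    """Create a throwaway tree that mimics a compromised webapps directory (constructed)."""
    root = Path(tempfile.mkdtemp(prefix="zcs-demo-"))
    (root / "zimbra/public").mkdir(parents=True)
    (root / "zimbraAdmin/public").mkdir(parents=True)
    # Legitimate file, unchanged.
    (root / "zimbra/public/launchZCS.jsp").write_text('<%@ page language="java" %>\n')
    # Legitimate name, but overwritten with a command-execution shell.
    (root / "zimbra/public/error.jsp").write_text(
        '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>\n'
    )
    # Dropped file that is not in the baseline at all.
    (root / "zimbraAdmin/public/shell.jsp").write_text(
        '<% new ProcessBuilder(request.getParameter("c").split(" ")).start(); %>\n'
    )
    return root


if __name__ == "__main__":
    # Runs against the constructed demo tree; on a real host call
    # audit(<one of ASSUMED_ROOTS>, <vendor baseline list>) instead.
    demo_root = build_demo_tree()
    result = audit(demo_root, DEMO_BASELINE)
    print(f"unexpected JSP files: {result['unexpected']}")
    print(f"suspicious JSP files: {result['suspicious']}")
```

On the demo tree the name comparison alone reports only the dropped `zimbraAdmin/public/shell.jsp`; the content check is what surfaces the overwritten `zimbra/public/error.jsp`. Treat every hit as a lead to review by hand, and remember that an absence of hits does not prove the host is clean: an attacker who already had code execution may have left persistence outside the webapp directories.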
If you have any questions, please reach out to the Risk + Response Team at firstname.lastname@example.org!