A critical vulnerability was discovered in Zimbra Collaboration Suite. Here's what you need to know.
Threat actors are targeting organizations using Zimbra servers that are vulnerable to CVE-2022-24682. The vulnerability was discovered in December 2021 and has a working exploit that threat actors are actively exploiting.
Quick facts: what you need to know now
- The vulnerability impacts the Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1)
- Threat actors have been observed using this vulnerability to steal emails and email attachments from targeted users' mailboxes.
Next Steps for Zimbra Customers:
- Upgrade Zimbra to the latest version 9.0.0, as there is currently no secure version of 8.8.15.
- Block the associated Indicators of Compromise (IOCs) at the mail gateway and network level.
- Review Zimbra logs to look for suspicious access and referrers.
- The default location for these logs can be found at /opt/zimbra/log/access*.log.
- Check this article periodically over the next few weeks as we will keep it updated as more information becomes available.
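To make the log review step concrete, here is an added example (not Zimbra's code and not from the original advisory) that parses access log lines and lists requests whose Referer points outside your own webmail hostname, for manual triage. It assumes the combined (NCSA-style) log format for /opt/zimbra/log/access*.log; the sample lines and the referrer domain are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Assumption: lines follow the common "combined" access log format.
# Verify against your own deployment before relying on this parser.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not real traffic); the external referrer is a placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Feb/2022:10:01:12 +0000] "GET /zimbra/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Feb/2022:10:01:15 +0000] "GET /zimbra/mail HTTP/1.1" 200 812 "https://mail.example.com/zimbra/" "Mozilla/5.0"
198.51.100.9 - - [04/Feb/2022:10:07:41 +0000] "GET /zimbra/mail?app=mail HTTP/1.1" 200 901 "https://attacker-placeholder.invalid/lure.html" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_referrers(log_text, own_hosts):
    """Return parsed entries whose Referer host is not one of own_hosts.

    Empty or "-" referrers are ignored; everything else from an unexpected
    host is returned for a human to review, since legitimate external links
    to the login page are possible.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or entry["referer"] in ("", "-"):
            continue
        host = (urlparse(entry["referer"]).hostname or "").lower()
        if host not in own_hosts:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in suspicious_referrers(SAMPLE_LOG, {"mail.example.com"}):
        print(hit["time"], hit["ip"], hit["path"], "<-", hit["referer"])
```

Run it against the real files with `cat /opt/zimbra/log/access*.log` piped into the parser, and replace the hostname set with your own webmail hostnames.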
References:
- Volexity: https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/
- Zimbra: https://blog.zimbra.com/2022/02/hotfix-available-5-feb-for-zero-day-exploit-vulnerability-in-zimbra-8-8-15/
If you have any questions, please reach out to the Risk + Response Team at firstname.lastname@example.org!