Zimbra Vulnerability | April 2022

A critical vulnerability was discovered in Zimbra Collaboration Suite. Here's what you need to know.

Background

Threat actors are targeting organizations running Zimbra servers that are vulnerable to CVE-2022-24682. The vulnerability was discovered in December 2021, a working exploit exists, and threat actors are actively using it.

Quick facts: what you need to know now

  • The vulnerability impacts the Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1)
  • Threat actors are actively exploiting it; successful exploitation allows the attacker to run arbitrary JavaScript in the context of the user's Zimbra session.
  • Threat actors have been observed using this vulnerability to steal emails and email attachments from targeted users' mailboxes.

Next Steps for Zimbra Customers:

  1. Upgrade Zimbra to the latest version 9.0.0, as there is currently no secure version of 8.8.15.
  2. Block all these Indicators of Compromise (IOCs) at the mail gateway and network level.
  3. Review Zimbra logs for suspicious access and referrers.
    1. The default location for these logs is /opt/zimbra/log/access*.log.
  4. Check this article periodically over the next few weeks as we will keep it updated as more information becomes available.
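The log review in step 3, as an added example that is not part of this advisory: a small Python triage script that parses lines from /opt/zimbra/log/access*.log (assumed to be in NCSA combined format, as Jetty writes them) and flags requests whose Referer points at a host other than the Zimbra server itself. The sample log lines, the IP addresses and the host name mail.example.com are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: the access log is NCSA combined format
# (ip ident user [timestamp] "request" status bytes "referer" "user-agent" ...).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines for illustration only; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2022:09:14:02 +0000] "GET /zimbra/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2022:09:14:05 +0000] "POST /service/soap/SearchRequest HTTP/1.1" 200 8804 "https://mail.example.com/zimbra/" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2022:09:20:41 +0000] "POST /service/soap/SearchRequest HTTP/1.1" 200 91022 "https://attacker.invalid/landing" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2022:09:20:44 +0000] "GET /service/home/~/?fmt=zip HTTP/1.1" 200 204800 "https://attacker.invalid/landing" "Mozilla/5.0"
"""


def parse(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(lines, own_hosts):
    """Return parsed entries whose Referer names a host other than the Zimbra server.

    A webmail session normally refers only to itself, so mailbox and SOAP API
    requests arriving with an off-site Referer are worth a closer look.
    """
    flagged = []
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue
        referer = entry["referer"]
        if referer in ("", "-"):
            continue
        host = urlsplit(referer).hostname
        if host and host.lower() not in own_hosts:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_LOG.splitlines(), {"mail.example.com"}):
        print(e["ts"], e["ip"], e["path"], "<-", e["referer"])
```

Run it against the real files with `find_suspicious(open(path), {"your.zimbra.host"})`; entries it returns are leads for review, not confirmations of compromise.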

Resources
If you have any questions, please reach out to the Risk + Response Team at services@corvusinsurance.com!