The Cybersecurity and Infrastructure Security Agency (CISA) has published a new advisory warning of threat actors actively exploiting five different vulnerabilities in the Zimbra Collaboration Suite (ZCS).
The document was compiled in collaboration with the Multi-State Information Sharing & Analysis Center (MS-ISAC) and explains how threat actors may be targeting unpatched ZCS instances in both government and private sector networks.
The first of the discovered vulnerabilities (tracked CVE-2022-27924) is a high-severity vulnerability enabling an unauthenticated threat actor to inject arbitrary memcache commands into a ZCS instance and cause an overwrite of arbitrary cached entries.
“The actor can then steal ZCS email account credentials in cleartext form without any user interaction,” the advisory read.
The second and third vulnerabilities mentioned in the document are chained (CVE-2022-27925 and CVE-2022-37042, respectively), with the former enabling an authenticated user to upload arbitrary files to the system, and the latter being an authentication bypass vulnerability.
The remaining Zimbra vulnerabilities mentioned in the CISA report are CVE-2022-30333, a high-severity directory traversal vulnerability in RARLAB UnRAR on Linux and UNIX, and CVE-2022-24682, a medium-severity vulnerability that impacts ZCS webmail clients.
All these vulnerabilities were disclosed to Zimbra and were patched by the company between May and late July. Despite this, CISA recommended administrators, especially those at firms that did not immediately update their ZCS instances upon patch release, hunt for malicious activity using third-party detection signatures mentioned in the advisory.
Further, the document recommended organizations apply a number of best practices to reduce the risk of compromise, including maintaining and testing an incident response plan, ensuring organizations have a vulnerability management program, are properly configuring and securing internet-facing network devices and adopting zero-trust principles and architecture.
CISA and the MS-ISAC said they will update the advisory to include additional indicators of compromise (IOCs) and signatures as further information becomes available.
The advisory detailing the Zimbra vulnerabilities comes weeks after CISA announced it will open a new office in London, UK.