Zimbra authentication bypass bug exploited, breaching over 1000 servers
An authentication bypass vulnerability in Zimbra Collaboration Suite (ZCS) is being actively exploited to compromise ZCS email servers worldwide, Bleeping Computer reports.
Zimbra is an email and collaboration platform used by more than 200,000 businesses in over 140 countries, including more than 1,000 government and financial organizations.
According to threat intelligence firm Volexity, attackers have been chaining an authentication bypass bug with CVE-2022-27925, a ZCS remote code execution flaw that normally requires authentication, since at least the end of June.
The company's Threat Research team said it believes the vulnerability was exploited in a manner consistent with what it observed with the Microsoft Exchange zero-day vulnerabilities it discovered in early 2021.
It added that the flaw was initially exploited by espionage-oriented attackers, but was later picked up by other groups and used in mass-exploitation attempts.
Successful exploitation lets the attackers deploy web shells in specific locations on the compromised servers to maintain persistent access.
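The article does not list the locations the web shells were written to, but a first-pass hunt on a ZCS host is to look for JSP files under the Jetty webapps tree that were modified after the date the attacks began. The script below is an added example, not code from the article, Zimbra or Volexity. It assumes the stock ZCS webapps directory /opt/zimbra/jetty/webapps and uses only POSIX find and touch; the demo tree it builds is constructed sample data, not files from a real server.

```shell
#!/bin/sh
# Added example (not from the article, Zimbra or Volexity): list .jsp files under a
# ZCS webapps tree modified after a cutoff date, as a quick hunt for dropped web shells.
# /opt/zimbra/jetty/webapps is the stock ZCS location (an assumption about the target
# host); the demo below uses a constructed temporary tree instead.

# Usage: find_recent_jsp <dir> <cutoff as CCYYMMDDhhmm>
# Prints the sorted paths of .jsp files whose mtime is newer than the cutoff.
find_recent_jsp() {
    dir=$1
    cutoff=$2
    ref=$(mktemp)
    # POSIX touch -t sets the reference file's mtime to the cutoff so that
    # find -newer works without the GNU-only -newermt option.
    touch -t "$cutoff" "$ref"
    find "$dir" -type f -name '*.jsp' -newer "$ref" | sort
    rm -f "$ref"
}

# Constructed demo tree standing in for /opt/zimbra/jetty/webapps:
# one long-standing JSP with an old mtime and one freshly written JSP.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/zimbra/public" "$root/zimbraAdmin"
    printf '<%%@ page contentType="text/html" %%>\n' > "$root/zimbra/public/legit.jsp"
    touch -t 202201010000 "$root/zimbra/public/legit.jsp"      # constructed: January 2022
    printf '<%%@ page import="java.io.*" %%>\n' > "$root/zimbraAdmin/dropped.jsp"  # constructed: now
    echo "$root"
}

# Stand-alone run against the demo tree with a cutoff of 1 June 2022:
# root=$(demo_tree); find_recent_jsp "$root" 202206010000; rm -rf "$root"
```

On a real host the same call is `find_recent_jsp /opt/zimbra/jetty/webapps 202206010000`. A modification-time check is only a starting point: an attacker can timestomp a dropped file, so anything it finds (and anything it misses) should be compared against the file list and checksums of a clean install of the same ZCS build before concluding the server is clean.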
While Zimbra did not disclose in its advisory that these flaws are under active exploitation, an employee warned customers on the company's forum to apply the patches immediately because the flaws are indeed being abused in attacks.