The Cybersecurity and Infrastructure Security Agency issued a cybersecurity advisory warning about active exploitations of vulnerabilities found in systems using unpatched Zimbra Collaboration Suite.
Government agencies and the private sector could be affected by the exploitation of five vulnerabilities in cloud software platform Zimbra Collaboration Suite if users have not patched their systems, warned the Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing & Analysis Center in a Cybersecurity Advisory issued on Tuesday.
CISA and MS-ISAC encouraged users to follow their recommendations to prevent any cyberattacks and urged those who did not immediately update their system with the patch or “whose ZCS instances were exposed to the internet” to look for suspicious activity.
CISA and MS-ISAC stated that the common vulnerabilities and exposures include: CVE-2022-24682, CVE-2022-27924, CVE-2022-27925 chained with CVE-2022-37042 as well as CVE-2022-30333.
Specifically, CVE-2022-27924 and CVE-2022-27925 are high-severity vulnerabilities, according to the advisory, that allow bad actors to steal email credentials and impact Zimbra’s 8.8.15 and 9.0 releases, respectively. Meanwhile, CVE-2022-37042 is an authentication bypass vulnerability also affecting the 8.8.15 and 9.0 releases that could allow unauthenticated access to ZCS systems. According to the advisory, CVE-2022-30333 is a high-severity vulnerability that could allow bad actors to “write to files during an extract (unpack) operation.” Lastly, CVE-2022-24682 is a medium-severity vulnerability that allows bad actors to steal session cookie files; it is affecting Zimbra’s webmail clients.
In addition to utilizing patches and examining for malicious activity, CISA and MS-ISAC recommend that organizations update the latest version of ZCS as noted on Zimbra’s website. Additionally, CISA and MS-ISAC also recommend utilizing general best practices, such as: maintaining and testing incident response plans and adopting zero trust architecture.
If a system was compromised, CISA and MS-ISAC suggest collecting and reviewing artifacts, which includes running services and unusual authentications, as well as quarantining, reimagine compromised hosts, providing new account credentials and reporting any compromises to CISA.
Synacor, whose products include the Zimbra Collaboration Suite, was reached for comment, but did not respond in time of publication.