Hackers exploit Zimbra vulnerability, comprise nearly 900 servers

October 18, 2022

A security vulnerability in the Zimbra Collaboration Suite (ZCS) vulnerability tracked as CVE-2022-41352, has been exploited by hackers to hack into nearly 900 servers.

A proof-of-concept (PoC) has been added to the Metasploit framework, allowing unprofessional attackers to exploit the vulnerability.

The Zimbra vulnerability is a remote code execution flaw that allows an attacker to send an email with a malicious archive attachment that places a web shell in the Zimbra Collaboration Suite server, bypassing antivirus.

Kaspersky researchers identified at least 876 servers that had been compromised by attackers exploiting the vulnerability before it was publicized. After it was reported, various threat groups attempted to exploit the flaw.

Although Zimbra had released a security fix with ZCS version 9.0.0 P27, attackers continue to launch opportunistic attacks to exploit the vulnerability.

According to Kaspersky, the first attacks that exploited vulnerable Zimbra servers began in September in India and Turkey. Researchers believe that the first wave of attacks was likely a test wave against low-interest targets to test their effectiveness.

The attackers comprised 44 servers during the first wave, and for the second wave, after the bug became public, the threat actors switched gears and began mass attacks, resulting in 832 servers being compromised with malicious webshells.

The sources for this piece include an article in BleepingComputer.

Top Stories

Related Articles

June 9, 2026 Hackers exploited Meta’s AI-powered support chatbot to gain control of Instagram accounts, including several high-profile profiles. Meta more...

June 5, 2026 Security researchers have disclosed a new denial-of-service attack called HTTP/2 Bomb that can overwhelm major web servers more...

May 20, 2026 The Cybersecurity and Infrastructure Security Agency, the arm of the U.S. government tasked with protecting critical infrastructure more...

May 11, 2026 Instructure has restored access to its Canvas learning platform after a cyberattack disrupted service for universities and more...

Jim Love

Jim is an author and podcast host with over 40 years in technology.

Share:
Facebook
Twitter
LinkedIn