October 18, 2022

A security vulnerability in the Zimbra Collaboration Suite (ZCS) vulnerability tracked as CVE-2022-41352, has been exploited by hackers to hack into nearly 900 servers.

A proof-of-concept (PoC) has been added to the Metasploit framework, allowing unprofessional attackers to exploit the vulnerability.

The Zimbra vulnerability is a remote code execution flaw that allows an attacker to send an email with a malicious archive attachment that places a web shell in the Zimbra Collaboration Suite server, bypassing antivirus.

Kaspersky researchers identified at least 876 servers that had been compromised by attackers exploiting the vulnerability before it was publicized. After it was reported, various threat groups attempted to exploit the flaw.

Although Zimbra had released a security fix with ZCS version 9.0.0 P27, attackers continue to launch opportunistic attacks to exploit the vulnerability.

According to Kaspersky, the first attacks that exploited vulnerable Zimbra servers began in September in India and Turkey. Researchers believe that the first wave of attacks was likely a test wave against low-interest targets to test their effectiveness.

The attackers comprised 44 servers during the first wave, and for the second wave, after the bug became public, the threat actors switched gears and began mass attacks, resulting in 832 servers being compromised with malicious webshells.

The sources for this piece include an article in BleepingComputer.