Active exploitation of Zimbra Collaborative Suite (ZCS)

Multiple Vulnerabilities Being Exploited By Threat Actors

Over the past few weeks, Cyble Research Labs has observed active exploitation of the Zimbra Collaborative Suite. Threat Actors have been targeting unpatched Zimbra Collaborative Suite (ZCS) instances deployed within state and private organizations.

The recent vulnerabilities impacting ZCS are:

– CVE-2022-27924
– CVE-2022-27925 chained with CVE-2022-37042
– CVE-2022-30333
– CVE-2022-24682

Researchers investigated internet-facing ZCS instances and found over 70,000 exposed instances, as shown in the figure below.

Figure 1- Geographical distribution of Exposed ZCS instances

Note: Not all the exposed assets are affected by these vulnerabilities. However, the scope for finding vulnerable instances is greater due to the high number of exposed assets.

Researchers narrowed their search and found that several exposed ZCS instances are deployed in organizations dealing in critical infrastructure sectors, as shown below. Organizations within the critical sector play a crucial role in the national economy, national security, public health, and safety. An attack on any of these exposed assets of the critical sector organizations can have a devastating impact.

Figure 2 – Exposed ZCS assets of organizations dealing in the critical infrastructure sector

CVE Details


The Zimbra Collaboration Suite versions 8.8.15 and 9.0 allow unauthenticated attackers to inject arbitrary Memcache commands into a targeted instance, causing an overwrite of arbitrary cached entries. Threat Actors (TA) can then steal ZCS email account credentials in cleartext form without any user interaction.

A malicious actor can use spear phishing, social engineering, and Business Email Compromise (BEC) attacks against a compromised organization using a valid email account. Additionally, attackers can also execute web shells and maintain persistence on the victim’s device.


CVE-2022-27925 is a high severity vulnerability in ZCS 8.8.15 and 9.0 that utilizes the mboximport functionality to receive a ZIP archive and extract files from it. An authenticated user can upload arbitrary files to the system, resulting in directory traversal.


CVE-2022-37042 allows an unauthenticated malicious actor to access a vulnerable ZCS instance. According to Zimbra, CVE-2022-37042 is found in the MailboxImportServlet function. When chained with CVE-2022-27925, this vulnerability allows for unauthenticated Remote Code Execution (RCE).

The vulnerability has also been added to the known exploited vulnerability catalog along with CVE-2022-27925 by CISA.


CVE-2022-30333 is a high-severity directory traversal vulnerability in RARLAB UnRAR on Linux and UNIX that allows a malicious actor to write to files while extracting (unpacking). A malicious actor can exploit CVE-2022-30333 against a ZCS server by sending an email containing a malicious RAR file.

Researchers also noticed that the CVE-2022-30333 was being sold on Russian darkweb forums in late July, as shown in Figure 3.

The Threat Actor mentions the prerequisites for exploitation and the prize for selling the exploit. Even though multiple Proof of Concepts, scripts, and a Metasploit module are publicly available for this vulnerability, it is interesting that cybercrime forums are still actively buying and selling exploits for ZCS vulnerabilities.

Figure 3 – TA selling CVE-2022-30333 on darkweb forums


CVE-2022-24682 is a medium-severity vulnerability that impacts ZCS webmail clients; the vulnerable ZCS webmail clients contain cross-site scripting (XSS) vulnerability allowing malicious actors to steal session cookie files.


The details and Proof of Concept for ZCS exploitation are present in the public domain, with a scope of over 70 thousand targets, vastly increasing the chances of a cyber incident occurring. Thus, it is recommended that the organizations using the vulnerable product update them with the recent patches released by the vendor.


  1. Keep ZCS updated with the recent patches released by the official vendor. 
  2. Limit the exposure of critical assets over the internet by implementing proper network segmentation.
  3. Restrict access to trusted users and devices on the internet.
  4. Implement Multi-Factor Authentication.
  5. Regular Vulnerability assessment and PenTesting (VAPT) exercises can help organizations uncover the security weakness within their environment.
  6. Logging and monitoring of assets is important.

Comments are closed.

Scroll to Top