Skip to Content

Zimbra Releases Fixes for Actively Exploited Flaw

Updated on 2022-10-18: APTs went after Zimbra

Kaspersky researchers said in a blog post last week that they’ve seen multiple APT groups exploiting a recently disclosed Zimbra zero-day (CVE-2022-41352), and that one of these groups has been “systematically infecting all vulnerable servers in Central Asia.” In the meantime, after leaving the vulnerability unpatched for almost a month, Zimbra has finally delivered a patch. Read more:

Zimbra zero-day

As mentioned in a section above, Zimbra has finally released a patch for a zero-day (CVE-2022-41352) that has been under active exploitation for more than a month.

Updated on 2022-10-17

Zimbra has released updates to address a critical code execution vulnerability that is being actively exploited. The vulnerability, CVE-2022-41352, affects the Amavis open source content filter component of Zimbra Collaboration Suite versions 8.8.15 and 9.0. Users are urged to update to Zimbra 9.0.0 Patch 27 and Zimbra 8.8.15 Patch 34. The flaw has a CVSS score of 9.8.


  • Note that strictly speaking, this isn’t a Zimbra flaw, but a cpio flaw. Some Linux distributions include a version of cpio that does not include an older security fix as it may interfere with other usage cases for cpio. The Zimbra patch makes sure that the alternative “pax” utility is installed, which isn’t installed by default in some Linux distributions. In addition, the update fixes a few more security vulnerabilities.
  • This vulnerability is being actively exploited and builds upon a 2015 weakness (CVE-2015-1197.) After you apply the patch, go to the Zimbra support portal and review the additional hardening guidance there to ensure you have a complete fix to the vulnerability.


Updated on 2022-10-16

Almost 900 servers have been targeted using a critical Zimbra Collaboration Suite (ZCS) vulnerability, CVE-2022-41352. According to Kaspersky, various APT groups actively exploited the flaw soon after it was reported on the Zimbra forums. Read more: Ongoing exploitation of CVE-2022-41352 (Zimbra 0-day)

Updated on 2022-10-10: Zimbra Vulnerability Remains Unpatched

A zero-day flaw in Zimbra email servers is being actively exploited to backdoor vulnerable servers. A Zimbra customer reported the attacks in early September. Zimbra has not yet released a fix for the vulnerability and has instead urged customers to make sure that the pax file archiver is installed on their systems.


  • Note that this isn’t so much a Zimbra vulnerability but a vulnerability in the cpio utility included in some Linux distributions. Using the alternative (and preferred) “pax” utility will prevent exposing cpio via Zimbra.
  • The exploit requires two conditions to be met. First, a vulnerable version of cpio must be present/pre-installed, second, the pax utility must not be installed. The flaw leverages behavior in the Zimbra AV engine which uses cpio to extract the files it’s scanning. Zimbra is moving to pax from cpio and will use pax if installed. Note the easiest fix it is to add pax to your Linux distribution and restart the Zimbra services.


Updated on September 2022: Zimbra web shells

CISA published on Tuesday three malware reports on three JSP web shells found deployed on Zimbra servers.


Updated on August 2022: Thousands of Zimbra platforms actively targeted with critical vulnerabilities

Security experts are warning that attackers are actively exploiting a vulnerability in the Zimbra digital collaboration platform, and the exploit is circulating in the wild. A range of reports indicate threat actors are using the vulnerabilities, which can provide adversaries with full remote code execution with no authentication needed. Microsoft stated that more than 30,000 instances are believed to be publicly exposed, and the U.S. Cybersecurity and Infrastructure Security Agency added CVE-2022-37042 and CVE-2022-27925 to its list of known exploited vulnerabilities. The vulnerabilities specifically affect Zimbra Collaboration Suite (ZCS) email servers and are similar to other vulnerabilities discovered in 2021 affecting Microsoft Exchange Server. CISA also warned users of another ZCS vulnerability on Aug. 4 — CVE-2022-27924, which was also being exploited in the wild. Federal agencies must patch for CVE-2022-27924 by Aug. 24.


Updated on August 2022: Zimbra Vulnerability is Being Actively Exploited

A command injection vulnerability in Zimbra Collaboration is being actively exploited to steal email account credentials with no user interaction. Researchers from SonarSource discovered the vulnerability on March 11, 2022; Zimbra released a fix on May 10. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities Catalog with a mitigation due date of August 25, 2022.


  • The patch for Zimbra was released May 10, 2022, with versions ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1. The report from SonarSource, released a month after the patches were released, has details and pointers for attackers to successfully exploit the flaws. Yup, time to patch.


Updated on July 2022: Unrar vulnerability in Zimbra:

SonarSource researchers have discovered a vulnerability in the Unrar tool, part of the Zimbra CMS, which could be exploited to take over Zimbra instances.

Updated on June 2022: Zimbra attack

SonarSource researchers have published a report on a new vulnerability in Zimbra email systems where an unauthenticated attacker can steal cleartext credentials from Zimbra servers without any user interaction. The vulnerability (CVE-2022-27924) resides in the local Zimbra Memcache instance included in the Zimbra server’s reverse proxy component and impacts the 8.8.x and 9.x versions, both of which received patches.

Updated on April 2022: IcedID Malware and Zimbra Exploits are Being Used Against Ukrainian Government Systems

Ukraine’s Computer Emergency Response Team (CERT-UA) is warning of social engineering campaigns that aim to spread IcedID malware and use Zimbra exploits to steal data. The attacks are targeting Ukrainian government agency networks.


  • This attack relies on an infected MS Excel document which requests you to enable macros and then leads to the deployment of IcedID, aka BokBot. Being mindful of macros, particularly from external or unknown senders remains prudent. Disable macros unless you absolutely know that the document is not only legitimate, but also they are needed. Question macros that are there “because we always did it that way” or don’t make sense, even from trusted sources.


Overview: Webmail of the Damned

European governments and media organisations have been targeted by (probably) a Chinese APT group using a 0day for the Zimbra open source email platform. The group first ran a reconnaissance phase using innocuous and relatively generic emails to test whether accounts existed and would open phishing emails. A second phase on promising target accounts involved a malicious email that would launch a cross-site scripting attack to steal the account’s email.

Volexity, the company that discovered the campaign, believes it is Chinese because of the organisations and individuals targeted and the lack of any apparent financial motivation combined with indications that the attackers worked in China’s time zone.

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook

    Ads Blocker Image Powered by Code Help Pro

    Your Support Matters...

    We run an independent site that is committed to delivering valuable content, but it comes with its challenges. Many of our readers use ad blockers, causing our advertising revenue to decline. Unlike some websites, we have not implemented paywalls to restrict access. Your support can make a significant difference. If you find this website useful and choose to support us, it would greatly secure our future. We appreciate your help. If you are currently using an ad blocker, please consider disabling it for our site. Thank you for your understanding and support.