Zimbra has released patches for a critical RCE vulnerability in the Zimbra Collaboration Suite (ZCS) that has already been used to compromise more than 1,600 servers.
Recall that this problem, rated 9.8 on the CVSS scale, became known in early October. The bug has been identified as CVE-2022-41352 and lies in the way Zimbra's Amavis content filter unpacks incoming email attachments for antivirus scanning: it hands them to the cpio utility, which can be tricked into writing extracted files outside the extraction directory. According to analysts at Rapid7, an attacker can exploit this vulnerability by mailing a specially crafted .cpio, .tar, or .rpm file to the affected server. Even worse, a PoC exploit for this bug has already been added to Metasploit, allowing even low-skilled attackers to carry out effective attacks on vulnerable servers.
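To make the shape of such an attachment concrete, here is a small scanner, added as an example for this article and not code from Zimbra, Rapid7 or Metasploit, that parses a cpio archive in the common SVR4 "newc" format and flags the entries a defender should worry about: absolute or `../` paths, symlinks pointing outside the extraction tree, and files written through an earlier symlink (GNU cpio follows symlinks created by the same archive, the long-standing CVE-2015-1197 behaviour that made the Amavis extraction step exploitable). The sample archive at the bottom is constructed inline so the script runs offline; the file names and the symlink target in it are placeholders, not paths taken from a real exploit.

```python
"""Flag cpio archives whose entries would escape the extraction directory.

Added example for this article (not Zimbra's, Rapid7's or Metasploit's code).
Handles the SVR4 "newc" format (magic 070701) only; a mail gateway would also
have to unpack .tar and .rpm attachments.
"""
import posixpath

NEWC_MAGIC = b"070701"
HEADER_LEN = 110            # 6-byte magic + 13 fields of 8 ASCII hex digits
S_IFMT, S_IFLNK = 0o170000, 0o120000


def _pad4(n):
    """newc pads the header+name and the file body to 4-byte boundaries."""
    return (n + 3) & ~3


def parse_newc(data):
    """Return [(name, mode, body)] for every entry before the TRAILER!!! record."""
    entries, off = [], 0
    while off + HEADER_LEN <= len(data):
        hdr = data[off:off + HEADER_LEN]
        if hdr[:6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % off)
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        # field order: ino, mode, uid, gid, nlink, mtime, filesize,
        #              devmajor, devminor, rdevmajor, rdevminor, namesize, check
        mode, filesize, namesize = f[1], f[6], f[11]
        name = data[off + HEADER_LEN:off + HEADER_LEN + namesize - 1].decode("utf-8", "replace")
        body_start = _pad4(off + HEADER_LEN + namesize)
        body = data[body_start:body_start + filesize]
        off = _pad4(body_start + filesize)
        if name == "TRAILER!!!":
            break
        entries.append((name, mode, body))
    return entries


def _escapes(path):
    """True if path is absolute or normalises to a parent of the extraction dir."""
    return path.startswith("/") or posixpath.normpath(path).split("/")[0] == ".."


def suspicious_entries(data):
    """Return [(name, reason)] for entries cpio would write outside '.'.

    cpio (CVE-2015-1197) follows symlinks that appear earlier in the same
    archive, so a relative name under a symlinked directory is flagged too.
    """
    findings, symlinks = [], set()
    for name, mode, body in parse_newc(data):
        if _escapes(name):
            findings.append((name, "path escapes extraction directory"))
        parts = posixpath.normpath(name).split("/")
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in symlinks:
                findings.append((name, "written through symlink %r" % prefix))
                break
        if (mode & S_IFMT) == S_IFLNK:
            target = body.decode("utf-8", "replace")   # symlink target is the body
            if _escapes(target):
                findings.append((name, "symlink to %r outside tree" % target))
            symlinks.add(posixpath.normpath(name))
    return findings


def build_newc(entries):
    """Minimal newc writer used only to construct the sample below."""
    out = bytearray()
    for ino, (name, mode, body) in enumerate(entries + [("TRAILER!!!", 0, b"")], 1):
        nm = name.encode() + b"\0"
        f = [ino, mode, 0, 0, 1, 0, len(body), 0, 0, 0, 0, len(nm), 0]
        rec = NEWC_MAGIC + "".join("%08x" % v for v in f).encode() + nm
        rec += b"\0" * (_pad4(len(rec)) - len(rec)) + body
        rec += b"\0" * (_pad4(len(body)) - len(body))
        out += rec
    return bytes(out)


# Constructed sample: one benign file plus the shapes a scanner must catch.
# Names and the symlink target are placeholders, not real exploit paths.
SAMPLE = build_newc([
    ("README.txt", 0o100644, b"hello\n"),
    ("/etc/cron.d/job", 0o100644, b"* * * * * root id\n"),
    ("../../outside.txt", 0o100644, b"x"),
    ("webroot", 0o120777, b"/srv/webroot"),              # symlink leaving the tree
    ("webroot/dropped.jsp", 0o100644, b"not a real payload"),  # written through it
])

if __name__ == "__main__":
    for name, reason in suspicious_entries(SAMPLE):
        print("%-22s %s" % (name, reason))
```

Run against a quarantined attachment, the scanner reports four findings for the sample above (the absolute path, the `../` path, the symlink and the file written through it) and nothing for the benign README. The symlink-following check is the one that matters for this CVE: neither the symlink nor the file behind it contains `..` or a leading slash, so a scanner that only normalises paths would miss it. The same logic applies to pax, which refuses to follow such links by default, which is why swapping cpio for pax was an effective stopgap.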
We recently wrote that researchers were warning that about 900 vulnerable servers had already been hacked through this critical RCE vulnerability in the Zimbra Collaboration Suite (ZCS).
The attackers did not stop there: according to Volexity, they have since used CVE-2022-41352 to compromise more than 1,600 ZCS servers and install web shells on them.
Where the developers had previously offered only a temporary workaround, advising administrators to install the pax utility so that Amavis would use it instead of cpio, the creators of the Zimbra Collaboration Suite have now released proper patches. Note that patching does not remove anything an attacker already dropped: servers that ran with cpio while exploitation was under way should also be checked for web shells.
Fixes are already available in Zimbra 9.0.0 Patch 27 and Zimbra 8.8.15 Patch 34.
In addition, the recent patches fix several XSS bugs that could lead to information disclosure, as well as CVE-2022-37393 (CVSS 7.8), a local privilege escalation: Zimbra's sudo configuration allowed the zimbra user to run the zmslapd binary as root with arbitrary parameters.