Hackers Exploiting High-Severity Zimbra Flaw to Steal Email Account Credentials

Zimbra CVE-2022-27824 has been added to the CISA’s “Known Exploited Vulnerabilities” catalog as a new vulnerability. Hackers are actively exploiting it in attack activities, which indicates it is active in the hacking community.

Unauthenticated threat actors are able to steal email account credentials in clear-text by exploiting this high-severity vulnerability. Using Zimbra Collaboration, a threat actor steals credentials without asking the user for their permission.

Impact

During legitimate authentication attempts, a hacker can make use of CRLF injection to poison Memcache and deceive the software into relaying all IMAP traffic to the threat actor instead of forwarding it to the legitimate authentication attempt.

It was discovered by SonarSource researchers on March 11, 2022, that the flaw had been exploited. An update that addressed these issues was released by the software vendor on May 10, 2022. In the following list, we have mentioned the fixed versions as follows:-

• ZCS 9.0.0 Patch 24.1
• ZCS 8.8.15 Patch 31.1

Based on CISA’s latest catalog addition, it has become evident that not all administrators have updated their security software with the latest updates. It has been nearly three months since all these updates became available to the public.

Exploit Capabilities

It is now possible for hackers to identify and attack vulnerable instances; all credit goes to the opportunity provided by this. As a result of stealing the credentials from a Zimbra account, they are able to do the following things:-

• Access the email server
• Making spear-phishing easier by removing the barriers to entry
• Social engineering
• BEC (Business Email Compromise) attacks

Zimbra Collaboration is used by a variety of organizations, including the following:- 

• The number of businesses in the network exceeds 200,000.
• The number of state entities exceeds 1,000.
• In 140 countries, they support critical organizations.

In spite of all the recommendations made by CISA, all Federal agencies in the U.S. need to apply the security updates available to them as soon as possible until August 25, 2022, since it’s the final deadline.

Moreover, apart from the Federal agencies, CISA has also recommended all non-federal agencies and organizations to immediately apply the security updates to avoid any exploitation.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates.