|Category: Vulnerability Intelligence||Vulnerability Class: Remote Code Execution||CVE ID: CVE-2022-37042||CVSS:3.0 Score: 9.8|
- On 10 May 2022, Zimbra disclosed CVE-2022-27925 as an authenticated directory traversal vulnerability.
- This vulnerability affects the Zimbra Collaboration Suite (ZCS) releases 8.8.15 and 9.0, which use mboximport functionality to receive ZIP archives and extract files from them.
- However, on 10 August 2022, Volexity, a cyber forensics and incident response firm, released a report stating that this vulnerability was used to exploit ZCS email servers of multiple organizations without having authenticated access to the ZCS instances.
- The authentication bypass, directory traversal and RCE vulnerability was assigned CVE-2022-37042 with a CVSS v3 score of 9.8.
- CVE-2022-37042 exists because the patch for CVE-2022-27925 was incomplete.
- Further investigation by Volexity verified that it was possible to bypass authentication when accessing the mboximport endpoint.
- Based on internet-wide scans conducted by Volexity, more than 1,000 ZCS servers have been compromised and backdoored.
- The doPost function, which is called to check for user authentication when the URL is accessed, was flawed.
- The flaw was the absence of a return statement after the authentication check: on failure, an error message was set but execution continued.
- As a result, the remaining code ran even when the user was not authenticated, allowing the malicious zip file to be uploaded to the server.
- The Shodan query for ZCS instances shows a total of 72,404 active instances worldwide.
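The missing-return flaw described above, modelled as an added Python example (not Zimbra's own code, and `DEST` is an assumed destination directory): the vulnerable handler sets the error but falls through and still processes the archive, while the fixed handler returns on failure and also rejects zip entries that resolve outside `DEST`.

```python
import io
import posixpath
import zipfile

DEST = "/srv/mboximport"  # assumed extraction root, not a real Zimbra path


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry, one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("inbox/mail.eml", "benign message")
        zf.writestr("../../escaped.txt", "lands outside DEST")
    return buf.getvalue()


def resolve_entries(zip_bytes: bytes, reject_traversal: bool) -> list:
    """Return the on-disk target path of each entry (nothing is written).

    With reject_traversal=True, entries whose normalized path is not under
    DEST (via '..' segments or absolute names) are dropped.
    """
    targets = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = posixpath.normpath(posixpath.join(DEST, name))
            if reject_traversal and not target.startswith(DEST + "/"):
                continue  # would escape DEST: skip this entry
            targets.append(target)
    return targets


def vulnerable_do_post(authenticated: bool, zip_bytes: bytes) -> dict:
    """Error is recorded on auth failure, but processing continues."""
    response = {"status": 200, "extracted": []}
    if not authenticated:
        response["status"] = 401
        response["error"] = "must authenticate"
        # BUG: no return here, so the archive below is still handled
    response["extracted"] = resolve_entries(zip_bytes, reject_traversal=False)
    return response


def fixed_do_post(authenticated: bool, zip_bytes: bytes) -> dict:
    """Returns immediately on auth failure and refuses traversal entries."""
    response = {"status": 200, "extracted": []}
    if not authenticated:
        response["status"] = 401
        response["error"] = "must authenticate"
        return response  # FIX: stop processing for unauthenticated callers
    response["extracted"] = resolve_entries(zip_bytes, reject_traversal=True)
    return response
```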
- Traffic Light Protocol - Wikipedia
- CISA - Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
- Volexity - Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925