Zimbra Collaboration Suite (ZCS) has issued an urgent advisory, urging administrators to apply a manual patch for a zero-day vulnerability. This vulnerability is actively exploited by attackers to target and compromise ZCS email servers.
Critical Zero-Day Vulnerability in Zimbra
The flaw, which has not yet been assigned a CVE identifier, is a reflected Cross-Site Scripting (XSS) vulnerability. It was responsibly discovered and reported by Clément Lecigne, a security researcher with Google's Threat Analysis Group (TAG). In reflected XSS attacks, malicious actors exploit the vulnerability to steal sensitive user information or execute malicious code on vulnerable systems.
Zimbra has not yet released a patched version that addresses the actively exploited zero-day vulnerability. However, administrators can apply the fix below by hand to eliminate the attack vector.
To mitigate the vulnerability on all mailbox nodes, administrators need to follow these steps:
- Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto.
- Edit the file and navigate to line number 40.
- Update the parameter value to [value].
- Before the change, the line read [previous value].
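A helper for carrying out those steps on each mailbox node, as an added example that is not Zimbra's own tooling: it backs up the file, refuses to touch line 40 unless that line matches the expected pre-patch text (so a different ZCS build is not blindly edited), and replaces the line atomically. The file path and line number come from the advisory; `[previous value]` and `[value]` are placeholders to be filled in from Zimbra's advisory text.

```python
#!/usr/bin/env python3
"""Apply a one-line manual patch safely: back up, verify, replace, re-verify.
Run as the zimbra user so file ownership is preserved."""
import shutil
import time
from pathlib import Path

ZIMBRA_FILE = Path("/opt/zimbra/jetty/webapps/zimbra/m/momoveto")  # from the advisory
LINE_NO = 40  # from the advisory


def backup(path: Path) -> Path:
    """Step 1: copy the file next to itself with a timestamp suffix."""
    dest = path.with_name(f"{path.name}.bak.{time.strftime('%Y%m%d%H%M%S')}")
    shutil.copy2(path, dest)
    return dest


def patch_line(path: Path, line_no: int, expected: str, replacement: str) -> str:
    """Steps 2-3: replace 1-based line `line_no` only if it equals `expected`.
    Returns 'patched' or 'already-patched'; raises ValueError if the line is
    anything else, so an unexpected file is never modified."""
    lines = path.read_text(encoding="utf-8").splitlines(keepends=True)
    if line_no > len(lines):
        raise ValueError(f"{path}: only {len(lines)} lines, no line {line_no}")
    current = lines[line_no - 1].rstrip("\r\n")
    if current == replacement:
        return "already-patched"
    if current != expected:
        raise ValueError(f"{path}:{line_no} is {current!r}, expected {expected!r}")
    backup(path)
    eol = lines[line_no - 1][len(current):]  # keep the original line ending
    lines[line_no - 1] = replacement + eol
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text("".join(lines), encoding="utf-8")
    shutil.copymode(path, tmp)  # keep the original permission bits
    tmp.replace(path)  # atomic rename: a crash mid-write leaves the original intact
    return "patched"


if __name__ == "__main__":
    # Placeholders: substitute the exact lines given in the Zimbra advisory.
    PREVIOUS = "[previous value]"
    PATCHED = "[value]"
    print(patch_line(ZIMBRA_FILE, LINE_NO, PREVIOUS, PATCHED))
```

Running it a second time reports `already-patched`, which makes it safe to re-run across a fleet of mailbox nodes.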
Considering the history of Zimbra vulnerabilities being exploited to compromise email servers globally, administrators should give high priority to mitigating this zero-day vulnerability.
For instance, in June 2022, over 1,000 servers were compromised by exploiting Zimbra’s authentication bypass and remote code execution vulnerabilities.
Furthermore, since February 2023, the Winter Vivern Russian hacking group has been targeting the webmail portals of NATO-aligned governments with exploits for a different reflected XSS bug. They have breached the email mailboxes of officials, government staff, military personnel, and diplomats.