Zimbra Patches Zero-Day Vulnerability Exploited in XSS Attacks

Cyber Security Threat Summary:
Zimbra recently addressed a zero-day vulnerability that was exploited in attacks targeting Zimbra Collaboration Suite email servers. Tracked as CVE-2023-38750, the flaw is a reflected cross-site scripting (XSS) issue affecting Zimbra Collaboration Suite version 8.8.15, which could enable threat actors to steal sensitive information or execute arbitrary code on vulnerable systems. The flaw was uncovered by security researcher Clément Lecigne of Google Threat Analysis Group and was initially disclosed to the public two weeks ago.

“While Zimbra did not indicate that the zero-day was also being exploited in the wild when it first disclosed the vulnerability and urged users to fix it manually, Google TAG's Maddie Stone revealed that the vulnerability was discovered while being exploited in a targeted attack…On Wednesday, two weeks after the initial advisory was published, the company released ZCS 10.0.2, a version that also fixes the CVE-2023-38750 bug, which ‘could lead to exposure of internal JSP and XML files’” (Bleeping Computer, 2023).

Security Officer Comments:
Although not many details were disclosed regarding the active exploitation of CVE-2023-38750, similar flaws in Zimbra have been exploited in the past to target government agencies. In particular, the Russian hacking group Winter Vivern has exploited another Zimbra XSS bug since February 2023 to breach NATO-aligned governments’ webmail portals, effectively allowing the actors to steal the emails of government officials, military personnel, and diplomats.

Suggested Correction(s):
In light of the exploitation attempts, CISA is urging federal agencies to patch vulnerable ZCS email servers on their networks by August 17 to prevent potential attacks.

Link(s):
https://www.bleepingcomputer.com/