Zimbra fixed actively exploited zero-day CVE-2023-38750 in ZCS

Zimbra addressed a zero-day vulnerability exploited in attacks aimed at Zimbra Collaboration Suite (ZCS) email servers.

Two weeks ago Zimbra urged customers to manually install updates to fix a zero-day vulnerability, now tracked as CVE-2023-38750, that is actively exploited in attacks against Zimbra Collaboration Suite (ZCS) email servers.

Zimbra Collaboration Suite is a comprehensive open-source messaging and collaboration platform that provides email, calendaring, file sharing, and other collaboration tools. It was developed by Zimbra, Inc

The vulnerability is reflected Cross-Site Scripting (XSS) that was discovered by Clément Lecigne of Google Threat Analysis Group (TAG). Google TAG researchers focus on identifying and countering advanced and persistent threats. The primary task of the Google TAG is to investigate and mitigate targeted and sophisticated cyber threats, including state-sponsored hacking and hacking groups involved in coordinated attacks.

Almost any vulnerability reported by Google TAG in the past was part of exploits used by APT groups in targeted attacks. The popular security researcher Maddie Stone from Google TAG confirmed that this issue was used by an APT group too.

Zimbra this week released version ZCS 10.0.2 which also addressed the vulnerability.

“The release includes security fixes for a bug that could lead to exposure of internal JSP and XML files has been fixed” reads the advisory.

CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog and ordered federal agencies to fix this flaw by August 17, 2023.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” reads the CISA’s announcement. 

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

Follow me on Twitter: @securityaffairs Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Zimbra)