Researchers anticipate third wave of attacks exploiting Zimbra vulnerability

The Kaspersky logo is seen on November 21, 2019 in Venice, Italy. (Photo by Tristan Fewings/Getty Images for Kaspersky)

Kaspersky researchers said they expect a third wave of attacks on unpatched servers now that a proof-of-concept exploit for a recently disclosed vulnerability allowing remote code execution in Zimbra has been added to the Metasploit project.

Zimbra, a software suite of enterprise collaboration tools, released a patch for the vulnerability in May, two months after it was first reported by SonarSource researchers.

But according to Kaspersky, two successive waves of attacks occurred in September: the first targeted government servers in Asia, and a larger second wave on September 30 hit “all vulnerable services located in specific countries of Central Asia”.

“On October 7, 2022, a proof of concept for this vulnerability was added to the Metasploit framework, laying the groundwork for massive, global exploitation by even unsophisticated attackers,” Kaspersky researchers said on their blog, SecureList.

Metasploit provides information on vulnerabilities and facilitates penetration testing.

Zimbra acknowledged that the vulnerability, tracked as CVE-2022-41352, stems from its antivirus engine using the cpio utility to scan incoming emails. cpio has a known flaw, CVE-2015-1197, that lets an attacker craft an archive capable of accessing any file in the Zimbra installation.

Kaspersky recommended that security teams apply the patch released by Zimbra. Teams that cannot install the patch should instead install pax on the machine hosting the Zimbra installation, which prevents the vulnerability from being exploitable.
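The article names two defensive options, patching or installing pax so that archive scanning no longer falls back to cpio. The following script is an added example, not code from the article, Kaspersky or Zimbra; it reports whether the pax workaround is in place on a host by looking for a `pax` executable in a colon-separated directory list (defaulting to the current `PATH`). The function names and output strings are this example's own.

```shell
#!/bin/sh
# Added example (not from the article, Kaspersky or Zimbra): report whether the
# "install pax" workaround for CVE-2022-41352 is in place on this host.
# The article states that Zimbra's antivirus engine uses cpio to scan incoming
# mail and that installing pax prevents the flaw from being exploitable.

# has_tool NAME [DIRS]
#   Returns 0 if an executable file NAME exists in one of the colon-separated
#   DIRS (default: $PATH), 1 otherwise. Directories named NAME are ignored.
has_tool() {
    name="$1"
    dirs="${2:-$PATH}"
    old_ifs="$IFS"
    IFS=':'
    set -- $dirs          # split DIRS into positional parameters on ':'
    IFS="$old_ifs"
    for d in "$@"; do
        [ -n "$d" ] || continue
        if [ -x "$d/$name" ] && [ ! -d "$d/$name" ]; then
            return 0
        fi
    done
    return 1
}

# mitigation_status [DIRS]
#   Prints a one-line assessment and returns 0 only when pax is available,
#   i.e. when the workaround the article describes is in place.
mitigation_status() {
    dirs="${1:-$PATH}"
    if has_tool pax "$dirs"; then
        echo "pax present: archive scanning will not fall back to cpio"
        return 0
    fi
    if has_tool cpio "$dirs"; then
        echo "pax missing, cpio present: an unpatched Zimbra server remains exploitable (CVE-2022-41352)"
    else
        echo "pax missing: install pax or apply the Zimbra patch"
    fi
    return 1
}

# Usage: sh zimbra_pax_check.sh --report   (checks the current $PATH)
if [ "${1:-}" = "--report" ]; then
    mitigation_status
fi
```

The check is a proxy: it assumes the directory list you pass matches the search path used by the account under which Zimbra's scanning runs. A green result from a root shell whose `PATH` differs from that account's does not prove the workaround is effective, and neither result replaces applying the vendor patch.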

The Cybersecurity and Infrastructure Security Agency (CISA) added the Zimbra RCE to its Known Exploited Vulnerabilities catalog in August, and all US federal agencies have been mandated to remediate it. The software suite is used by more than 200,000 companies, including in the United States, according to the vendor.
