Zimbra patches zero-day vulnerability exploited in XSS attacks

Two weeks after the initial disclosure, Zimbra has released security updates that patch a zero-day vulnerability exploited in attacks targeting Zimbra Collaboration Suite (ZCS) email servers.

Now tracked as CVE-2023-38750, the security flaw is a reflected Cross-Site Scripting (XSS) discovered by security researcher Clément Lecigne of Google Threat Analysis Group.

XSS attacks pose a significant threat, allowing threat actors to steal sensitive information or execute malicious code on vulnerable systems.

While Zimbra did not indicate that the zero-day was also being exploited in the wild when it first disclosed the vulnerability and urged users to fix it manually, Google TAG's Maddie Stone revealed that the vulnerability was discovered while being exploited in a targeted attack.

"To maintain the highest level of security, we kindly request your cooperation to apply the fix manually on all of your mailbox nodes," Zimbra said at the time, asking admins to mitigate the security bug manually.

On Wednesday, two weeks after the initial advisory was published, the company released ZCS 10.0.2, a version that also fixes the CVE-2023-38750 bug, which "could lead to exposure of internal JSP and XML files."

Another reflected Zimbra XSS bug was exploited since at least February 2023 by the Winter Vivern Russian hacking group to breach NATO-aligned governments' webmail portals and steal the emails of government officials, military personnel, and diplomats.

Federal agencies asked to patch within three weeks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned U.S. federal agencies today to secure their systems against CVE-2023-38750 attacks.

The agency added this vulnerability to its Known Exploited Vulnerabilities catalog, which mandates Federal Civilian Executive Branch Agencies (FCEB) to patch vulnerable ZCS email servers on their networks according to the binding operational directive (BOD 22-01) issued in November 2021.

CISA has also set a deadline of three weeks for compliance, ordering them to mitigate the flaw on all unpatched devices by August 17th.

Although the catalog primarily focuses on U.S. federal agencies, private companies are also strongly advised to prioritize and implement patches for all vulnerabilities listed in CISA's catalog of exploited bugs.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned today.

This Tuesday, CISA also ordered U.S. federal agencies to address an auth bypass bug in Ivanti's Endpoint Manager Mobile (EPMM), formerly MobileIron Core, which was abused as a zero-day to hack a software platform used by 12 Norwegian ministries.