A vulnerability in the Zimbra Collaboration Suite (ZCS) is now being leveraged to give threat actors access to servers. The flaw, tracked as CVE-2022-41352, is a remote code execution vulnerability: an attacker sends an email carrying a malicious archive attachment, and processing that attachment plants a web shell on the ZCS server. The news was initially broken by Kaspersky, which confirmed that nearly 900 servers have been compromised. When initially discovered, the flaw was labeled a zero-day and remained unpatched for almost two months. A patch was released shortly after a PoC was added to the Metasploit framework. Zimbra released ZCS 9.0.0 P27, which is believed to have fixed or replaced all the components that made the exploit possible. Kaspersky believes an unknown APT group is running targeted campaigns that take advantage of unpatched systems.
Any systems still running older versions of ZCS should have the updates or workarounds applied as soon as possible. While targeted campaigns are being carried out, unpatched systems are obvious targets.