A critical zero-day vulnerability, known as CVE-2023-37580, has raised significant concerns regarding the Zimbra Collaboration email software. This flaw in the Zimbra Classic Web Client has been exploited by multiple hacker groups, resulting in the compromise of government emails and subsequent real-world attacks.

Overview of CVE-2023-37580:
CVE-2023-37580 is a reflected cross-site scripting (XSS) vulnerability with a severity score of 6.1 (CVSS). It affects Zimbra Collaboration Suite versions prior to 8.8.15 Patch 41. By successfully exploiting this vulnerability, attackers can execute malicious scripts on victims’ web browsers. They achieve this by initiating an XSS request to Zimbra and reflecting the attack back to the user.

Timeline of Exploitation:
The exploitation of CVE-2023-37580 was initially detected by Google’s Threat Analysis Group (TAG) in June 2023, well before Zimbra released an official advisory. The sequence of exploits unfolded as follows:

Importance of Timely Patching:

The significance of promptly applying patches to mail servers is underscored by the discovery of at least four distinct campaigns exploiting CVE-2023-37580. This is especially crucial for organizations that handle sensitive data. It is worth noting that three of these campaigns occurred even after the vulnerability fix was publicly disclosed on GitHub, highlighting the urgent need for quick mitigation measures.

CISA Inclusion in Known Exploited Vulnerabilities Catalog:

The seriousness of the situation is further emphasized by the inclusion of CVE-2023-37580 in the CISA Known Exploited Vulnerabilities Catalog. Users are strongly urged to apply the patch before August 17, as attackers continue to exploit this vulnerability in the wild.

Mitigation and Detection:

Zimbra has addressed the vulnerability in version 8.8.15 Patch 41. Organizations are advised to promptly install the fixes and regularly update their software for comprehensive protection. Security professionals can utilize detection rules, such as those provided by SOC Prime and Qualys, to identify and thwart exploitation attempts.

Conclusion:

The exploitation of CVE-2023-37580 in Zimbra Collaboration email software serves as a stark reminder of the evolving threat landscape. Organizations must remain vigilant, apply patches promptly, and employ robust cybersecurity measures to safeguard against such zero-day vulnerabilities. As the cybersecurity community continues to grapple with emerging threats, collaboration and proactive defense strategies become imperative to stay one step ahead of malicious actors.

Reference:

https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P41