The Zimbra bug that infected the mail server when it scanned the attachment
In 2022, Zimbra Collaboration Suite got hammered by a cluster of bugs. One didn't even need the victim to click: send a booby-trapped RAR, and the server unpacked it to scan for malware, infecting itself. On-premise email is the keys to the kingdom, and 2022 proved it.
One of the Zimbra bugs from 2022 has a detail worth leading with, because it inverts how email attacks usually work. You don’t phish anyone. You don’t get a user to open anything. You send the Zimbra mail server an email with a malicious RAR attachment, and the server, doing its job, automatically unpacks the archive to scan it for spam and malware. The unpacking uses a vulnerable copy of UnRAR (CVE-2022-30333), a directory-traversal flaw that lets the archive write files outside the extraction directory. The mail server infects itself in the act of inspecting the attack. That was one of four bugs that made Zimbra Collaboration Suite one of the most-exploited platforms of 2022, and the cluster is a clean lesson in why on-premise email is a top-tier target.
The cluster
CISA’s advisory AA22-228A documented threat actors, including multiple APTs, exploiting several ZCS bugs:
- CVE-2022-27925 + CVE-2022-37042 (unauthenticated RCE). CVE-2022-27925 is a directory traversal in the mboximport feature: an authenticated user uploads a ZIP archive whose entries escape the intended directory, writing a webshell. On its own it needs authentication. CVE-2022-37042 is an authentication bypass in the same mboximport endpoint, and chaining the two yields unauthenticated remote code execution. Volexity reported mass exploitation against more than 1,000 ZCS instances in August 2022.
- CVE-2022-27924 (memcached injection, credential theft). SonarSource found that an unauthenticated attacker could inject commands into Zimbra’s memcached, poison cached entries, and harvest user email credentials in cleartext, no interaction required. Zimbra fixed it in May 2022.
- CVE-2022-30333 (UnRAR traversal). The attachment-scanning bug above. Zimbra responded with a configuration change to use 7zip instead of unrar.
Zimbra shipped fixes across these in 8.8.15 and 9.0 patch levels through mid-2022.
Why email is the crown jewel
On-premise email and groupware servers are among the highest-value targets in any environment, and the reasons compound:
- Email is the master key. Password-reset links flow to email, so control of the mail server is a path to resetting and taking over accounts across every other system. It’s also where the sensitive conversations, attachments, and data already live.
- It’s internet-facing by necessity. Mail servers have to receive mail and serve webmail, so they’re exposed by design, and the webmail and import endpoints are reachable attack surface.
- It processes untrusted input automatically. The UnRAR bug is the sharp example: a mail server inspects every attachment that arrives, which means attacker-supplied files get processed without anyone choosing to open them. Automated content inspection is a feature that doubles as an attack surface.
Zimbra is the open-source groupware counterpart to Microsoft Exchange, and 2022 showed it draws the same caliber of attention: mass exploitation by ransomware and nation-state actors alike. If you run it, treat it with Exchange-level paranoia.
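The mechanism shared by the mboximport bug and the UnRAR bug is an archive entry whose name escapes the extraction directory. As an added example, not code from Zimbra or from the original post, here is a Python extractor that resolves every entry against the destination before writing it and refuses anything that lands outside. The archive and the entry names in it are constructed for the demo; the file contents are placeholder markers, not real payloads.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry plus two entries whose names
    try to escape the extraction directory (relative and absolute forms)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Inbox/msg-0001.eml", "Subject: hello\r\n\r\nbody\r\n")
        zf.writestr("../../webapps/dropped.jsp", "<%-- constructed marker --%>")
        zf.writestr("/etc/cron.d/dropped", "# constructed marker\n")
    return buf.getvalue()


def resolve_member(dest: Path, name: str):
    """Return the real on-disk target for an entry name, or None if the
    name is absolute or resolves (after '..' and symlinks) outside dest."""
    if not name or os.path.isabs(name) or name.startswith(("/", "\\")):
        return None
    target = (dest / name).resolve()
    try:
        target.relative_to(dest.resolve())
    except ValueError:
        return None
    return target


def safe_extract(archive: bytes, dest: Path):
    """Extract only entries that stay under dest.
    Returns (extracted_names, rejected_names) in archive order."""
    extracted, rejected = [], []
    dest.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue  # directories are created as needed below
            target = resolve_member(dest, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            # Write the bytes ourselves; symlink entries become plain files,
            # so a later entry cannot write through a planted link.
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def run_demo():
    """Extract the sample into a scratch directory and report what happened.
    Returns (extracted, rejected, leaked); leaked lists anything that landed
    beside the extraction root, which would mean a traversal got through."""
    with tempfile.TemporaryDirectory() as d:
        scratch = Path(d)
        extracted, rejected = safe_extract(build_sample_archive(), scratch / "out")
        leaked = [p.name for p in scratch.iterdir() if p.name != "out"]
        return extracted, rejected, leaked


if __name__ == "__main__":
    print(run_demo())
```

The check is done on the fully resolved path rather than on the entry string, so `..` components, absolute names, and a symlink planted by an earlier entry are all caught by the same comparison. Treat the rejected list as a detection signal, not just a safety net: a mail archive that carries traversal entries is worth alerting on.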
What to do
- Patch ZCS to current (8.8.15 / 9.0 patch levels past mid-2022 fixes, and beyond). Apply all of the cluster’s fixes; they landed across several patch levels through July-August 2022. Stay current, because Zimbra has continued to be targeted since.
- Assume compromise on instances exposed and unpatched in 2022. With over 1,000 instances mass-exploited and webshells the common outcome, an internet-facing server that lagged should be investigated, not assumed clean. Hunt for unexpected JSP/webshell files, the Zimbra/Java process spawning shells, and the credential-theft indicators from the memcached bug.
- Rotate credentials if the memcached bug was exploitable. CVE-2022-27924 leaked cleartext credentials; if you were exposed, treat user credentials as compromised and reset them, ideally with MFA added.
- Minimize internet exposure of admin and import endpoints, and front webmail with additional controls where you can.
- Mind the content-inspection surface. The UnRAR lesson generalizes: anything your mail or security stack auto-extracts and parses is processing attacker input. Keep those parsers patched and consider sandboxing attachment processing.
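For the "hunt for unexpected JSP/webshell files" step above, an added example that is not from the original post and not Zimbra tooling: a baseline-and-diff check in Python that hashes a web root taken from a known-good install and reports files that later appear or change, listing JSP/JSPX files first. The directory layout and file names are constructed for the demo; on a real ZCS host the root would be the webapp directory, which this page does not name, so that path is an assumption you fill in.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large webapp trees do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def find_unexpected(root: Path, baseline: dict, suffixes=(".jsp", ".jspx")):
    """Compare the live tree to a known-good manifest.
    Returns (web_executable, other): files absent from or differing from the
    baseline, split by whether the server would execute them."""
    current = build_manifest(root)
    changed = sorted(rel for rel, digest in current.items() if baseline.get(rel) != digest)
    web = [rel for rel in changed if Path(rel).suffix.lower() in suffixes]
    other = [rel for rel in changed if rel not in web]
    return web, other


def run_demo():
    """Constructed scenario: snapshot a clean tree, then simulate a dropped
    JSP and a tampered shipped page, and report what the diff surfaces."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "zimbra").mkdir()
        (root / "zimbra" / "index.jsp").write_text("<%-- constructed: shipped page --%>")
        baseline = build_manifest(root)  # would come from a known-good install

        (root / "zimbra" / "public").mkdir()
        (root / "zimbra" / "public" / "dropped.jsp").write_text("<%-- constructed marker --%>")
        (root / "zimbra" / "index.jsp").write_text("<%-- constructed: tampered --%>")
        return find_unexpected(root, baseline)


if __name__ == "__main__":
    web, other = run_demo()
    print("web-executable changes:", web)
    print("other changes:", other)
```

Build the baseline from install media or a freshly patched host, not from the server you are investigating, and store it off-box: a manifest taken after a webshell landed would bless the webshell. Hits in the first list are the ones to pull immediately, together with the Java process tree and the access logs for the same window.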
The reframe is to put on-premise email at the top of your patch-and-harden priority list and keep it there. It’s internet-facing, it’s the key to every account via password reset, and it auto-processes hostile input by design. Zimbra’s 2022 was the demonstration: a chain to unauthenticated RCE, a credential-stealing memcached bug, and an attachment-scanning flaw that compromised the server without a single click. Patch it like Exchange, watch it like Exchange, and assume the adversaries treating it as a crown jewel are right. We track the email and groupware entries with that weight, because the mail server is where so many intrusions either start or pay off.
Sources
- CISA AA22-228A: Threat actors exploiting multiple CVEs against Zimbra Collaboration Suite — 2022-08-16
- CISA Known Exploited Vulnerabilities Catalog
- Volexity: Mass exploitation of (un)authenticated Zimbra RCE CVE-2022-27925 — 2022-08-10
- SonarSource: Zimbra email, stealing clear-text credentials via memcache injection (CVE-2022-27924) — 2022
- Rapid7: Active exploitation of multiple vulnerabilities in Zimbra Collaboration Suite — 2022-08-17