    Zimbra Zero-Day Demands Urgent Manual Update

    By justmattg | July 17, 2023


    Teams running the Zimbra Collaboration Suite version 8.8.15 are urged to apply a manual fix against a recently discovered zero-day vulnerability that’s being actively exploited in the wild.

    The Zimbra cloud suite offers email, calendar functions, and other enterprise collaboration tools. The vulnerability compromises the security of data on Zimbra servers, the company said in its security advisory.

    “A security vulnerability in Zimbra Collaboration Suite Version 8.8.15 that could potentially impact the confidentiality and integrity of your data has surfaced,” the company said. “We take this matter very seriously and have already taken immediate action to address the issue.”

    The reflected cross-site scripting (XSS) vulnerability was discovered by Google Threat Analysis Group (TAG) researcher Clément Lecigne. Fellow TAG researcher Maddie Stone confirmed the Zimbra zero-day is being targeted in the wild in a July 13 tweet. 

    No Automatic Patch Yet

    Although Zimbra has a fix, it won’t roll out automatically until its scheduled July update, which is why the company is asking customers to manually apply a fix to all mailbox nodes.

    The company urges its users to take the following steps:

    1. Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto
    2. Edit this file and go to line number 40
    3. Update the parameter value as below
      <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>
    4. Before the update, the line appeared as below
      <input name="st" type="hidden" value="${param.st}"/>
    5. After the update, the line should appear as below:
      <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>

    Zimbra added in its security advisory that a service restart is not required. 
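
The manual steps above, scripted so they can be repeated on every mailbox node (an added example, not Zimbra's own tooling). It matches the line by content instead of relying on line number 40; the function name, return codes and the separate backup directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Zimbra tooling. Usage (hypothetical backup path):
#   apply_st_fix /opt/zimbra/jetty/webapps/zimbra/m/momoveto /root/zimbra-backup

UNESCAPED='value="${param.st}"'                 # line as shipped (reflects "st" unescaped)
ESCAPED='value="${fn:escapeXml(param.st)}"'     # line after the manual fix

# apply_st_fix FILE BACKUP_DIR
# Returns: 0 fixed now or already fixed
#          1 file/backup dir unusable or write failed
#          2 neither form of the line present (inspect by hand)
#          3 verification after the edit failed
apply_st_fix() {
    f=$1
    bdir=$2
    [ -r "$f" ] && [ -w "$f" ] && [ -d "$bdir" ] || return 1

    # Idempotence: nothing to do when only the escaped form is present.
    if grep -qF "$ESCAPED" "$f" && ! grep -qF "$UNESCAPED" "$f"; then
        return 0
    fi
    grep -qF "$UNESCAPED" "$f" || return 2

    # Step 1: backup. Kept outside the webapp tree (this example's choice)
    # so a stray copy of the page does not sit next to the live one.
    cp -p "$f" "$bdir/$(basename "$f").$(date +%Y%m%d%H%M%S)" || return 1

    # Steps 2-5: rewrite only the unescaped "st" value.
    tmp=$(mktemp) || return 1
    sed 's/value="\${param\.st}"/value="${fn:escapeXml(param.st)}"/' "$f" > "$tmp" \
        || { rm -f "$tmp"; return 1; }
    # cat into the original keeps its owner and mode unchanged.
    cat "$tmp" > "$f" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"

    # Verify the result matches step 5 and no unescaped form remains.
    grep -qF "$ESCAPED" "$f" && ! grep -qF "$UNESCAPED" "$f" || return 3
    return 0
}
```

A return code of 2 means the file does not contain either form of the line, so the node should be checked by hand before it is considered fixed.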

    Zimbra: A Popular Cybercriminal Target

    The risk of not patching is real: Zimbra products are popular targets among advanced persistent threat (APT) and other cyber-threat groups. Earlier this year, the North Korean government was discovered using a Zimbra zero-day vulnerability to spy on a collection of medical and energy sector organizations. Months earlier, in late 2022, threat actors were discovered actively exploiting a remote code execution vulnerability in Zimbra email servers.

    Last November, the Cybersecurity and Infrastructure Security Agency (CISA) issued a blanket warning that if enterprises were running Zimbra collaboration suites, they should assume they have been compromised.
