Zimbra Collaboration Suite Email Server Unauthenticated RCE
Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection
Sigma rule (View on GitHub)
1title: Zimbra Collaboration Suite Email Server Unauthenticated RCE
2id: dd218fb6-4d02-42dc-85f0-a0a376072efd
3status: test
4description: Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection
5references:
6 - https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/
7 - https://www.yang99.top/index.php/archives/82/
8 - https://github.com/vnhacker1337/CVE-2022-27925-PoC
9author: '@gott_cyber'
10date: 2022-08-17
11modified: 2023-01-02
12tags:
13 - attack.initial-access
14 - attack.t1190
15 - cve.2022-27925
16 - detection.emerging-threats
17logsource:
18 category: webserver
19detection:
20 selection_servlet:
21 cs-method: 'POST'
22 cs-uri-query|contains: '/service/extension/backup/mboximport\?'
23 cs-uri-query|contains|all:
24 - 'account-name'
25 - 'ow'
26 - 'no-switch'
27 - 'append'
28 sc-status:
29 - 401
30 - 200
31 selection_shell:
32 cs-uri-query|contains: '/zimbraAdmin/'
33 cs-uri-query|endswith: '.jsp'
34 sc-status|contains: '200'
35 condition: 1 of selection_*
36falsepositives:
37 - Unknown
38level: medium
References
-
[Note: Volexity has reported all findings in this post to Zimbra. Where an existing contact was known, Volexity has notified local CERTs of compromised Zimbra instances in their constituency. The newest versions of Zimbra are patched for both the RCE vulnerability and authentication bypass vulnerabilities described in this blog.] In July and early August 2022, Volexity worked on multiple incidents where the victim organization experienced serious breaches to their Zimbra Collaboration Suite (ZCS) email servers. Volexity’s investigations uncovered evidence indicating the likely cause of these breaches was exploitation of CVE-2022-27925, a remote-code-execution (RCE) vulnerability in ZCS. This initial CVE was patched by Zimbra in March 2022 in 8.8.15P31 and 9.0.0P24. Figure 1. Description of CVE-2022-27925 from the NIST website Initial research into the vulnerability did not uncover any public exploit code, but since a patch had been available for several months, it was reasonable that exploit code could have been […]
Read More -
Zimbra RCE simple poc. Contribute to vnhacker1337/CVE-2022-27925-PoC development by creating an account on GitHub.
Read More
Related rules
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - Weblogs
- Arcadyan Router Exploitations
- Atlassian Bitbucket Command Injection Via Archive API
- CVE-2010-5278 Exploitation Attempt