Zimbra Collaboration Suite Email Server Unauthenticated RCE
Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection
Sigma rule (View on GitHub)
1title: Zimbra Collaboration Suite Email Server Unauthenticated RCE
2id: dd218fb6-4d02-42dc-85f0-a0a376072efd
3status: test
4description: Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection
5references:
6 - https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/
7 - https://www.yang99.top/index.php/archives/82/
8 - https://github.com/vnhacker1337/CVE-2022-27925-PoC
9author: '@gott_cyber'
10date: 2022/08/17
11modified: 2023/01/02
12tags:
13 - attack.initial_access
14 - attack.t1190
15 - cve.2022.27925
16 - detection.emerging_threats
17logsource:
18 category: webserver
19detection:
20 selection_servlet:
21 cs-method: 'POST'
22 cs-uri-query|contains: '/service/extension/backup/mboximport\?'
23 cs-uri-query|contains|all:
24 - 'account-name'
25 - 'ow'
26 - 'no-switch'
27 - 'append'
28 sc-status:
29 - 401
30 - 200
31 selection_shell:
32 cs-uri-query|contains: '/zimbraAdmin/'
33 cs-uri-query|endswith: '.jsp'
34 sc-status|contains: '200'
35 condition: 1 of selection_*
36falsepositives:
37 - Unknown
38level: medium
References
-
[Note: Volexity has reported all findings in this post to Zimbra. Where an existing contact was known, Volexity has notified local CERTs of compromised Zimbra instances in their constituency. The newest versions of Zimbra are patched for both the RCE vulnerability and authentication bypass vulnerabilities described in this blog.] In July and early August 2022, Volexity worked on multiple incidents where the victim organization experienced serious breaches to their Zimbra Collaboration Suite (ZCS) email servers. Volexity’s investigations uncovered evidence indicating the likely cause of these breaches was exploitation of CVE-2022-27925, a remote-code-execution (RCE) vulnerability in ZCS. This initial CVE was patched by Zimbra in March 2022 in 8.8.15P31 and 9.0.0P24. Figure 1. Description of CVE-2022-27925 from the NIST website Initial research into the vulnerability did not uncover any public exploit code, but since a patch had been available for several months, it was reasonable that exploit code could have been […]
Read More -
漏洞信息Zimbra 官方通报了一个 RCE 漏洞 CVE-2022-27925ZIP 压缩包解析导致路径穿越类型的漏洞影响版本 v8.8.15 P30-v9.0.0 P23环境搭建系统:U...
Read More -
Zimbra RCE simple poc. Contribute to vnhacker1337/CVE-2022-27925-PoC development by creating an account on GitHub.
Read More
Related rules
- CVE-2021-21972 VSphere Exploitation
- CVE-2021-21978 Exploitation Attempt
- CVE-2021-33766 Exchange ProxyToken Exploitation
- CVE-2023-46747 Exploitation Activity - Proxy
- CVE-2023-46747 Exploitation Activity - Webserver