CVE-2022-27925
Published 2022-04-21. Priority P1 (91, high); CVSS 3.1 base score 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). Tags: CISA Known Exploited Vulnerability (remediation due 2022-09-01), exploited in the wild, known ransomware use, initial access. EPSS: 98.16% (99.9th percentile).
Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.
Affected (2 ranges):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | — | — |
Detection & IOCs (extracted from sources)
- Look for HTTP POST requests to the mboximport endpoint (path: /service/extension/backup/mboximport) returning HTTP 401: exploitation succeeds even when the server returns 401 Unauthorized, due to a missing return statement after the auth check.
- Use the Godzilla Webshell YARA rule (SHA-256: 2786d2dc738529a34ecde10ffeda69b7f40762bf13e7771451f13a24ab7fc5fe) to detect the JSP implementation of the Godzilla webshell dropped on compromised ZCS servers.
- Compare the current list of JSP files in the ZCS web directory against a known-good baseline to identify attacker-planted webshells.
- Flag POST requests to mboximport with URL parameters such as account-name, ow, and no-switch; these are the parameters an attacker sets to exploit the vulnerability without authentication.
- The exploit succeeds even when the server returns HTTP 401. Defenders must not assume a 401 response to mboximport POST requests means the attack failed; the file may already have been written to disk.
- The Open Source Edition of Zimbra Collaboration Suite is not affected; only Network Edition versions 9.0.0 Patch 23 and earlier, and 8.8.15 Patch 30 and earlier, are vulnerable.
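The request-log checks in the list above, applied to constructed access-log lines, as an added example that is not from this page's sources. It assumes the front-end log is in the common nginx/Apache "combined" format; the sample lines, timestamps and RFC 5737 documentation addresses are constructed. The point it makes is the one the IOC list stresses: a 401 on a mboximport POST is recorded as a finding, not filtered out as a failed attempt.

```python
"""Flag mboximport POST requests in Zimbra front-end access logs.

Added example (not from the page or its sources) that applies the
detection guidance above to constructed log lines. Assumptions: the log
is in the common nginx/Apache "combined" format, the addresses are
RFC 5737 documentation ranges, and the sample lines are constructed.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

MBOXIMPORT_PATH = "/service/extension/backup/mboximport"
# Query parameters the IOC list above names as set by the unauthenticated exploit.
SUSPICIOUS_PARAMS = {"account-name", "ow", "no-switch"}

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Finding:
    ip: str
    ts: str
    status: int
    params: list = field(default_factory=list)
    note: str = ""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def check_line(line):
    """Return a Finding for a POST to the mboximport endpoint, else None.

    The status code is deliberately not used as a filter: the page notes that
    the unauthenticated exploit still writes the file when the server answers
    401, so a 401 is recorded with a note rather than discarded.
    """
    rec = parse_line(line)
    if rec is None or rec["method"] != "POST":
        return None
    url = urlsplit(rec["target"])
    if not url.path.startswith(MBOXIMPORT_PATH):
        return None
    params = sorted(set(parse_qs(url.query)) & SUSPICIOUS_PARAMS)
    if rec["status"] == 401:
        note = "401 does not prove failure; check the web directory for new JSP files"
    else:
        note = "verify against expected admin mailbox imports"
    return Finding(rec["ip"], rec["ts"], rec["status"], params, note)


def scan(lines):
    """Run check_line over an iterable of log lines and keep the findings."""
    return [f for f in map(check_line, lines) if f is not None]


# Constructed sample log: one exploit-shaped request answered with 401,
# one unrelated request, and one mboximport request answered with 200.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Aug/2022:03:14:07 +0000] "POST /service/extension/backup/mboximport'
    '?account-name=admin&ow=1&no-switch=1 HTTP/1.1" 401 0 "-" "python-requests/2.28.1"',
    '198.51.100.7 - - [09/Aug/2022:03:15:22 +0000] "GET /service/soap HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Aug/2022:08:00:01 +0000] "POST /service/extension/backup/mboximport'
    '?account-name=alice%40example.org&ow=2 HTTP/1.1" 200 512 "-" "curl/7.81.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} status={f.status} params={f.params}: {f.note}")
```

Run it against a real log with `scan(open(path))`; every mboximport POST is reported, and the `params` field shows which of the three parameter names from the IOC list were present so legitimate admin imports can be told apart during triage.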
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | — | 7.2 | HIGH | — |
| cisa | — | 7.2 | HIGH | — |
GHSA: GHSA-9g5r-3vrr-xfcm (CVE-2022-37042, HIGH, CWE-22) · unreviewed · 2022-08-13 · CVSS 7.2
Title: Zimbra Collaboration Suite (ZCS) 8
Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.
GHSA: GHSA-j5r7-6rm3-99mm (CVE-2022-27925, HIGH, CWE-22) · unreviewed · 2022-04-22
Title: Zimbra Collaboration (aka ZCS) 8
Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.
VulnCheck: Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability (CVE-2022-27925, HIGH, CWE-22) · 2022 · CVSS 7.2
Synacor Zimbra Collaboration Suite (ZCS) contains a flaw in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution. This vulnerability was chained with CVE-2022-37042, which allows for unauthenticated remote code execution.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://web.archive.org/web/20230318134256/https://unit42.paloaltonetworks.com/network-security-trends-aug-oct-2022/; https://assets.sentinelone.com/wt-reports/watchtower_202
VulnCheck: Synacor Zimbra Collaboration Suite (ZCS) Authentication Bypass Vulnerability (CVE-2022-37042, HIGH, CWE-23) · 2022 · CVSS 7.2
Synacor Zimbra Collaboration Suite (ZCS) contains an authentication bypass vulnerability in MailboxImportServlet. This vulnerability was chained with CVE-2022-27925, which allows for unauthenticated remote code execution.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://assets.sentinelone.com/wt-reports/watchtower_2022_eoy; https://cisa.gov/news-events/cybersecurity-advisories/aa22-228a; https://l
CISA: Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability (CVE-2022-27925, HIGH, CWE-22) · 2022-08-11 · CVSS 7.2
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Synacor Zimbra Collaboration Suite (ZCS) contains a flaw in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution. This vulnerability was chained with CVE-2022-37042, which allows for unauthenticated remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/; https://nvd.nist.gov/vuln/detail/CVE-2022-27925
Remediation Due Date: 2022-09-01
CISA: Synacor Zimbra Collaboration Suite (ZCS) Authentication Bypass Vulnerability (CVE-2022-37042, HIGH, CWE-23) · 2022-08-11 · CVSS 7.2
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Synacor Zimbra Collaboration Suite (ZCS) contains an authentication bypass vulnerability in MailboxImportServlet. This vulnerability was chained with CVE-2022-27925, which allows for unauthenticated remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/; https://nvd.nist.gov/vuln/detail/CVE-2022-37042
Remediation Due Date: 2022-09-01
Suricata: ET EXPLOIT Possible Zimbra RCE Attempt Inbound (CVE-2022-27925) (HIGH) · 2022-08-12 · CVSS 7.2
Rule:
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Zimbra RCE Attempt Inbound (CVE-2022-27925)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/backup/mboximport/"; fast_pattern; http.request_body; content:"PK"; startswith; content:"../"; distance:20; within:500; reference:cve,2022-27925; reference:cve,2022-37042; classtype:attempted-admin; sid:2038504; rev:1; metadata:attack_target Server, created_at 2022_08_12, cve CVE_2022_27925_CVE_2022_37042, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190;)
```
Nuclei: Godzilla Webshell Hash - Detect (CVE-2022-27925, HIGH) · CVSS 7.2
Detects the JSP implementation of the Godzilla Webshell.
Template:
```yaml
id: godzilla-webshell-hash

info:
  name: Godzilla Webshell Hash - Detect
  author: pussycat0x
  severity: info
  description: Detects the JSP implementation of the Godzilla Webshell.
  reference:
    - https://github.com/volexity/threat-intel/blob/main/2022/2022-08-10%20Mass%20exploitation%20of%20(Un)authenticated%20Zimbra%20RCE%20CVE-2022-27925/yara.yar
    - https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/
  tags: malware,webshells

file:
  - extensions:
      - all

    matchers:
      - type: dsl
        dsl:
          - "sha256(raw) == '2786d2dc738529a34ecde10ffeda69b7f40762bf13e7771451f13a24ab7fc5fe'"
# digest: 4a0a00473045022076837eec80a696dd94820f09606d9c0b898df167062019438d6a524deae170e7022100e04494a4faf43442
```
Metasploit: Zip Path Traversal in Zimbra (mboximport) (CVE-2022-27925, HIGH) · CVSS 7.2
This module POSTs a ZIP file containing path traversal characters to the administrator interface for Zimbra Collaboration Suite. If successful, it plants a JSP-based backdoor within the web directory, then executes it. The core vulnerability is a path-traversal issue in Zimbra Collaboration Suite's ZIP implementation that can result in the extraction of an arbitrary file to an arbitrary location on the host. This issue is exploitable on the following versions of Zimbra:
- Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier)
- Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier)

Note that the Open Source Edition is not affected.
Nuclei: ReGeorg Webshell Hash - Detect (CVE-2022-27925, HIGH) · CVSS 7.2
Detects the JSP version of the reGeorg webshell.
Template:
```yaml
id: regeorg-webshell-hash

info:
  name: ReGeorg Webshell Hash - Detect
  author: pussycat0x
  severity: info
  description: Detects the reGeorg webshells' JSP version.
  reference:
    - https://github.com/volexity/threat-intel/blob/main/2022/2022-08-10%20Mass%20exploitation%20of%20(Un)authenticated%20Zimbra%20RCE%20CVE-2022-27925/yara.yar
    - https://github.com/SecWiki/WebShell-2/blob/master/reGeorg-master/tunnel.jsp
  tags: malware,webshells

file:
  - extensions:
      - all

    matchers:
      - type: dsl
        dsl:
          - "sha256(raw) == 'f9b20324f4239a8c82042d8207e35776d6777b6305974964cd9ccc09d431b845'"
# digest: 490a004630440220526fa19e306c7a67f8dc2fa322983b84af7ed269fc4a26a115e6ff5235044951022016acfd0a2c4f3278f9f31b2732f8bd87650751d8d696aff
```
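The two file-system checks from the Detection & IOCs list (baseline comparison of JSP files, and SHA-256 matching against the Godzilla and reGeorg hashes that both Nuclei templates above test with `sha256(raw)`), as one added example that is not from the page or any of its sources. The only values taken from the page are the two hashes; the web-root layout, file contents and the extra "constructed test sample" hash that `build_demo_tree()` adds are constructed so the hash check can fire without any real webshell content.

```python
"""Baseline and hash checks for JSP files under a Zimbra web root.

Added example (not from the page or its sources). It implements the two
file-system checks listed under Detection & IOCs: compare the JSP files
present under the web root against a known-good baseline, and compare each
file's SHA-256 against the webshell hashes used by the Nuclei templates
above. The directory layout in build_demo_tree() is constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 values carried by the two Nuclei hash templates on this page.
KNOWN_WEBSHELL_SHA256 = {
    "2786d2dc738529a34ecde10ffeda69b7f40762bf13e7771451f13a24ab7fc5fe": "Godzilla JSP webshell",
    "f9b20324f4239a8c82042d8207e35776d6777b6305974964cd9ccc09d431b845": "reGeorg tunnel.jsp",
}


def sha256_file(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_jsp(webroot, extensions=(".jsp", ".jspx")):
    """Map relative POSIX path -> SHA-256 for every JSP-like file under webroot."""
    root = Path(webroot)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in extensions
    }


def compare(current, baseline, known_bad=KNOWN_WEBSHELL_SHA256):
    """Diff the current inventory against the baseline and match known hashes.

    New, modified and missing files are the baseline check from the IOC list;
    hash hits are the same test the Nuclei templates perform with sha256(raw).
    """
    return {
        "new": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(current)),
        "webshell_hash_hits": {p: known_bad[h] for p, h in current.items() if h in known_bad},
    }


def build_demo_tree():
    """Constructed demo: baseline a tiny web root, then change one file and add another.

    Returns (webroot, baseline, known_bad). known_bad extends the page's hash
    list with the hash of the constructed new file so the hash check fires
    without shipping real webshell content.
    """
    root = Path(tempfile.mkdtemp(prefix="zcs-demo-"))
    placeholder = b"<%-- constructed placeholder page --%>\n"
    for rel in ("zimbra/public/index.jsp", "zimbraAdmin/admin.jsp"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(placeholder)
    baseline = inventory_jsp(root)

    # After the baseline: one file edited in place, one new file appears.
    (root / "zimbra/public/index.jsp").write_bytes(placeholder + b"<%-- edited --%>\n")
    dropped = root / "zimbraAdmin/public/constructed_new.jsp"
    dropped.parent.mkdir(parents=True, exist_ok=True)
    dropped.write_bytes(b"<%-- constructed stand-in for a planted file --%>\n")

    known_bad = dict(KNOWN_WEBSHELL_SHA256)
    known_bad[sha256_file(dropped)] = "constructed test sample"
    return root, baseline, known_bad


if __name__ == "__main__":
    webroot, baseline, known_bad = build_demo_tree()
    report = compare(inventory_jsp(webroot), baseline, known_bad)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In practice the baseline is `inventory_jsp()` taken from a freshly patched install (or from package contents) and stored off-host, since a baseline kept on the server can be edited along with the planted file; `compare()` then runs on a schedule and any entry under `new`, `modified` or `webshell_hash_hits` is reviewed by hand.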
Nuclei: Zimbra Collaboration Suite 8.8.15/9.0 - Remote Code Execution (CVE-2022-37042, HIGH) · CVSS 7.2
Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.
Template:
```yaml
id: CVE-2022-37042

info:
  name: Zimbra Collaboration Suite 8.8.15/9.0 - Remote Code Execution
  author: _0xf4n9x_,For3stCo1d
  severity: critical
  description: |
    Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtok
```
Hackernews: New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks (CVE-2021-26855, CRITICAL) · 2026-06-26 · CVSS 9.8
A newly discovered cyber attack campaign has been observed delivering a previously undocumented malware family called SharkLoader that acts as a loader for deploying Cobalt Strike Beacon on compromised hosts.
Kaspersky, which is tracking the activity under the moniker StrikeShark , said the campaign has targeted a diplomatic organization in Indonesia, government organizations in Taiwan, software development companies across multiple countries, and entities associated with other sectors located in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Ne
Securelist: StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader (CVE-2021-26855) · 2026-06-24
Author: Fareed Radzi
Contents: Introduction · Initial infection · Exploitation of public-facing applications · Dropper-based distribution · SharkLoader installation · SharkLoader DLL – Main implant · "PerfectDLL Hijacking" technique · Decryption and loading of DscCoreR.mui · DscCoreR.mui and SyncRes.dat DLLs · Decryption and loading of SyncRes.dat · SyncRes.dat decrypted DLL: Multiple API hooks · VEH registration and access violation handling · Thread creation for Cobalt Strike Beacon execution · MinHook DLL, API hooking, and Cobalt Strike beacon · Persistence mechanism · Post-compromise activity · Victimology · Attribution · Conclusion · Indicators of compromise
## Introduction
During our research of activity affecting a diplomatic organization in Indonesia, we uncovered a previo
GreyNoise: The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates · 2026-02-02
GreyNoise: GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta's Leaked Chat Logs (CRITICAL) · 2025-02-26 · CVSS 9.8
Qualys: Defense Lessons From the Black Basta Ransomware Playbook · 2025-02-25
## Table of Contents
- Know Your Enemy's Playbook
- Attackers Move Fast
- How Qualys Can Help
The cybersecurity world was rocked last week by a massive leak of Black Basta’s internal communications that emerged from the group’s chat logs. Triggered by internal conflicts and a retaliatory data dump following attacks on Russian banks, the exposed records offer a rare glimpse into Black Basta’s tactics, operations, and leadership.
We’ve analyzed these newly unveiled tactics, and in this blog, we equip security teams with clear, actionable insights. We aim to highlight the key lessons learned—like immediate patching, tighter access controls, and rapid incident response—and provide an urgent call to action. This practical guide aims to help organizations strengthen their defenses against evolving
Tenable: South Korean and American Agencies Release Joint Advisory on North Korean Ransomware · 2023-02-16
SentinelOne: Black Basta · 2022-11-30
Volexity: Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925 (CVE-2022-27925, HIGH) · 2022-08-10 · CVSS 7.2
August 10, 2022 · Volexity Threat Research
[Note: Volexity has reported all findings in this post to Zimbra. Where an existing contact was known, Volexity has notified local CERTs of compromised Zimbra instances in their constituency. The newest versions of Zimbra are patched for both the RCE vulnerability and authentication bypass vulnerabilities described in this blog.]
In July and early August 2022, Volexity worked on multiple incidents where the victim organization experienced serious breaches to their Zimbra Collaboration Suite (ZCS) email servers. Volexity’s investigations uncovered evidence indicating the likely cause of these breaches was exploitation of CVE-2022-27925, a remote-code-executio
Recorded Future: RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
New Insikt Group research examines RedHotel, a Chinese state-sponsored threat activity group that stands out due to its persistence, operational intensity, and global reach. RedHotel's operations span 17 countries in Asia, Europe, and North America from 2021 to 2023. Its targets encompass academia, aerospace, government, media, telecommunications, and research sectors. Particularly focused on Southeast Asia's governments and private companies in specified sectors, RedHotel's infrastructure for malware command-and-control, reconnaissance, and exploitation points to administration in Chengdu, China. Its methods align with other contractor groups linked to China's Ministry of State Security (MSS), indicating a
SentinelOne: Black Basta Ransomware: In-Depth Analysis, Detection, and Mitigation
## Summary of Black Basta Ransomware
Black Basta first emerged in early 2022. The ransomware family is an evolution of the Hermes/Ryuk/Conti families. Black Basta was heavily advertised in underground cybercrime markets. Black Basta practices double extortion, demanding payment for a decryptor as well as for the non-release of stolen data. There are Windows and Linux variants of Black Basta ransomware. The group is responsible for hundreds of attacks against global targets of varying sectors.
February 2025 Update: Nearly a year's worth of Black Basta chat logs have been released on Telegram, providing detailed insight into the group's operational workflow, reconnaissance activities, and specific userID and details o
References:
- http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-27925

Timeline: published 2022-04-21 · added to CISA KEV 2022-08-11 · exploited in the wild