CVE-2022-41352
published 2022-09-26
Priority P1 · 100 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2022-11-10
Exploited in the wild
EPSS 95.48% (99.9th percentile)
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | — | — |
Detection & IOCs (extracted from sources)
yara: HEUR:Exploit.Multi.CVE-2022-41352.gen
- Check for JSP webshells dropped in the Zimbra public web directory at known attacker-used paths, including typo-squatted filenames such as 'ResourcesVerificaton.jsp' (missing 'i') and 'seachx.jsp' (missing 'r').
- Exploitation is delivered via a malicious tar archive attached to an inbound e-mail; monitor Amavis/cpio activity for path-traversal writes outside the expected temporary directories.
- The Metasploit module creates a .tar file that is emailed to the Zimbra server; alert on inbound emails with .tar attachments that result in new file creation under the Zimbra webroot.
- Red Hat-based and CentOS systems without pax installed are vulnerable: pax is a Zimbra installation prerequisite on Ubuntu (not vulnerable) but is absent from default RHEL/CentOS installations after version 6, so those systems are vulnerable by default. Prioritize detection on RHEL/CentOS/Oracle/Rocky Linux Zimbra deployments.
- A proof of concept was added to Metasploit on October 7, 2022; expect broad opportunistic exploitation from that date onward and correlate Zimbra server compromise events against this timeline.
- Removing a discovered webshell is insufficient for remediation; the attacker will have had access to the Zimbra service-account credentials stored in configuration files, which can be used to regain access.
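One way to operationalise the webroot checks in the list above, as an added example that is not part of this page or of Zimbra's tooling: it diffs /opt/zimbra/jetty/webapps/zimbra/public against a baseline manifest (assumed to have been taken from a known-clean install of the same patch level) and flags new .jsp files, modified files, and new names that sit one edit away from a legitimate name, which is the typo-squat pattern noted above. The baseline file names, the temporary directory and the dropped files are constructed for the demo; ResourcesVerification.jsp and searchx.jsp are stand-ins, not a claim about Zimbra's real file list.

```python
"""Hunt for dropped JSP webshells under the Zimbra public webroot.

Added example; not from the page or from Zimbra. It diffs the directory
against a baseline manifest taken from a known-clean install (assumed to be
available) and flags new .jsp files, modified files, and new names that sit
one edit away from a legitimate name (the typo-squat pattern).
"""
import hashlib
import os
import tempfile
from pathlib import Path

PUBLIC_DIR = "/opt/zimbra/jetty/webapps/zimbra/public"   # extraction target of the exploit


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    base = Path(root)
    return {str(p.relative_to(base)): sha256_file(p) for p in base.rglob("*") if p.is_file()}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; filenames are short, so the full DP table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hunt(root: str, baseline: dict) -> dict:
    """Compare root against baseline; returns new .jsp files, modified files and typo-squats."""
    current = build_manifest(root)
    findings = {"new_jsp": [], "modified": [], "typosquat": []}
    baseline_names = {os.path.basename(rel) for rel in baseline}
    for rel, digest in sorted(current.items()):
        if rel in baseline:
            if baseline[rel] != digest:
                findings["modified"].append(rel)
            continue
        if rel.lower().endswith(".jsp"):
            findings["new_jsp"].append(rel)
        name = os.path.basename(rel)
        for legit in sorted(baseline_names):
            if name != legit and edit_distance(name, legit) == 1:
                findings["typosquat"].append((rel, legit))
    return findings


def demo() -> dict:
    """Constructed scenario: clean baseline, then two dropped shells and one tampered file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed baseline names; stand-ins, not Zimbra's real file list.
        for legit in ("ResourcesVerification.jsp", "searchx.jsp", "index.jsp", "img/logo.png"):
            (root / legit).parent.mkdir(parents=True, exist_ok=True)
            (root / legit).write_bytes(b"<%-- constructed legit content --%>")
        baseline = build_manifest(tmp)
        (root / "ResourcesVerificaton.jsp").write_bytes(b"<% /* constructed drop */ %>")  # missing 'i'
        (root / "seachx.jsp").write_bytes(b"<% /* constructed drop */ %>")                 # missing 'r'
        (root / "index.jsp").write_bytes(b"<%-- tampered --%>")
        return hunt(tmp, baseline)


if __name__ == "__main__":
    # Real use: hunt(PUBLIC_DIR, json.load(open("baseline.json")))
    print(demo())
```

Store the baseline off-host and refresh it after each patch; a clean result does not clear the host on its own, because the credential caveat in the last bullet above still applies.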
CVSS provenance
NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
CISA: 9.8 CRITICAL
CISA
Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability
cisa·2022-10-20·CVSS 9.8
CVE-2022-41352 [CRITICAL] CWE-22 Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Synacor Zimbra Collaboration Suite (ZCS) allows an attacker to upload arbitrary files using cpio package to gain incorrect access to any other user accounts.
Required Action: Apply updates per vendor instructions.
Notes: https://wiki.zimbra.com/wiki/Security_Center; https://nvd.nist.gov/vuln/detail/CVE-2022-41352
Remediation Due Date: 2022-11-10
GHSA
GHSA-85q4-vgvj-3q28: An issue was discovered in Zimbra Collaboration (ZCS) 8
ghsa_unreviewed·2022-09-27
CVE-2022-41352 [CRITICAL] CWE-22 GHSA-85q4-vgvj-3q28: An issue was discovered in Zimbra Collaboration (ZCS) 8
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavisd via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavisd automatically prefers it over cpio.
VulnCheck
Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability
vulncheck·2022·CVSS 9.8
CVE-2022-41352 [CRITICAL] CWE-22 Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability
Synacor Zimbra Collaboration Suite (ZCS) allows an attacker to upload arbitrary files using cpio package to gain incorrect access to any other user accounts.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.group-ib.com/blog/bablock-ransomware/; https://sosintel.co.uk/flash-alert-cves-of-note-being-exploited-in-the-wild/; https://go.recordedfuture.com/hubfs/reports/cta-2024-0208.pdf; https://rt-solar.ru/solar-4rays/blog/4333/; https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats
Suricata
ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M4
suricata·2022-10-11·CVSS 9.8
Rule: alert smtp any any -> [$HOME_NET,$SMTP_SERVERS] any (msg:"ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M4"; flow:established,to_server; file.data; content:"070707"; startswith; content:"/jetty"; within:100; content:"/webapps/zimbra/public"; within:50; fast_pattern; reference:url,attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352/rapid7-analysis; reference:cve,2022-41352; classtype:attempted-admin; sid:2039143; rev:1; metadata:attack_target SMTP_Server, created_at 2022_10_11, cve CVE_2022_41352, deployment Perimeter, deployment Internal, confidence Low, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_10_11;)
Suricata
ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M6
suricata·2022-10-11·CVSS 9.8
Rule: alert smtp any any -> [$HOME_NET,$SMTP_SERVERS] any (msg:"ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M6"; flow:established,to_server; file.data; content:"|c7 71|"; startswith; content:"/jetty"; within:100; content:"/webapps/zimbra/public"; within:50; fast_pattern; reference:url,attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352/rapid7-analysis; reference:cve,2022-41352; classtype:attempted-admin; sid:2039145; rev:1; metadata:attack_target SMTP_Server, created_at 2022_10_11, cve CVE_2022_41352, deployment Perimeter, deployment Internal, confidence Low, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_10_11;)
Suricata
ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M2
suricata·2022-10-11·CVSS 9.8
Rule: alert smtp any any -> [$HOME_NET,$SMTP_SERVERS] any (msg:"ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M2"; flow:established,to_server; file.data; content:"2"; depth:330; content:"|5c|jetty"; within:100; content:"|5c|webapps|5c|zimbra|5c|public"; within:50; fast_pattern; content:"ustar"; within:70; reference:url,attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352/rapid7-analysis; reference:cve,2022-41352; classtype:attempted-admin; sid:2039142; rev:1; metadata:attack_target SMTP_Server, created_at 2022_10_11, cve CVE_2022_41352, deployment Perimeter, deployment Internal, confidence Low, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_10_11;)
Suricata
ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M1
suricata·2022-10-11·CVSS 9.8
Rule: alert smtp any any -> [$HOME_NET,$SMTP_SERVERS] any (msg:"ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M1"; flow:established,to_server; file.data; content:"2"; depth:330; content:"/jetty"; within:100; content:"/webapps/zimbra/public"; within:50; fast_pattern; content:"ustar"; within:70; reference:url,attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352/rapid7-analysis; reference:cve,2022-41352; classtype:attempted-admin; sid:2039141; rev:1; metadata:attack_target SMTP_Server, created_at 2022_10_11, cve CVE_2022_41352, deployment Perimeter, deployment Internal, confidence Low, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_10_11;)
Suricata
ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M5
suricata·2022-10-11·CVSS 9.8
Rule: alert smtp any any -> [$HOME_NET,$SMTP_SERVERS] any (msg:"ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M5"; flow:established,to_server; file.data; content:"|c7 71|"; startswith; content:"|5c|jetty"; within:100; content:"|5c|webapps|5c|zimbra|5c|public"; within:50; fast_pattern; reference:url,attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352/rapid7-analysis; reference:cve,2022-41352; classtype:attempted-admin; sid:2039146; rev:1; metadata:attack_target SMTP_Server, created_at 2022_10_11, cve CVE_2022_41352, deployment Perimeter, deployment Internal, confidence Low, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_10_11;)
Suricata
ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M8
suricata·2022-10-11·CVSS 9.8
Rule: alert smtp any any -> [$HOME_NET,$SMTP_SERVERS] any (msg:"ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M8"; flow:established,to_server; file.data; content:"|ed ab ee db|"; startswith; content:"/jetty"; within:100; content:"/webapps/zimbra/public"; within:50; fast_pattern; reference:url,attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352/rapid7-analysis; reference:cve,2022-41352; classtype:attempted-admin; sid:2039148; rev:1; metadata:attack_target SMTP_Server, created_at 2022_10_11, cve CVE_2022_41352, deployment Perimeter, deployment Internal, confidence Low, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_10_11;)
Suricata
ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M3
suricata·2022-10-11·CVSS 9.8
Rule: alert smtp any any -> [$HOME_NET,$SMTP_SERVERS] any (msg:"ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M3"; flow:established,to_server; file.data; content:"070707"; startswith; content:"|5c|jetty"; within:100; content:"|5c|webapps|5c|zimbra|5c|public"; within:50; fast_pattern; reference:url,attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352/rapid7-analysis; reference:cve,2022-41352; classtype:attempted-admin; sid:2039144; rev:1; metadata:attack_target SMTP_Server, created_at 2022_10_11, cve CVE_2022_41352, deployment Perimeter, deployment Internal, confidence Low, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_10_11;)
Suricata
ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M7
suricata·2022-10-11·CVSS 9.8
Rule: alert smtp any any -> [$HOME_NET,$SMTP_SERVERS] any (msg:"ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M7"; flow:established,to_server; file.data; content:"|ed ab ee db|"; startswith; content:"|5c|jetty"; within:100; content:"|5c|webapps|5c|zimbra|5c|public"; within:50; fast_pattern; reference:url,attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352/rapid7-analysis; reference:cve,2022-41352; classtype:attempted-admin; sid:2039147; rev:1; metadata:attack_target SMTP_Server, created_at 2022_10_11, cve CVE_2022_41352, deployment Perimeter, deployment Internal, confidence Low, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_10_11;)
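The eight ET rules above key on four archive magics (a ustar tar header, ODC cpio "070707", old binary cpio c7 71, and the RPM lead ed ab ee db) followed within a fixed byte window by /jetty and /webapps/zimbra/public. The following added example (mine, not the page's, Emerging Threats' or Zimbra's) does the same triage on the attachment bytes but parses the entry names and resolves each one against an assumed Amavis scratch directory, so it does not depend on how many ../ segments precede the path. The ODC cpio writer, the scratch path and the sample archives are constructed for the demo; binary cpio and RPM payloads are classified but not parsed.

```python
"""Classify a mail attachment by archive magic and flag entry names that would
unpack into the Zimbra public webroot.  Added example, not from the page."""
import io
import posixpath
import tarfile

TARGET = "/opt/zimbra/jetty/webapps/zimbra/public"
# Assumed extraction directory; only its depth matters when resolving '..' runs.
SCRATCH = "/var/tmp/amavis/tmp/parts"


def archive_kind(data: bytes) -> str:
    """Classify by the same leading bytes the M1-M8 rules key on."""
    if data.startswith(b"070707"):
        return "cpio-odc"                      # M3/M4: portable ASCII cpio
    if data[:2] in (b"\xc7\x71", b"\x71\xc7"):
        return "cpio-bin"                      # M5/M6: old binary cpio, either byte order
    if data.startswith(b"\xed\xab\xee\xdb"):
        return "rpm"                           # M7/M8: RPM lead (payload is a cpio)
    if len(data) >= 262 and data[257:262] == b"ustar":
        return "tar"                           # M1/M2: ustar/GNU tar header
    return "unknown"


def odc_entry(name: str, payload: bytes) -> bytes:
    """One ODC cpio entry (constructed writer): 76-byte octal header + NUL-terminated name + data."""
    hdr = b"070707" + b"%06o%06o%06o%06o%06o%06o%06o%011o%06o%011o" % (
        0, 0, 0o100644, 0, 0, 1, 0, 0, len(name) + 1, len(payload))
    return hdr + name.encode() + b"\0" + payload


def build_odc(entries) -> bytes:
    return b"".join(odc_entry(n, p) for n, p in entries) + odc_entry("TRAILER!!!", b"")


def odc_names(data: bytes):
    """Walk ODC headers: namesize is 6 octal digits at offset 59, filesize 11 at offset 65."""
    pos = 0
    while data[pos:pos + 6] == b"070707":
        namesize = int(data[pos + 59:pos + 65], 8)
        filesize = int(data[pos + 65:pos + 76], 8)
        name = data[pos + 76:pos + 76 + namesize - 1].decode(errors="replace")
        if name == "TRAILER!!!":
            break
        yield name
        pos += 76 + namesize + filesize


def tar_names(data: bytes):
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for member in tf:
            yield member.name


def entry_names(data: bytes) -> list:
    kind = archive_kind(data)
    if kind == "cpio-odc":
        return list(odc_names(data))
    if kind == "tar":
        return list(tar_names(data))
    return []   # binary cpio and RPM payloads are recognised but not parsed in this demo


def escapes_to_webroot(name: str, scratch: str = SCRATCH) -> bool:
    """True if unpacking `name` relative to `scratch` would land inside TARGET.
    Handles '..' runs of any length and absolute names (join discards scratch)."""
    resolved = posixpath.normpath(posixpath.join(scratch, name))
    return resolved == TARGET or resolved.startswith(TARGET + "/")


def inspect(data: bytes) -> dict:
    names = entry_names(data)
    return {"kind": archive_kind(data), "entries": names,
            "traversal": [n for n in names if escapes_to_webroot(n)]}


def sample_tar(member: str) -> bytes:
    """Constructed tar with one member whose name is attacker-controlled."""
    buf = io.BytesIO()
    body = b"<% /* constructed placeholder */ %>"
    with tarfile.open(fileobj=buf, mode="w:", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo(member)
        info.size = len(body)
        tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect(sample_tar("../../../../../opt/zimbra/jetty/webapps/zimbra/public/x.jsp")))
    print(inspect(build_odc([("docs/readme.txt", b"hello"),
                             ("/opt/zimbra/jetty/webapps/zimbra/public/y.jsp", b"<%%>")])))
```

The rules' within:100 / within:50 windows are measured from the magic, so a name with a long enough run of ../ (or extra leading directories) can push /jetty past the window; resolving the name as above catches that, at the cost of needing the whole attachment rather than a packet stream.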
Metasploit
TAR Path Traversal in Zimbra (CVE-2022-41352)
metasploit
This module creates a .tar file that can be emailed to a Zimbra server to exploit CVE-2022-41352. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in the cpio command-line utility that can extract an arbitrary file to an arbitrary location on a Linux system (CVE-2015-1197). Most Linux distros have chosen not to fix it. This issue is exploitable on Red Hat-based systems (and other hosts without pax installed) running versions:
- Zimbra Collaboration Suite 9.0.0 Patch 26 (and earlier)
- Zimbra Collaboration Suite 8.8.15 Patch 33 (and earlier)
The patch simply makes "pax" a prerequisite.
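To turn the affected-version and pax conditions in the module description into a host check, an added example (not from the page, Rapid7 or Zimbra). It assumes that `zmcontrol -v` prints a line containing `Patch <release>_P<n>` (for example `Patch 9.0.0_P24`) and that pax is on PATH when installed; both are assumptions to verify against your own build. The sample outputs are constructed.

```python
"""Triage a Zimbra host against the affected patch levels and the pax condition.
Added example, not vendor code.  Output format of `zmcontrol -v` is assumed."""
import re
import shutil
import subprocess

LAST_UNFIXED = {"9.0.0": 26, "8.8.15": 33}   # from the Metasploit module description

# Assumption: zmcontrol -v ends with "Patch <release>_P<n>."; adjust if your build differs.
VERSION_RE = re.compile(r"Patch\s+(?P<release>\d+\.\d+\.\d+)_P(?P<patch>\d+)")


def parse_patch_level(zmcontrol_output: str):
    m = VERSION_RE.search(zmcontrol_output)
    return (m.group("release"), int(m.group("patch"))) if m else None


def is_exposed(zmcontrol_output: str, pax_present: bool) -> dict:
    """Exposed = unfixed patch level AND no pax (amavis then falls back to cpio)."""
    level = parse_patch_level(zmcontrol_output)
    verdict = {"level": level, "pax_present": pax_present, "exposed": False, "why": []}
    if level is None:
        verdict["why"].append("could not parse patch level; check manually")
        return verdict
    release, patch = level
    if release not in LAST_UNFIXED:
        verdict["why"].append(f"release {release} is not in the affected set")
        return verdict
    if patch > LAST_UNFIXED[release]:
        verdict["why"].append(f"P{patch} is above the last unfixed P{LAST_UNFIXED[release]}")
        if not pax_present:
            verdict["why"].append("pax is still absent; confirm amavis is not falling back to cpio")
        return verdict
    verdict["why"].append(f"{release} P{patch} is an unfixed build")
    if pax_present:
        verdict["why"].append("pax is installed, so amavis prefers it over cpio (mitigated)")
    else:
        verdict["why"].append("pax is absent, so amavis uses cpio (exposed)")
        verdict["exposed"] = True
    return verdict


def triage_live_host() -> dict:
    """Run on the Zimbra host itself as the zimbra user; the zmcontrol path is assumed."""
    out = subprocess.run(["/opt/zimbra/bin/zmcontrol", "-v"],
                         capture_output=True, text=True).stdout
    return is_exposed(out, shutil.which("pax") is not None)


# Constructed sample outputs (format assumed, see VERSION_RE):
SAMPLE_RHEL_OLD = ("Release 9.0.0_GA_4545.RHEL8_64_20220413072455 RHEL8_64 FOSS edition, "
                   "Patch 9.0.0_P24.")
SAMPLE_PATCHED = ("Release 8.8.15_GA_3869.RHEL7_64_20190917004220 RHEL7_64 FOSS edition, "
                  "Patch 8.8.15_P34.")

if __name__ == "__main__":
    print(is_exposed(SAMPLE_RHEL_OLD, pax_present=False))
    print(is_exposed(SAMPLE_PATCHED, pax_present=False))
```

On a fixed patch level the check still reports a missing pax rather than staying silent, because the fix consists of requiring pax; an upgraded host where pax later disappeared is back on the cpio path.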
Nuclei
Zimbra Collaboration - Unrestricted File Upload
nuclei·CVSS 9.8
CVE-2022-41352 [CRITICAL] Zimbra Collaboration - Unrestricted File Upload
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.
Template:
id: CVE-2022-41352
info:
name: Zimbra Collaboration - Unrestricted File Upload
author: rxerium
severity: critical
description: |
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitra
Greynoiseio
GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
blogs_greynoiseio·2025-02-26·CVSS 9.8
[CRITICAL] GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
Qualys
Defense Lessons From the Black Basta Ransomware Playbook
blogs_qualys·2025-02-25
Defense Lessons From the Black Basta Ransomware Playbook
## Table of Contents
Know Your Enemy's Playbook
Attackers Move Fast
How Qualys Can Help
The cybersecurity world was rocked last week by a massive leak of Black Basta’s internal communications that emerged from the group’s chat logs. Triggered by internal conflicts and a retaliatory data dump following attacks on Russian banks, the exposed records offer a rare glimpse into Black Basta’s tactics, operations, and leadership.
We’ve analyzed these newly unveiled tactics, and in this blog, we equip security teams with clear, actionable insights. We aim to highlight the key lessons learned—like immediate patching, tighter access controls, and rapid incident response—and provide an urgent call to action. This practical guide aims to help organizations strengthen their defenses against evolving
Bleepingcomputer
BadPilot network hacking campaign fuels Russian SandWorm attacks
blogs_bleepingcomputer·2025-02-12
BadPilot network hacking campaign fuels Russian SandWorm attacks
## BadPilot network hacking campaign fuels Russian SandWorm attacks
## Bill Toulas
A subgroup of the Russian state-sponsored hacking group APT44, also known as 'Seashell Blizzard' and 'Sandworm', has been targeting critical organizations and governments in a multi-year campaign dubbed 'BadPilot.'
The threat actor has been active since at least 2021 and is also responsible for breaching networks of organizations in energy, oil and gas, telecommunications, shipping, and arms manufacturing sectors.
Microsoft's Threat Intelligence team says that the actor is dedicated to achieving initial access to target systems, establishing persistence, and maintaining presence to allow other APT44 subgroups with post-compromise expertise to take over.
"We have also observed the initial access subgroup
Qualys
Qualys Research Team: Threat Thursdays, October 2022
blogs_qualys·2022-10-28
Qualys Research Team: Threat Thursdays, October 2022
## Table of Contents
From the Qualys Blog
New Tools & Techniques
New Vulnerabilities
Noteworthy Mentions
Threat Thursdays Webinar
Welcome to the third edition of the Qualys Research Team’s “Threat Research Thursday”, where we collect and curate notable new tools, techniques, procedures, threat intelligence, cybersecurity news, malware attacks, and more. Feedback on our second edition, Qualys Threat Research Thursday , is more than welcome. We would love to hear from you!
## From the Qualys Blog
Here is a roundup of the most interesting blogs from the Qualys Research Team over the past couple of weeks:
Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform – How do you detect the ProxyNotShell vulnerability that was released a month a
Checkpoint
17th October – Threat Intelligence Report
blogs_checkpoint·2022-10-17
CVE-2022-41352 17th October – Threat Intelligence Report
## 17th October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 17th October, please download our Threat Intelligence Bulletin .
Top Attacks and Breaches
Guacamaya hacking group claim to have breached the Attorney General of Colombia, and leaked massive amount of data that revealed identities and methods of Australian Federal Police secret agents working to stop major drug importations to Australia. The breached data includes five million emails and tens of thousands of do
Securelist
Ongoing exploitation of CVE-2022-41352 (Zimbra 0-day)
blogs_securelist·2022-10-13
Table of Contents
- Overview
- Vulnerability details
- Mitigation
- Detection
- Remediation
Authors
- GReAT
## Overview
On September 10, 2022, a user reported on Zimbra’s official forums that their team detected a security incident originating from a fully patched instance of Zimbra. The details they provided allowed Zimbra to confirm that an unknown vulnerability allowed attackers to upload arbitrary files to up-to-date servers. At the moment, Zimbra has released a patch and shared its installation steps. In addition, manual mitigation steps can be undertaken by system administrators to prevent successful exploitation (see below).
Kaspersky investigated the threat and was able to confirm that unknown APT groups have actively been exploiting this vulnerability in the wild, one of wh
Qualys
October 2022 Patch Tuesday | Microsoft Releases 84 Vulnerabilities With 13 Critical, Plus 12 Microsoft Edge (Chromium-Based); Adobe Releases 4 Advisories, 29 Vulnerabilities With 17 Critical. | Qualys
blogs_qualys·2022-10-11
#### Table of Contents
- Microsoft Patch Tuesday Summary
- Microsoft Exchange ProxyNotShell Zero-Days Not Yet Addressed (QID 50122)
- The October 2022 Microsoft Vulnerabilities Are Classified As Follows:
- Two Zero-Day Vulnerabilities Addressed
- Microsoft Critical Vulnerability Highlights
- Microsoft Release Summary
- Microsoft Edge | Last But Not Least
- Adobe Security Bulletins and Advisories
- About Qualys Patch Tuesday
- Qualys Threat Research Blog Posts
- Qualys Threat Protection High-Rated Advisories
- Discover and Prioritize Vulnerabilities in Vulnerability Management Detection Response(VMDR)
- Rapid Response With Patch Management (PM)
- EXECUTE Mitigation Using Custom Assessment and Remediation (CAR)
- EVALUATE Vendor-Suggested Mitigation With Policy Compliance (PC)
- This Month
Checkpoint
10th October – Threat Intelligence Report
blogs_checkpoint·2022-10-10
CVE-2022-41352 10th October – Threat Intelligence Report
## 10th October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 10th October, please download our Threat Intelligence Bulletin .
Top Attacks and Breaches
CommonSpirit Health, the second-largest nonprofit hospital chain in the U.S with 140 hospitals and over 1,000 facilities in 21 states, suffered a cybersecurity incident that disrupted medical services across the country. Facilities in Iowa, Nebraska, Tennessee and Washington were among those affected. The nature of the at
References
http://packetstormsecurity.com/files/169458/Zimbra-Collaboration-Suite-TAR-Path-Traversal.html
https://forums.zimbra.org/viewtopic.php?t=71153&p=306532
https://wiki.zimbra.com/wiki/Security_Center
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
https://www.secpod.com/blog/unpatched-rce-bug-in-zimbra-collaboration-suite-exploited-in-wild/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-41352
Timeline
2022-09-26 · Published
2022-10-20 · Added to CISA KEV
Exploited in the wild