Conclusion
The discovery of at least four campaigns exploiting CVE-2023-37580, three campaigns after the bug first became public, demonstrates the importance of organizations applying fixes to their mail servers as soon as possible. These campaigns also highlight how attackers monitor open-source repositories to opportunistically exploit vulnerabilities where the fix is in the repository, but not yet released to users. The actors behind Campaign #2 began exploiting the bug after the fix was pushed to Github, but before Zimbra publicly released the advisory with remediation advice.
The exploitation of CVE-2023-37580 comes on the heels of CVE-2022-24682, another reflected XSS vulnerability in Zimbra mail servers that was actively exploited in-the-wild in 2022 and is followed by the exploitation of CVE-2023-5631, a XSS vulnerability in Roundcube mail servers just this past month. The regular exploitation of XSS vulnerabilities in mail servers also shows a need for further code auditing of these applications, especially for XSS vulnerabilities.
We’d like to acknowledge Zimbra for their response and patching of this vulnerability. Following our disclosure policy, TAG shares its research to raise awareness and advance security across the ecosystem. We also add all identified websites and domains to Safe Browsing to safeguard users from further exploitation. We urge users and organizations to apply patches quickly and keep software fully up-to-date for their protection. TAG will remain focused on detecting, analyzing, and preventing 0-day exploitation as well as reporting vulnerabilities to vendors immediately upon discovery.