Zimbra zero-day vulnerability actively exploited to steal emails (Security News, February 2022)
A zero-day cross-site scripting (XSS) vulnerability in the Zimbra email platform is currently being actively exploited in attacks targeting European media and government organizations.
Zimbra is an email and collaboration platform that also includes instant messaging, contacts, video conferencing, file sharing, and cloud storage capabilities.
Since exploitation started in December, Volexity researchers have seen the threat actor, which they track as TEMP_Heretic, checking for live email addresses using reconnaissance emails with embedded remote images (an image reference that makes the recipient's mail client fetch a resource from an attacker-controlled server when the message is opened, confirming that the address is active).
"Upon clicking the malicious link, the attacker infrastructure would attempt a redirect to a page on the targeted organization's Zimbra webmail host, with a specific URI format which, if the user is logged in, exploits a vulnerability allowing an attacker to load arbitrary JavaScript in the context of a logged-in Zimbra session," the researchers added.
Because the injected script ran inside the victim's authenticated Zimbra session, it could read through the emails in the victim's mailbox and exfiltrate message contents and attachments to attacker-controlled servers.
"Based on BinaryEdge data, approximately 33,000 servers are running the Zimbra email server, although the true number is likely to be higher."