Zero-Day Remote Code Execution Vulnerability in Zimbra Collaboration Suite Email Server

Zimbra Collaboration Suite (ZCS) Email Server Has Zero-Day Remote Code Execution Vulnerability

The Zimbra Collaboration Suite (ZCS) email server has an unpatched zero-day remote code execution vulnerability that hackers are actively exploiting. The issue is reportedly being exploited by the Winter Vivern APT group to hack government agencies.

The vulnerability is a reflected cross-site scripting (XSS) flaw that allows attackers to gain access to victims’ accounts. Once inside, the attackers can exploit sensitive information and conduct Business Email Compromise (BEC) scams.


A remote unauthenticated attacker can exploit this vulnerability to gain unauthorized access to the server filesystem. The flaw could be used to steal confidential data, install ransomware or conduct Business Email Compromise (BEC) scams.

Rapid7 discovered the vulnerability in Zimbra Collaboration Suite as its antivirus engine, Amavis, uses cpio to extract archives received from emails. Zimbra says it plans to remove the dependency on cpio and make pax a requirement.


Zimbra published a manual fix for this critical cross-site scripting (XSS) vulnerability. It affects versions of the software prior to 8.8.15 Patch 41.

TAG has observed exploitation of this flaw in the wild. Two campaigns, one of which is attributed to the Winter Vivern group, breached government organizations in Moldova and Tunisia.

This vulnerability is easily exploited and should be addressed without delay.


At first glance, CVE-2023-36884 might seem like just another security vulnerability – a dime a dozen in today’s digital world. But this particular exploit is particularly dangerous because it allows attackers to bypass security defenses and take over the system.

Threat actors are actively leveraging this flaw in targeted attacks targeting mostly North American and European defense and government organizations. It’s also being chained with RCE bugs to spread ransomware and other malware.


A critical vulnerability has been discovered in Atlassian’s Jira Service Management Server and Data Center that can be exploited to impersonate users and access instances. The vulnerability is tracked as CVE-2023-22515 and has a CVSS score of 9.4.

Like an uncharted comet cutting through the space of cybersecurity, this remote code execution flaw orbits around the Apache RocketMQ NameServer component. The safe route lies in upgrading to version 5.1.2 and above.


A cross-site scripting vulnerability has been spotted in Zimbra Collaboration Suite version 8.8.15. The flaw allows hackers to gain remote code execution.

The vulnerability is based on a cpio loophole and can be exploited to extract emails, wipe information or conduct Business Email Compromise (BEC) scams. Zimbra released a patch and advised users to install it. A workaround is to use pax instead of cpio on vulnerable servers.


CVE-2023-37584 is a security vulnerability that allows attackers to bypass the SmartScreen warning prompt. Attackers who successfully exploit this vulnerability can disclose information (Confidentiality) and compromise the system.

Microsoft has released a patch for this vulnerability. To exploit this flaw, attackers would need to trick victims into clicking on a malicious URL. This vulnerability is rated critical. Microsoft has also provided mitigation guidance.


A vulnerability in the XFRM subsystem could allow a local attacker to cause a denial of service. The vulnerability is caused by a race condition that allows an attacker to dereference a NULL pointer. NVD lists this as a high severity vulnerability with an exploitability rating of high (AC:H). Products listed in the Affected Products table below have been thoroughly evaluated to determine whether they contain the impacted component.


CVE-2023-37586 is a security vulnerability that has been exploited in the wild. It is associated with a format string vulnerability that may allow an unauthenticated attacker to gain arbitrary code execution or disrupt service. This issue has been reported by Ivanti customers via Tarlogic and by the US CERT/CC. Listed products were found to include one or more components affected by this vulnerability.


CVE-2023-37587 is a security vulnerability that could allow attackers to bypass a Microsoft Publisher feature to download and execute a malicious file. If successfully exploited, an attack could lead to local escalation of privilege.

This is the third vulnerability patched by Microsoft in 2023 that could result in unauthorized disclosure of NTLM hashes. This flaw is being exploited in the wild.


A vulnerability has been identified in Zimbra Collaboration Suite (ZCS), a widely deployed email and calendar solution. The vulnerability impacts ZCS versions 8.8.15 through patch 41.

Attackers are exploiting the flaw in the wild. To mitigate, users should exercise caution with links and carefully scrutinize form input. Employing two-factor authentication also mitigates opportunities for attackers to breach systems and steal information.

Proceed further to know more