The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a recently disclosed high-severity vulnerability in the Zimbra email suite to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation.
The issue in question is CVE-2022-27924 (CVSS score: 7.5), a command injection flaw in the platform that could lead to the execution of arbitrary Memcached commands and theft of sensitive information.
“Zimbra Collaboration (ZCS) allows an attacker to inject memcached commands into a targeted instance which causes an overwrite of arbitrary cached entries,” CISA said.
Specifically, the bug stems from insufficient validation of user input that, if successfully exploited, could enable attackers to steal cleartext credentials from users of targeted Zimbra instances.
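To show what "insufficient validation of user input" means for a memcached text-protocol client, here is an added illustration (not code from the original article, Zimbra or CISA): a naive command builder that interpolates a caller-supplied key directly into a `get` line beside a hardened builder that enforces the protocol's key rules (printable, non-whitespace bytes, at most 250 of them). Because the text protocol delimits commands with CRLF, a key containing control characters turns one command into several. The function and variable names and the sample keys are constructed for this example.

```python
import re

# memcached text-protocol key rule: 1-250 bytes, each printable and not whitespace.
# Control characters, including CR and LF, are therefore never part of a valid key.
_VALID_KEY = re.compile(rb"[\x21-\x7e]{1,250}")


def build_get_command_unsafe(key: str) -> bytes:
    """Naive builder (the weak pattern): the key is trusted as-is.

    Any CR/LF inside `key` terminates the 'get' line early, and the server
    parses whatever follows as additional commands."""
    return b"get " + key.encode("utf-8") + b"\r\n"


def build_get_command_safe(key: str) -> bytes:
    """Hardened builder: reject any key that is not a valid protocol key.

    Validation happens on the encoded bytes, so multi-byte characters,
    whitespace and control characters are all refused before a line is built."""
    raw = key.encode("utf-8")
    if _VALID_KEY.fullmatch(raw) is None:
        raise ValueError(
            "invalid memcached key: must be 1-250 printable, non-whitespace ASCII bytes"
        )
    return b"get " + raw + b"\r\n"


def is_key_accepted(key: str) -> bool:
    """Convenience wrapper used to check the hardened builder's decision."""
    try:
        build_get_command_safe(key)
    except ValueError:
        return False
    return True


def count_protocol_lines(payload: bytes) -> int:
    """How many command lines a memcached server would parse from `payload`.

    A single 'get' should yield exactly one; more than one means a caller's
    input has smuggled extra commands into the stream."""
    return len([line for line in payload.split(b"\r\n") if line])


# Constructed sample inputs for the demonstration (not taken from the advisory).
BENIGN_KEY = "route:alice@example.test"
HOSTILE_KEY = "alice@example.test\r\nversion"   # second line is a harmless extra command
UNICODE_KEY = "r\u00f6ute:alice"                 # non-ASCII byte, also not a valid key


if __name__ == "__main__":
    print(count_protocol_lines(build_get_command_unsafe(BENIGN_KEY)))   # 1
    print(count_protocol_lines(build_get_command_unsafe(HOSTILE_KEY)))  # 2: injection
    print(is_key_accepted(BENIGN_KEY), is_key_accepted(HOSTILE_KEY), is_key_accepted(UNICODE_KEY))
```

The hardened builder uses `fullmatch` on the encoded bytes rather than a `^...$` pattern: with `$`, Python's regex engine accepts a trailing newline, which is precisely the byte that must be refused. A deployment-side check for this class of defect is `count_protocol_lines`: any request that expands to more than one command line signals that untrusted input reached the protocol layer unvalidated.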
The issue was disclosed by SonarSource in June, with patches released by Zimbra on May 10, 2022, in versions 8.8.15 P31.1 and 9.0.0 P24.1.
CISA hasn't shared technical details of the attacks that exploit the vulnerability in the wild and has yet to attribute it to a specific threat actor.
In light of active exploitation of the flaw, users are advised to apply the software updates to reduce their exposure to potential cyberattacks.
Some parts of this article are sourced from:
thehackernews.com