Unpatched Zimbra RCE bug used by hackers CVE-2022-41352

What is CVE-2022-41352 and why is it so dangerous?

This vulnerability was discovered in the cpio archive unpacking utility, which is used by the Amavis content filter, which in turn is part of the Zimbra Collaboration package. Attackers can create a malicious .tar archive with a web shell inside and send it to a server with vulnerable Zimbra Collaboration software. When the Amavis filter starts checking this archive, it calls the cpio utility, which unpacks the web shell into one of the public directories. Then the criminals only have to launch their web shell and start executing arbitrary commands on the attacked server. In other words, this vulnerability is similar to the vulnerability in the tarfile module.

Vulnerable product versions: Zimbra Collaboration (ZCS) 8.8.15 and 9.0.

Last Thursday, Rapid7 published technical information about the vulnerability and also shared exploit code for a proof of concept and indicators of compromise (IoCs) that corporate defenders can use.