CISA Urges Organizations to Patch Actively Exploited Zimbra XSS Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday introduced that it has expanded its Known Exploited Vulnerabilities Catalog with a zero-day lately recognized within the Zimbra electronic mail platform.

Tracked as CVE-2022-24682, the safety gap was made public on February 3, when Volexity warned that attacks exploiting it had been ongoing since December 2021.

Described as a cross-site scripting (XSS) vulnerability, the difficulty impacts model 8.8.15 and prior of the open-source electronic mail platform. According to Zimbra, roughly 200,000 organizations use its electronic mail server, together with greater than a thousand authorities and monetary establishments.

On February 5, Zimbra launched a patch to handle the vulnerability in Zimbra 8.8.15 P30, encouraging all customers to replace to the latest launch to stay protected.

On February 25, CISA added the security flaw to its “Must-Patch” checklist, encouraging federal companies to apply the out there patch by March 11 – as per Binding Operational Directive (BOD) 22-01, companies are given two weeks to handle latest vulnerabilities which are added to the catalog.

[ READ: CISA’s ‘Must Patch’ List Puts Spotlight on Vulnerability Management Processes ]

The company additionally introduced that three different vulnerabilities have been added to the checklist, although all of them are older points. All three have an effect on Microsoft merchandise.

The first of those is CVE-2017-8570, a distant code execution vulnerability within the Office suite that has been exploited in attacks for greater than 4 years, together with by the China-based menace actor tracked as KeyBoy.

Next in line is CVE-2017-0222, a reminiscence corruption flaw in Internet Explorer that permits attackers to obtain distant code execution on a susceptible system.

When addressing the bug in May 2017, Microsoft warned of ongoing attacks exploiting it, however supplied no technical particulars on the noticed exploitation.

In July 2017, nonetheless, the corporate introduced patches for Windows XP to handle important vulnerabilities for which the hacking group often known as the Shadow Brokers leaked exploits allegedly stolen from the NSA-linked Equation Group. CVE-2017-0222 was one in every of these flaws.

The fourth vulnerability CISA added to its Must-Patch checklist on Friday is CVE-2014-6352, a Windows Object Linking and Embedding (OLE) that was already being exploited in assaults when Microsoft patched it in November 2014.

Federal companies have till August 25 to apply patches for these three vulnerabilities, supplied they haven’t addressed them already.

Private corporations have additionally been suggested to prioritize patching of the vulnerabilities added to the Known Exploited Vulnerabilities Catalog.

Related: CISA Warns of Attacks Exploiting Recent Vulnerabilities in Zabbix Monitoring Tool

Related: CISA Urges Organizations to Patch Recent Chrome, Magento Zero-Days

Related: CISA Urges Organizations to Patch Exploited Windows Vulnerability

Ionut Arghire is a global correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Related Posts