Researchers have offered more insight into the unpatched critical remote code execution (RCE) vulnerability in Zimbra Collaboration Suite. The critical vulnerability, CVE-2022-41352, was rated at 9.8 and was first publicly acknowledged by Zimbra as actively exploited in the wild in mid-September.

In a blog post yesterday, Rapid7 researchers said that because CISA and others recently warned of multiple threat actors leveraging other Zimbra vulnerabilities, those actors would likely “logically move to exploit” CVE-2022-41352, the latest unpatched vulnerability.

The Rapid7 researchers explained that the vulnerability arises because Zimbra’s antivirus engine uses the cpio utility when scanning inbound emails. The cpio utility has a flaw that lets an attacker craft an archive that can access any file within Zimbra. Zimbra posted a workaround in a blog post on September 14, recommending that administrators install the pax utility and restart Zimbra services.
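As an added illustration (not code from the article, Zimbra or Rapid7), a defender-side pre-extraction check: parse a newc-format cpio archive and flag members whose names or symlink targets could steer an extractor outside its working directory. The archive bytes are a constructed sample, and the heuristics (absolute paths, `..` components, writes routed through an earlier symlink member) are an assumed scanner policy rather than a description of the specific cpio flaw.

```python
import stat

NEWC_MAGIC, HEADER_LEN = b"070701", 110   # ASCII "newc" magic; 6 + 13 hex fields of 8
_pad4 = lambda n: (n + 3) & ~3            # newc aligns names and payloads to 4 bytes

def parse_newc(data):
    members, off = [], 0                  # returns [(name, mode, payload)] per member
    while off + HEADER_LEN <= len(data):
        hdr = data[off:off + HEADER_LEN]
        if hdr[:6] != NEWC_MAGIC:
            raise ValueError("bad cpio magic at offset %d" % off)
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]   # field order per cpio(5) newc
        name = data[off + HEADER_LEN:off + HEADER_LEN + namesize - 1].decode("utf-8", "replace")
        data_start = _pad4(off + HEADER_LEN + namesize)
        payload = data[data_start:data_start + filesize]
        off = _pad4(data_start + filesize)
        if name == "TRAILER!!!":
            break
        members.append((name, mode, payload))
    return members

def unsafe_members(data):
    findings, symlinks = [], []           # (name, reason) for every member to refuse
    for name, mode, payload in parse_newc(data):
        if name.startswith("/"):
            findings.append((name, "absolute path"))
        elif ".." in name.split("/"):
            findings.append((name, "parent-directory traversal"))
        elif any(name.startswith(link + "/") for link in symlinks):
            findings.append((name, "path passes through an earlier symlink member"))
        if stat.S_ISLNK(mode):                 # a symlink member's payload is its target
            symlinks.append(name)
            target = payload.decode("utf-8", "replace")
            if target.startswith("/") or ".." in target.split("/"):
                findings.append((name, "symlink to " + target))
    return findings

def _member(name, mode, payload=b""):          # builds one newc member for the sample below
    n = name.encode() + b"\0"
    vals = (0, mode, 0, 0, 1, 0, len(payload), 0, 0, 0, 0, len(n), 0)
    head = NEWC_MAGIC + b"".join(b"%08x" % v for v in vals) + n
    head += b"\0" * (_pad4(len(head)) - len(head))
    return head + payload + b"\0" * (_pad4(len(payload)) - len(payload))

# Constructed sample: a benign file, a symlink to a placeholder absolute path, a write through it, a traversal name.
SAMPLE = b"".join([_member("report.txt", 0o100644, b"hello"),
                   _member("out", 0o120777, b"/placeholder/target/dir"),
                   _member("out/dropped.txt", 0o100644, b"x"),
                   _member("../escape.txt", 0o100644, b"y"),
                   _member("TRAILER!!!", 0)])
```

Running `unsafe_members(SAMPLE)` reports the symlink, the file written through it, and the traversal entry, while `report.txt` passes.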

John Bambenek, principal threat hunter at Netenrich, explained that this vulnerability works by mailing a malicious compressed archive file (.cpio, .tar, or .rpm) that would then overwrite system files with the permission of the running Zimbra service. He said it relies on cpio and an unfixed vulnerability, so Zimbra is moving to use a more secure alternative.

“As mail servers inherently are receiving untrusted communication from the internet, every installation, particularly those on Red Hat-based operating systems, is vulnerable to attackers simply sending messages and dropping files on their file systems,” Bambenek said. “Users can install pax instead on vulnerable systems and restart their mail server to mitigate the threat.”