The Kaspersky logo is seen on Nov. 21, 2019, in Venice, Italy. (Photo by Tristan Fewings/Getty Images for Kaspersky)

Researchers with Kaspersky said they expect a third wave of attacks on unpatched servers after a recent proof of concept for a vulnerability that could allow remote code execution in Zimbra has been added to the Metasploit Project.

Zimbra, a software suite of collaboration tools for enterprises, issued a patch for the vulnerability in May, two months after it was first reported by researchers at SonarSource. 

But according to Kaspersky, two successive attack waves came in September, the first one targeting government servers in Asia and a second wave that was larger in scope on Sept. 30 that went after “all vulnerable services located in specific Central Asian countries.”

“On October 7, 2022, a proof of concept for this vulnerability was added to the Metasploit framework, laying the groundwork for massive and global exploitation from even low-sophistication attackers,” Kaspersky researchers posted to its blog, SecureList

Metasploit provides information on vulnerabilities and aids in penetration testing.

Zimbra acknowledged that the vulnerability, tracked as CVE-2022-41352, comes from its antivirus engine using the cpio utility to scan inbound emails. The cpio utility has a flaw, CVE-2015-1197, that lets hackers create an archive that could access any files within Zimbra.

Kaspersky recommended security teams update devices with the patch that Zimbra released, said teams should install pax on the machine hosting the Zimbra installation to prevent the vulnerability from being exploitable if they couldn’t install the patch.

The Cybersecurity and Infrastructure Security Agency (CISA) added the Zimbra RCE to its list of Known Exploited Vulnerabilities Catalog in August and all U.S. federal agencies were mandated to address the vulnerability. The software suite is used by over 200,000 businesses, including the U.S., according to the vendor.