- Category: Vulnerability Intelligence
- Vulnerability Class: Remote Code Execution
- CVE ID: CVE-2022-30333
- CVSS:3.0 Score: 7.5
- CloudSEK's contextual AI digital risk platform XVigil has identified multiple threat actors exploiting CVE-2022-30333 to target vulnerable Zimbra webmail servers.
- CVE-2022-30333 is a path traversal vulnerability in RarLab's UnRAR binary that can lead to remote code execution (RCE) on Zimbra webmail and potentially on other software that extracts RAR archives with UnRAR.
- Zimbra is a well-known webmail service used by several businesses and government organizations, so the vulnerability poses a high risk of exploitation.
- UnRAR 6.17 and earlier versions, and the following software, are affected by this vulnerability:
  - Zimbra 9.0.0 patch 24 and earlier
  - Zimbra 8.8.15 patch 31 and earlier
- A significant amount of chatter was observed on cybercrime forums and channels regarding CVE-2022-30333.
- Threat actors were seen selling exploits for this vulnerability at USD 4,000.
- Multiple threat actors were seen posting about exploiting the Zimbra vulnerability to gain access to Government mail servers.
- Multiple threat actors are actively exploiting and sharing the PoCs of this vulnerability.
- CVE-2022-30333 has been exploited to successfully launch a spear phishing campaign against the European government and agencies.
- Attackers are using this vulnerability to send out email messages that lure victims into clicking on specially crafted malicious links.
- The emails sent out in the spear-phishing campaign were frequently formatted as follows:
- A significant surge has been observed in the number of tweets mentioning CVE-2022-30333 over the past month.
- An attacker uses a maliciously crafted RAR archive containing a symbolic link that points outside of the extraction directory; a second file in the archive is then written through (dereferences) that link.
- The exploit relies on UnRAR's DosSlashToUnix() function, which converts backslashes (\) to forward slashes (/) so that a RAR archive created on Windows can be extracted on a Unix system: the symbolic link target is written with backslashes so that it is only recognised as a traversal after the conversion.
- The exploit gives threat actors the freedom to write and read files anywhere on the victim's system.
- The following code snippet is a publicly available PoC (on GitHub) for CVE-2022-30333.
  - The attacker provides a target location along with some file data as input.
  - The code generates a .rar archive that exploits the vulnerability and extracts the file to that location.
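A defender-side pre-extraction check built from the mechanism described above (an added example, not code from the advisory, from CloudSEK or from the UnRAR project): it mirrors the backslash-to-slash conversion that DosSlashToUnix() performs, contrasts a symlink check run before that conversion with one run after it, and flags a later entry that would be written through a symlink. Archive entries are modelled as constructed (name, kind, target) tuples rather than parsed from a real RAR file.

```python
import posixpath
# Entries are (name, kind, symlink_target) tuples, kind "file" or "symlink": constructed metadata.

def dos_slash_to_unix(path):
    """Mirror what UnRAR's DosSlashToUnix() does: every backslash becomes a forward slash."""
    return path.replace("\\", "/")

def naive_symlink_check(target):
    """Weak pattern: validate BEFORE slash conversion, so only '/'-style traversal is
    seen; a target written with backslashes is judged safe and converted afterwards."""
    return not (target.startswith("/") or target.startswith("../") or "/../" in target)

def symlink_escapes(link_name, target):
    """Hardened check: convert slashes first, resolve the target relative to the link's
    own directory, and flag anything that lands outside the extraction root."""
    link_name, target = dos_slash_to_unix(link_name), dos_slash_to_unix(target)
    if target.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(link_name), target))
    return resolved == ".." or resolved.startswith("../")

def audit_entries(entries):
    """Walk entries in archive order and report both conditions the advisory describes:
    a symlink pointing outside the extraction directory, and a later regular file whose
    path passes through an earlier symlink (its write is dereferenced to the target)."""
    findings, seen_links = [], set()
    for name, kind, target in entries:
        uname = dos_slash_to_unix(name)
        if kind == "symlink":
            if symlink_escapes(uname, target or ""):
                findings.append(f"escaping symlink: {uname} -> {target}")
            seen_links.add(uname)
            continue
        parts = uname.split("/")
        if any("/".join(parts[:i]) in seen_links for i in range(1, len(parts))):
            findings.append(f"file written through symlink: {uname}")
    return findings

# Constructed sample: a backslash target the naive check accepts but which escapes once
# converted, followed by a second entry that writes through the link.
SAMPLE = [
    ("docs/readme.txt", "file", None),
    ("link", "symlink", "..\\..\\..\\tmp"),
    ("link\\dropped.txt", "file", None),
]

if __name__ == "__main__":
    print("naive check says safe:", naive_symlink_check(SAMPLE[1][2]))
    for finding in audit_entries(SAMPLE):
        print(finding)
```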
- URLs: hxxp://fireclaws.spiritfield[.]ga/.jpeg?[integer], hxxp://feralrage.spiritfield[.]ga/.jpeg?[integer], hxxp://oaksage.spiritfield[.]ga/.jpeg?[integer], hxxp://claygolem.spiritfield[.]ga/.jpeg?[integer]
- IP addresses: 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168
- Domains: Amazon-check[.]cf, Bruising-intellect[.]ml, Chargedboltsentry.spiritfield[.]tk, Mail.bruising-intellect[.]ml, Tigerstrike.iceywindflow[.]ml