CVE-2023-37580

Zimbra ZCS 8.8.x — Reflected XSS via Unescaped URL Parameter Exploited by Four Nation-State Groups as Zero-Day
CVSS 3.1: 6.1 / 10 (MEDIUM) | CISA Known Exploited Vulnerability

What is Zimbra Collaboration Suite?

Zimbra Collaboration Suite (ZCS) is an enterprise email, calendar, and collaboration platform deployed globally across government agencies, diplomatic missions, military organisations, and enterprises. Its Classic Web Client is a browser-based webmail interface whose request handling includes URL parameters used for navigation and routing. CVE-2023-37580 exposes one such parameter — the st parameter — as a reflected XSS injection point, allowing an attacker to craft a malicious URL that, when clicked, executes JavaScript in the context of the victim's authenticated Zimbra session.

Overview

Actively Exploited — Four Nation-State Groups. CVE-2023-37580 was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on July 27, 2023. Google's Threat Analysis Group (TAG) documented four independent nation-state groups exploiting this vulnerability across a ten-week zero-day and post-patch exploitation window — one of the most extensively documented cases of email platform XSS exploitation by state-sponsored actors on record.

CVE-2023-37580 is a reflected cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite 8 prior to 8.8.15 Patch 41. A URL parameter in the Classic Web Client is injected directly into the HTML page without escaping, allowing an attacker to craft a malicious Zimbra URL that executes JavaScript in the victim's authenticated session when clicked. The attack is delivered via email or any other vector that can place a crafted URL in front of the target.

Affected Versions

Status      Zimbra ZCS Version
Vulnerable  ZCS 8 (all 8.x versions) prior to 8.8.15 Patch 41
Fixed       ZCS 8.8.15 Patch 41 and later
Note        CVE-2023-37580 only affects the 8.8.x release train

Technical Details

The vulnerability is in the Classic Web Client URL routing logic. The st URL parameter — used to specify a state or navigation target within the webmail interface — is embedded directly into the HTML of the rendered page without HTML-entity encoding. An attacker crafts a URL containing JavaScript in the st parameter; when a victim clicks the link and the Classic Web Client renders the page, the script executes in the context of the victim's authenticated session.

Example of the injection mechanism (simplified):

https://zimbra-server/zimbra/?st=<script>/* attacker payload */</script>

The st parameter's value is reflected back into the response without sanitization, triggering execution.

Attack characteristics:

  • Authentication required: No — the attacker sends a crafted URL; no prior access to Zimbra is needed
  • User interaction: Required — victim must click the malicious Zimbra link
  • Delivery method: Spear-phishing email containing a link to the victim's own Zimbra server
  • Execution context: Victim's authenticated Zimbra session — attacker script accesses session cookies, email data, contacts, and authentication tokens
  • Scope: Changed — the exploit runs in a different security context (the victim's browser session) than the attacker's origin

What the fix does: Zimbra's patch escapes the contents of the st parameter before injecting it into the HTML response, preventing script execution. The fix was committed to the public Zimbra GitHub repository before an official advisory was issued — making the vulnerability's technical details visible to threat actors monitoring the repository.
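To make the mechanism and the fix concrete, the following is an added example (not Zimbra's code and not the actual Classic Web Client template): a stand-in page template reflects the st parameter, once verbatim (pre-patch behaviour) and once after HTML-entity encoding (the post-patch behaviour the advisory describes). An HTML parser counts the <script> elements a browser would see in each response. The template, hostname and demo payload are assumptions constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Hypothetical stand-in for the Classic Web Client page into which the st
# parameter is reflected (not Zimbra's real template).
PAGE_TEMPLATE = "<html><body><div id='state'>{st}</div></body></html>"

# Constructed demo URLs: a percent-encoded <script> element in st, and a
# benign navigation value.
DEMO_URL = "https://zimbra.example/zimbra/?st=%3Cscript%3E/*%20demo%20*/%3C/script%3E"
BENIGN_URL = "https://zimbra.example/zimbra/?st=mail"


def _st_param(url: str) -> str:
    """Extract the (percent-decoded) st parameter from a URL, '' if absent."""
    return parse_qs(urlsplit(url).query).get("st", [""])[0]


def render_vulnerable(url: str) -> str:
    """Pre-patch behaviour: the parameter value is reflected verbatim."""
    return PAGE_TEMPLATE.format(st=_st_param(url))


def render_fixed(url: str) -> str:
    """Post-patch behaviour: the value is HTML-entity encoded before reflection,
    so <, >, &, ' and " become inert text rather than markup."""
    return PAGE_TEMPLATE.format(st=html.escape(_st_param(url), quote=True))


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags as a browser's HTML parser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def script_tag_count(page: str) -> int:
    """Number of <script> elements in a rendered page."""
    counter = _ScriptCounter()
    counter.feed(page)
    counter.close()
    return counter.scripts


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        page = render(DEMO_URL)
        print(f"{name}: {script_tag_count(page)} script element(s) -> {page}")
```

The point of the escaped variant is that the parameter still reaches the page (navigation keeps working for values such as mail), but its angle brackets arrive as &lt; and &gt; and therefore never form an element. Output encoding at the point of reflection, rather than input filtering, is what closes a reflected XSS of this kind.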

Discovery

CVE-2023-37580 was discovered and reported by Clément Lecigne of Google's Threat Analysis Group (TAG). Google TAG identified the vulnerability after observing exploitation in the wild during their ongoing monitoring of government-targeting campaigns. Google TAG published a public analysis of the four exploitation campaigns in November 2023, providing the most comprehensive public attribution of XSS exploitation against government webmail servers on record.

Exploitation Context

Google TAG documented four separate nation-state exploitation campaigns using CVE-2023-37580 across a ten-week period from late June to late August 2023. Three of the four campaigns began before the official Zimbra patch was released on July 25, 2023 — the initial campaigns exploited the vulnerability as a zero-day. The fourth campaign, attributed to a Pakistan-linked group, began after the patch was public, indicating that post-patch exploitation continued as organisations delayed updating.

Campaign                  Timing                         Attribution  Target
Greece-linked group       June 29, 2023 (zero-day)       Google TAG   Greek government officials' webmail
Winter Vivern / UAC-0114  July 2023 (before patch)       Google TAG   Moldova and Tunisia government webmail
Vietnam-nexus group       July 20, 2023 (before patch)   Google TAG   Government targets
Pakistan-nexus group      August 25, 2023 (after patch)  Google TAG   Exfiltrated Zimbra auth tokens to ntcpk[.]org

Winter Vivern (UAC-0114) is a threat actor attributed by multiple security firms to Belarusian intelligence services. It had previously targeted Ukrainian, Polish, and European government entities. CVE-2023-37580 represented an expansion to Moldova and Tunisia — specifically targeting government webmail accounts likely held by foreign ministry and diplomatic personnel.

A critical observation from Google TAG: "Most of this activity occurred after the initial fix became public on GitHub." The fix was merged to the public Zimbra GitHub repository before the official security advisory was published — making the vulnerability's existence and the patch's intent visible to any attacker monitoring the repository. Three independent groups were exploiting the zero-day when the fix appeared on GitHub; the fourth group appears to have picked it up after seeing the public fix. This demonstrates the importance of coordinated disclosure and the risk of publishing patches without simultaneous security advisories.

Remediation

  1. Upgrade to ZCS 8.8.15 Patch 41 or later immediately. The fix is a single-parameter escaping change; upgrading is the only durable mitigation.
  2. Warn users about phishing emails containing Zimbra webmail links from external sources. Reflected XSS requires the victim to click a crafted URL — user awareness is a secondary layer of defense.
  3. Monitor for anomalous authenticated webmail activity following receipt of emails containing links to the Zimbra server itself. Look for unexpected API calls, session events from unexpected source IPs, or email filter rules created shortly after clicking an internal-looking link.
  4. Review and invalidate active sessions on the server post-patch if the exploitation window may have overlapped with active sessions. Unexpired sessions may still be usable via stolen cookies held by the attacker.
  5. Consider migrating to the Modern UI (Iris) for high-value users — all confirmed exploitation of CVE-2023-37580 targeted the Classic Web Client.
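As an added illustration of the monitoring step above (not part of the advisory and not a Zimbra-provided tool), the following check scans web-server access log lines for requests whose st parameter carries HTML metacharacters or script-bearing fragments, which a legitimate navigation-state value never needs. It decodes percent-encoding repeatedly so a double-encoded value is not missed. The log lines are constructed for the example, the combined log format is assumed, and because the advisory does not name the exact vulnerable endpoint path, the check keys on the parameter name only.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-log-format request line; only the fields the check needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Characters and fragments that a navigation-state value never needs but that
# are required to break out of HTML text or attribute context.
SUSPICIOUS = re.compile(r"""[<>"']|javascript:|\bon\w+\s*=""", re.IGNORECASE)

# Constructed sample log lines (not real traffic): two benign st values, one
# percent-encoded <script> element, one double-encoded variant, one junk line.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Jun/2023:09:14:02 +0000] "GET /zimbra/?st=mail HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Jun/2023:09:15:40 +0000] "GET /zimbra/?st=%3Cscript%3E/*%20demo%20*/%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jul/2023:13:02:11 +0000] "GET /zimbra/?st=%253Cscript%253E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [20/Jul/2023:13:05:00 +0000] "GET /zimbra/?st=calendar HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'not a log line',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_st_requests(lines):
    """Return (ip, timestamp, decoded st value) for each request whose st
    parameter contains markup metacharacters or script-bearing fragments."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined log format
        query = urlsplit(match.group("target")).query
        for raw in parse_qs(query).get("st", []):  # parse_qs already decodes once
            value = fully_decode(raw)
            if SUSPICIOUS.search(value):
                hits.append((match.group("ip"), match.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_st_requests(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious st={value!r}")
```

A hit on a request that returned 200 is the interesting case: it means the crafted link was followed by a logged-in user, and that user's session (item 4 above) is the one to invalidate and review.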

Key Details

Property              Value
CVE ID                CVE-2023-37580
Vendor / Product      Synacor — Zimbra Collaboration Suite (ZCS)
NVD Published         2023-07-31
NVD Last Modified     2025-10-31
CVSS 3.1 Score        6.1
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity              MEDIUM
CWE                   CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CISA KEV Added        2023-07-27
CISA KEV Deadline     2023-08-17
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     Required
Scope                Changed
Confidentiality      Low
Integrity            Low
Availability         None

Required Action

CISA BOD 22-01 Deadline: 2023-08-17. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2023-06-29  First exploitation observed — Greece-linked group exploits CVE-2023-37580 as a zero-day against Greek government officials' Zimbra webmail accounts
2023-07-01  Zimbra fix committed to public GitHub repository (fix visible before official advisory)
2023-07-01  Winter Vivern (UAC-0114) begins exploiting the vulnerability — before official patch — targeting Moldova and Tunisia government webmail
2023-07-20  Vietnam-nexus threat group begins exploitation
2023-07-25  Zimbra releases official patch: ZCS 8.8.15 Patch 41
2023-07-27  Added to CISA Known Exploited Vulnerabilities catalog (two days after official patch, three of four campaigns already active)
2023-08-17  CISA BOD 22-01 remediation deadline
2023-08-25  Pakistan-nexus group exploits vulnerability (post-patch); exfiltrates Zimbra authentication tokens to 'ntcpk[.]org'
2023-11-01  Google TAG publishes public analysis documenting all four nation-state exploitation campaigns