A new zero-day vulnerability affecting Zimbra has been exploited to hack more than 1,000 enterprise email servers, according to incident response firm Volexity. In July and early August, Volexity was called in to investigate several Zimbra Collaboration Suite breaches. The company’s analysis showed that the attackers had most likely exploited CVE-2022-27925, a remote code execution vulnerability in Zimbra that the vendor patched in March 2022. The problem was that exploitation of CVE-2022-27925 requires admin credentials, which makes mass exploitation less likely. In addition, there was no indication that the attackers had managed to obtain the required credentials. Further analysis showed that it was possible to bypass authentication when accessing the same endpoint used by CVE-2022-27925. The findings were reported to Zimbra, which patched the authentication bypass vulnerability at the end of July with the release of versions 9.0.0P26 and 8.8.15P33.