Tag Archives: Eset

About Cross Site Scripting – Zimbra Collaboration (CVE-2024-27443) vulnerability

About Cross Site Scripting - Zimbra Collaboration (CVE-2024-27443) vulnerability

About Cross Site Scripting – Zimbra Collaboration (CVE-2024-27443) vulnerability. Zimbra Collaboration is a collaboration software suite that includes a mail server and a web client. An attacker can send an email containing a specially crafted calendar header with an embedded payload. If the user opens the email in the classic Zimbra web interface, the malicious JavaScript code will be executed in the context of the web browser window.

The vulnerability was fixed on February 28, 2024. As with the MDaemon vulnerability, exploitation of this vulnerability in the wild was reported by ESET researchers (Operation “RoundPress”). They discovered attacks in 2024, after the patch had already been released. The malicious code allowed attackers to steal credentials, extract contacts and settings, and gain access to email messages.

ESET published information about the attacks and a PoC exploit only on May 15, 2025. 🤷‍♂️ The flaw was added to the CISA KEV catalog on May 19.

На русском

About Cross Site Scripting – MDaemon Email Server (CVE-2024-11182)

About Cross Site Scripting - MDaemon Email Server (CVE-2024-11182)

About Cross Site Scripting – MDaemon Email Server (CVE-2024-11182). An attacker can send an HTML-formatted email containing malicious JavaScript code embedded in an img tag. If the user opens the email in the MDaemon Email Server’s web interface, the malicious JavaScript code will execute in the context of the web browser window. This allows the attacker to steal credentials, bypass 2FA, and gain access to contacts and email messages.

On November 1, 2024, researchers from ESET discovered that the vulnerability was being exploited in the wild. They linked the exploitation of this and several other vulnerabilities in webmail interfaces (Roundcube: CVE‑2023‑43770, CVE‑2020‑35730; Zimbra: CVE‑2024‑27443; Horde) to a broader operation dubbed “RoundPress”.

MDaemon patched the vulnerability in version 24.5.1 (released Nov 14, 2024), but ESET disclosed attacks and a PoC exploit only on May 15, 2025. 🤷‍♂️ The flaw was added to the CISA KEV catalog on May 19.

На русском

About the “EvilVideo” vulnerability in Telegram for Android

About the EvilVideo vulnerability in Telegram for Android

About the “EvilVideo” vulnerability in Telegram for Android. The post was published on the ESET blog. They stated that the exploit is for sale on the Dark Net.

🔻 The attacker creates a payload, which is displayed in Telegram for Android not as a file, but as a video preview. By default, media files in Telegram are downloaded automatically when the user sees a message in a chat. This payload will also be downloaded automatically as well.
If the user clicks on the preview, he sees a Telegram error asking him to use an external media player.
If the user agrees, an attempt is made to install the APK.
If the user allows the installation of APK from Telegram and clicks on the preview again, a window appears to confirm the installation of the application.
If the user presses “install”, the malware installs. 👾
🎞 There is a video demo.

🔻 Fixed in 10.14.5, older versions are vulnerable.

This is far from 0click, but with good social engineering, the efficiency can be high.

На русском

Petya, M.E.Doc and the problem of trust

Petya, M.E.Doc and the problem of trust. I’ve already mentioned in “Petya the Great and why *they* don’t patch vulnerabilities“, that NotPetya ransomware seems trivial from Vulnerability Management point of view. It uses known Windows vulnerabilities, that were patched by Microsoft long time ago.

Despite of this, I was really interested in M.E.Doc (servers were confiscated by Ukrainian police and website is not operational) role in the initial phase of malware spreading. In my opinion, we have a pretty interesting example of an attack vector, that will be very hard to detect and mitigate. And moreover, it’s once again shows that protected perimeter won’t be a panacea anymore.

m.e.doc

M.E.Doc – My Electronic Document Circulation System. “m.e.doc” sounds like the word, that mean “honey” in Russian and Ukrainian. That’s why all these bees in promo materials.

M.E.Doc is an Document Circulation System very popular in Ukraine. It makes possible to send reports to the government authorities in electronic form. It can be used in any organization. I can even imagine situation when usage of this kind of software may be even mandatory. Now the researchers [Eset, Dr.Web] say that M.E.Doc servers sent updates with backdoors  to the customers.

This backdoor has abilities:

  • Data collection for accessing mail servers
  • Arbitrary commands execution in the infected system
  • Running any executables
  • Downloading arbitrary files to the infected computer
  • Uploading arbitrary files to a remote server
  • Identify the exact organization using EDRPOU number.

I don’t really care about technical details about this backdoor. For me it’s enough that malicious code was on official server of the vendor and was spread to legitimate customers. Boom!

Continue reading