Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting Microsoft Partner Center and Synacor Zimbra Collaboration Suite (ZCS) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities in question are as follows - CVE-2024-49035 (CVSS score: 8.7) - An improper access control
Analysis Summary
# Vulnerability: Microsoft & Zimbra Flaws Added to CISA KEV Catalog Due to Active Exploitation
## CVE Details
- **CVE-2024-49035**
  - CVSS Score: 8.7 (High)
  - CWE: Improper Access Control
- **CVE-2023-34192**
  - CVSS Score: 9.0 (Critical, implied by CISA action and high score)
  - CWE: Cross-Site Scripting (XSS)
## Affected Systems
- **Products:**
  - Microsoft Partner Center
  - Synacor Zimbra Collaboration Suite (ZCS)
- **Versions:**
  - **CVE-2024-49035:** Not specified, but fixed in the November 2024 updates.
  - **CVE-2023-34192:** Versions prior to ZCS 8.8.15 Patch 40.
- **Configurations:**
  - **CVE-2023-34192:** Requires the attacker to be a remote *authenticated* user.
## Vulnerability Description
**CVE-2024-49035 (Microsoft Partner Center):** An improper access control vulnerability that, if exploited, allows an attacker to escalate privileges within the affected system.

**CVE-2023-34192 (Synacor ZCS):** A Cross-Site Scripting (XSS) vulnerability in the `/h/autoSaveDraft` function. A remote, authenticated attacker can exploit it by supplying a crafted malicious script which, upon execution, could lead to arbitrary code execution in the context of the user's browser session.
## Exploitation
- **Status (CVE-2024-49035):** Exploited in the wild; Microsoft acknowledged exploitation last year.
- **Status (CVE-2023-34192):** No public reports of in-the-wild abuse are mentioned, but CISA has added it to the KEV catalog, indicating high risk.
- **Complexity:** Not explicitly detailed; CVE-2024-49035 leads to privilege escalation, and CVE-2023-34192 requires prior authentication.
- **Attack Vector:** Not explicitly stated; the remotely exploitable XSS suggests a Network (or Adjacent) vector, with authentication required.
## Impact
Impact was not scored beyond the CVSS values, but based on the flaw types:
- **CVE-2024-49035:** High impact on Integrity (privilege escalation) and potentially on Confidentiality.
- **CVE-2023-34192:** High impact on Confidentiality, Integrity, and Availability via session hijacking or other client-side attacks.
## Remediation
### Patches
- **CVE-2024-49035:** Patched by Microsoft in **November 2024** updates. Remediation involves applying these updates.
- **CVE-2023-34192:** Patched by Synacor in **July 2023** with **Zimbra Collaboration Suite (ZCS) version 8.8.15 Patch 40**.
### Workarounds
No specific workarounds were listed in the provided text beyond applying the vendor fixes. Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the necessary updates by **March 18, 2025**.
## Detection
- No detection signatures are given; the primary indicator is the inclusion of these CVEs in CISA's Known Exploited Vulnerabilities (KEV) catalog, which mandates prompt patching for federal entities.
- Mitigation relies on confirming that deployed systems are running versions at or beyond the fixed release points.
## References
- [CISA KEV Catalog Update](https://www.cisa.gov/news-events/alerts/2025/02/25/cisa-adds-two-known-exploited-vulnerabilities-catalog)
- [Microsoft Fixes (November 2024)](https://thehackernews.com/2024/11/microsoft-fixes-ai-cloud-and-erp.html)
- [Zimbra Security Advisory (July 2023)](https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories)