Steven Adair

**Name of the Vulnerable Software and Affected Versions** Palo Alto Networks PAN-OS versions 10.2 Palo Alto Networks PAN-OS versions 11.0 Palo Alto Networks PAN-OS versions 11.1 **Description** A command injection issue exists in the GlobalProtect feature of PAN-OS, resulting from arbitrary file creation. This allows an unauthenticated remote attacker to execute arbitrary code with root privileges on the firewall. The issue is triggered when the GlobalProtect feature and device telemetry are enabled. Technical exploitation involves a path traversal vulnerability via the `SESSID` cookie, allowing an attacker to write to the `/opt/panlogs/tmp/device telemetry/` directory. Subsequently, a command injection occurs within the `pansys.py` library, which uses the `subprocess.Popen()` function to execute `curl` for telemetry transmission via cron. Attackers may use the Internal Field Separator (`IFS`) to bypass space restrictions. Real-world exploitation has been observed in campaigns such as Operation MidnightEclipse, where attackers deployed Python-based backdoors (UPSTYLE), stole configuration data, and performed lateral movement using SMB and WinRM. It is estimated that between 40,000 and 133,000 devices worldwide could be potentially affected. **Recommendations** Update PAN-OS versions 10.2, 11.0, and 11.1 to the latest patched versions. As a temporary mitigation, disable the device telemetry feature to prevent the command injection chain.

**Name of the Vulnerable Software and Affected Versions** Zimbra Collaboration Suite (ZCS) versions 8.8.15 through 9.0 **Description** The mboximport functionality in Zimbra Collaboration Suite (ZCS) has an authentication bypass issue, allowing an attacker to upload arbitrary files to the system without an authtoken. This can lead to directory traversal and remote code execution. The issue is due to an incomplete fix for a previous vulnerability. **Recommendations** For Zimbra Collaboration Suite (ZCS) versions 8.8.15 through 9.0, consider disabling the mboximport functionality until a patch is available to prevent exploitation. Restrict access to the mboximport module to minimize the risk of remote code execution. Avoid using the mboximport functionality in production environments until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zimbra Collaboration Suite versions 8.8.x through 8.8.15 patch 29 **Description** An issue was discovered in the Calendar feature, allowing an attacker to place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document. The issue has been exploited in the wild starting in December 2021. **Recommendations** For Zimbra Collaboration Suite versions 8.8.x through 8.8.15 patch 29, update to version 8.8.15 patch 30 (update 1) to resolve the issue. As a temporary workaround, consider restricting access to the Calendar feature until a patch is available. Avoid using the Calendar feature with untrusted input until the issue is resolved.