CVE-2022-27332
📋 TL;DR
CVE-2022-27332 is an authentication bypass vulnerability in Zammad v5.0.3 that allows unauthenticated attackers to write entries to the CTI caller log. This enables attackers to execute phishing attacks or cause denial of service by flooding the log. Organizations running Zammad v5.0.3 are affected.
💻 Affected Systems
- Zammad
📦 What is this software?
Zammad is an open-source helpdesk and ticketing system developed by Zammad. Its CTI (computer telephony integration) feature keeps a caller log of phone calls, which is the component this vulnerability allows unauthenticated writes to.
⚠️ Risk & Real-World Impact
Worst Case
Attackers flood CTI logs causing system instability/DoS, inject malicious content for phishing campaigns, and potentially pivot to other attacks using the unauthorized access.
Likely Case
Attackers exploit the vulnerability to inject malicious caller information for phishing or spam campaigns targeting Zammad users.
If Mitigated
With proper network segmentation and monitoring, impact is limited to potential log corruption and minor service disruption.
🎯 Exploit Status
The vulnerability is straightforward to exploit as it requires no authentication and involves simple HTTP requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v5.0.4 and later
Vendor Advisory: https://zammad.com/en/advisories/zaa-2022-01
Restart Required: Yes
Instructions:
1. Backup your Zammad instance.
2. Update to Zammad v5.0.4 or later using your package manager or deployment method.
3. Restart Zammad services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Network Access Control
Restrict access to Zammad CTI endpoints using firewall rules or network segmentation. In the rules below, replace trusted_network with the address or CIDR of the network that may reach the service, and filter the port Zammad is actually exposed on (3000 here; if a reverse proxy fronts Zammad, filter the proxy's port instead). Rule order matters: the ACCEPT rule must be inserted before the DROP rule.
# allow the trusted network, then drop everything else reaching the Zammad port
iptables -A INPUT -p tcp --dport 3000 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Zammad from untrusted networks.
- Deploy a WAF with rules to block unauthorized CTI log write attempts.
🔍 How to Verify
Check if Vulnerable:
Check the Zammad version: if it is v5.0.3, the system is vulnerable. Confirm by attempting an unauthenticated POST request to the CTI log endpoint; a vulnerable instance accepts it instead of rejecting it with an authentication error.
Check Version:
zammad version
Verify Fix Applied:
Verify Zammad version is v5.0.4 or later. Test that unauthenticated POST requests to CTI log endpoints now return authentication errors.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated POST requests to /api/v1/cti/log
- Unusual volume of CTI log entries from single IPs
- CTI log entries with suspicious/malicious content
Network Indicators:
- HTTP POST requests to CTI endpoints without authentication headers
- High volume of requests to /api/v1/cti/log from external IPs
SIEM Query:
source="zammad" AND (uri_path="/api/v1/cti/log" AND http_method="POST" AND NOT auth_token=*)
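As an added example (not from this advisory or from Zammad), the following Python applies the SIEM logic above to log records: it flags POSTs to /api/v1/cti/log that carry no auth token and single-IP floods of CTI log writes. It assumes JSON records using the query's field names plus src_ip (constructed here), and an allowlist for the PBX that is expected to post caller events without a user token, so that legitimate telephony traffic does not trigger the alert.

```python
import json
from collections import Counter

CTI_LOG_PATH = "/api/v1/cti/log"
# Assumption: PBX address(es) that legitimately push caller events with no user auth token.
TRUSTED_CTI_SOURCES = {"10.0.0.5"}
VOLUME_THRESHOLD = 3  # CTI log writes per IP above which we flag flooding

def _rec(ip, method, token, path=CTI_LOG_PATH):
    """Build one constructed log record in the SIEM query's field layout."""
    return json.dumps({"source": "zammad", "src_ip": ip, "uri_path": path,
                       "http_method": method, "auth_token": token})

# Constructed sample input, not real Zammad logs.
SAMPLE_LOGS = [
    _rec("10.0.0.5", "POST", None),            # PBX call event: expected
    _rec("192.0.2.7", "GET", "tok-agent-1"),    # agent reading the caller log
    _rec("192.0.2.7", "POST", "tok-agent-1"),   # authenticated write: fine
    *[_rec("203.0.113.9", "POST", None) for _ in range(4)],  # external flood
    "not json at all",                          # malformed line, must not abort
]

def parse_records(lines):
    """Parse JSON log lines, skipping malformed ones instead of aborting the sweep."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records

def detect_cti_abuse(lines, threshold=VOLUME_THRESHOLD):
    """Return {src_ip: [reasons]} for POSTs to the CTI log path that carry
    no auth token (outside the PBX allowlist) or exceed the volume threshold."""
    total, unauth = Counter(), Counter()
    for rec in parse_records(lines):
        if rec.get("uri_path") != CTI_LOG_PATH or rec.get("http_method") != "POST":
            continue
        ip = rec.get("src_ip", "unknown")
        total[ip] += 1
        if not rec.get("auth_token") and ip not in TRUSTED_CTI_SOURCES:
            unauth[ip] += 1
    findings = {}
    for ip, n in unauth.items():
        findings.setdefault(ip, []).append(f"{n} unauthenticated CTI log write(s)")
    for ip, n in total.items():
        if n > threshold:
            findings.setdefault(ip, []).append(f"{n} CTI log writes exceed threshold {threshold}")
    return findings
```

Running detect_cti_abuse(SAMPLE_LOGS) reports only 203.0.113.9, for both the missing token and the volume; the PBX and the authenticated agent produce no findings.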