Attackers are exploiting Zendesk instances that are configured to accept anonymous ticket submissions without email verification, flooding targeted inboxes with thousands of malicious messages that appear to come from legitimate Zendesk customer domains rather than from Zendesk itself. The weakness stems from customers enabling anonymous ticket creation workflows together with auto-responder triggers: an attacker submits tickets with a spoofed sender address, and the auto-responder's notification emails are then sent from the victim organisation's own domain to the targeted inbox, making this a distributed attack that bypasses Zendesk's rate-limiting controls. Zendesk recommends immediately switching to authenticated ticket creation workflows and validating email addresses before sending responses; the company says it is also investigating additional preventive measures for this abuse vector.
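The reflector pattern described above and both recommended mitigations, as an added defender-side simulation that is not Zendesk's code or configuration: a weak auto-responder that replies to every submitted address, a hardened one that replies only to verified requesters under a per-address rate cap, and a burst detector run over the same constructed ticket events. All addresses, thresholds and the "verified" flag are assumptions for illustration.

```python
from collections import defaultdict, deque

# Constructed ticket-creation events (not real Zendesk data): (timestamp in seconds,
# requester address, requester_verified) where verified = address confirmed before any reply.
def make_sample():
    tickets = [(0, "alice@example.com", True), (120, "alice@example.com", True)]
    tickets += [(200, "bob@example.net", False)]  # one anonymous ticket, unverified address
    tickets += [(1000 + 100 * i, "carol@example.org", True) for i in range(7)]  # chatty but legit
    # the bomb: 200 anonymous tickets naming the target as requester within 200 seconds
    tickets += [(300 + i, "victim@target.example", False) for i in range(200)]
    return tickets

def weak_autoresponder(tickets):
    """Weak setting: every new ticket triggers a reply to whatever address was submitted.
    Returns {address: replies sent}; the target receives one reply per forged ticket."""
    sent = defaultdict(int)
    for _ts, requester, _verified in tickets:
        sent[requester] += 1
    return dict(sent)

def hardened_autoresponder(tickets, window=3600, cap=5):
    """Hardened setting: reply only to verified requesters, and never more than `cap`
    replies to one address per `window` seconds. Returns ({sent}, {suppressed})."""
    sent, suppressed = defaultdict(int), defaultdict(int)
    recent = defaultdict(deque)  # per-address timestamps of replies inside the window
    for ts, requester, verified in sorted(tickets):
        q = recent[requester]
        while q and ts - q[0] >= window:
            q.popleft()
        if not verified or len(q) >= cap:
            suppressed[requester] += 1
            continue
        q.append(ts)
        sent[requester] += 1
    return dict(sent), dict(suppressed)

def detect_bursts(tickets, window=600, threshold=20):
    """Detection: flag addresses named on more than `threshold` unverified tickets per `window`."""
    recent, flagged = defaultdict(deque), set()
    for ts, requester, verified in sorted(tickets):
        if verified:
            continue
        q = recent[requester]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged.add(requester)
    return flagged
```

Only the hardened path keeps the victim's inbox quiet while still answering verified users; the burst detector is the signal to alert on if the weak workflow cannot be switched off immediately.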
Email Bombs Exploit Lax Authentication in Zendesk (Krebs on Security)
Zendesk Email Bomb Attacks: Exploiting Lax Authentication and Anonymous Ticket Creation (Rescana)
Article URL: https://krebsonsecurity.com/2025/10/email-bombs-exploit-lax-authentication-in-zendesk/
Comments URL: https://news.ycombinator.com/item?id=45615449
Points: 69, Comments: 17