CVE-2020-7796
published 2020-02-18CVE-2020-7796: Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.
PriorityP191critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2026-03-10
Exploited in the wild
EPSS
85.42%
99.7th percentile
Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synacor | zimbra_collaboration_suite | < 8.8.15 | 8.8.15 |
| synacor | zimbra_collaboration_suite | — | — |
Detection & IOCsextracted from sources · hover to see the quote
url/zimlet/com_zimbra_webex/httpPost.jsp?companyId=http://{{interactsh-url}}%23
url/service/error/sfdc_preauth.jsp?session=s&userid=1&server=http://{{interactsh-url}}%23.salesforce.com/
path/zimlet/com_zimbra_webex/httpPost.jsp
path/service/error/sfdc_preauth.jsp
- →Probe for SSRF via the WebEx zimlet endpoint by supplying an out-of-band callback URL in the `companyId` parameter; confirm exploitation by observing an HTTP interaction on the OAST/interactsh listener.
- →Probe for SSRF via the Salesforce pre-auth JSP endpoint by supplying an out-of-band callback URL in the `server` parameter; confirm exploitation by observing an HTTP interaction on the OAST/interactsh listener.
- →Both SSRF vectors are unauthenticated (no session/auth cookie required); any HTTP request to the vulnerable paths from an unauthenticated source should be treated as suspicious.
- →Use Shodan/FOFA/Google dorks to identify exposed Zimbra instances as potential targets: look for HTTP titles 'zimbra collaboration suite' or 'zimbra web client sign in'.
- →Exploitation requires the WebEx zimlet to be installed and zimlet JSP to be enabled; check for presence of `com_zimbra_webex` zimlet in the deployment as a precondition indicator. ↗
- ·The SSRF via `httpPost.jsp` is only exploitable when the `com_zimbra_webex` zimlet is installed AND zimlet JSP execution is enabled on the server; detections targeting this path will produce false negatives on deployments without the zimlet. ↗
- ·The `sfdc_preauth.jsp` vector (CWE-99 / CWE-918) is tracked under the same CVE but targets a different endpoint; detection rules must cover both paths independently.
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
cisa9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-qfxw-56c6-7pjg: Zimbra Collaboration Suite (ZCS) before 8
ghsa_unreviewed·2022-05-24
CVE-2020-7796 [MEDIUM] CWE-918 GHSA-qfxw-56c6-7pjg: Zimbra Collaboration Suite (ZCS) before 8
Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.
VulnCheck
Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-7796 [CRITICAL] CWE-918 Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery vulnerability if WebEx zimlet installed and zimlet JSP is enabled.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-12&host_type=src&vulnerability=cve-2020-7796; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-13&host_type=src&vulnerability=cve-2020-7796; https://dashboard.shadowserver.org/statisti
CISA
Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
cisa·2026-02-17·CVSS 9.8
CVE-2020-7796 [CRITICAL] CWE-918 Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
Affected: Synacor Zimbra Collaboration Suite
Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery vulnerability if WebEx zimlet installed and zimlet JSP is enabled.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P7 ; https://nvd.nist.gov/vuln/detail/CVE-2020-7796
Remediation Due Date: 2026-03-10
No detection rules found.
Nuclei
Zimbra Collaboration Suite < 8.8.15 Patch 7 - Server-Side Request Forgery
nuclei·CVSS 9.8
CVE-2020-7796 [CRITICAL] Zimbra Collaboration Suite < 8.8.15 Patch 7 - Server-Side Request Forgery
Zimbra Collaboration Suite < 8.8.15 Patch 7 - Server-Side Request Forgery
Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 is susceptible to server-side request forgery when WebEx zimlet is installed and zimlet JSP is enabled.
Template:
id: CVE-2020-7796
info:
name: Zimbra Collaboration Suite < 8.8.15 Patch 7 - Server-Side Request Forgery
author: gy741
severity: critical
description: Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 is susceptible to server-side request forgery when WebEx zimlet is installed and zimlet JSP is enabled.
impact: |
Successful exploitation of this vulnerability could allow an attacker to send arbitrary requests from the vulnerable server, potentially leading to unauthorized access or data leakage.
remediation: |
Apply the latest patch or upgrade
Nuclei
Zimbra Collaboration Suite - Server-Side Request Forgery
nuclei·CVSS 9.8
CVE-2020-7796 [CRITICAL] Zimbra Collaboration Suite - Server-Side Request Forgery
Zimbra Collaboration Suite - Server-Side Request Forgery
Zimbra Collaboration Suite (ZCS) allows remote unauthenticated attackers to cause the product to include content returned by third-party servers and use it as its own code.
Template:
id: zimbra-preauth-ssrf
info:
name: Zimbra Collaboration Suite - Server-Side Request Forgery
author: gy741
severity: critical
description: Zimbra Collaboration Suite (ZCS) allows remote unauthenticated attackers to cause the product to include content returned by third-party servers and use it as its own code.
reference:
- https://www.adminxe.com/2183.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-7796
- https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P7
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
Greynoiseio
New SSRF Exploitation Surge Serves as a Reminder of 2019 Capital One Breach
blogs_greynoiseio·2025-03-11
New SSRF Exploitation Surge Serves as a Reminder of 2019 Capital One Breach
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
Greynoiseio
GreyNoise Round-Up: Product Updates
blogs_greynoiseio
GreyNoise Round-Up: Product Updates
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
2020-02-18
Published
2026-02-17
Added to CISA KEV
Exploited in the wild