CVE-2022-27924
published 2022-04-21

Priority: P191, high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2022-08-25
Exploited in the wild
EPSS: 84.59% (99.7th percentile)
Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands become unescaped, causing an overwrite of arbitrary cached entries.

Affected

2 ranges
Vendor    Product                       Version range    Fixed in
synacor   zimbra_collaboration_suite
synacor   zimbra_collaboration_suite

Detection & IOCs (extracted from sources)

path: /js/zimbraMail/share/model/ZmSettings.js
  • Detect vulnerable Zimbra versions by fetching /js/zimbraMail/share/model/ZmSettings.js and matching body for 'Zimbra Collaboration Suite Web Client' with version strings '8.8.15' or '9.0' and Content-Type header 'application/x-javascript'
  • CVE-2022-27924 (memcached command injection) has been exploited since at least August 2022 by APT29/SVR to steal email account credentials from unpatched Zimbra Collaboration instances
  • The flaw allows unauthenticated attackers to steal login credentials without user interaction via memcached command injection leading to cache poisoning
  • The Nuclei template detection for CVE-2022-27924 is passive/version-based only — it identifies potentially vulnerable Zimbra instances by version string, not by confirming active memcached injection. A match on versions 8.8.15 or 9.0 does not confirm exploitation.
  • Exploitation of CVE-2022-27925 (RCE via mboximport) returns HTTP 401 even on successful webshell upload — defenders must not dismiss 401 responses to mboximport as failed attacks
  • Webshell path scanning only covers shells known to Volexity; the true number of compromised servers is likely higher than what scanning for known paths reveals

CVSS provenance

nvd         v3.1   7.5   HIGH     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd         v2.0   5.0   MEDIUM   AV:N/AC:L/Au:N/C:N/I:P/A:N
vulncheck          7.5   HIGH
cisa               7.5   HIGH