CVE-2022-27924
Published: 2022-04-21
Priority: P1 · 91 · high · CVSS 3.1: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Tags: KEV · ITW · Exploit · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-08-25
Exploited in the wild
EPSS: 84.59% (99.7th percentile)
Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands become unescaped, causing an overwrite of arbitrary cached entries.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | — | — |
Detection & IOCs (extracted from sources)
- Detect vulnerable Zimbra versions by fetching /js/zimbraMail/share/model/ZmSettings.js and matching the body for 'Zimbra Collaboration Suite Web Client' with the version strings '8.8.15' or '9.0' and a Content-Type header of 'application/x-javascript'
- CVE-2022-27924 (memcached command injection) has been exploited since at least August 2022 by APT29/SVR to steal email account credentials from unpatched Zimbra Collaboration instances
- The flaw allows unauthenticated attackers to steal login credentials without user interaction via memcached command injection leading to cache poisoning
- The Nuclei template detection for CVE-2022-27924 is passive/version-based only: it identifies potentially vulnerable Zimbra instances by version string, not by confirming active memcached injection. A match on versions 8.8.15 or 9.0 does not confirm exploitation.
- Exploitation of CVE-2022-27925 (RCE via mboximport) returns HTTP 401 even on a successful webshell upload; defenders must not dismiss 401 responses to mboximport as failed attacks
- Webshell path scanning only covers shells known to Volexity; the true number of compromised servers is likely higher than what scanning for known paths reveals
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| vulncheck | — | 7.5 | HIGH | — |
| cisa | — | 7.5 | HIGH | — |
GHSA
GHSA-763p-5rx7-r4qf: Zimbra Collaboration (aka ZCS) 8
ghsa_unreviewed · 2022-04-22
CVE-2022-27924 [HIGH] CWE-74
Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands become unescaped, causing an overwrite of arbitrary cached entries.
VulnCheck
Synacor Zimbra Collaboration Suite (ZCS) Command Injection Vulnerability
vulncheck · 2022 · CVSS 7.5
CVE-2022-27924 [HIGH] CWE-93
Synacor Zimbra Collaboration Suite (ZCS) allows an attacker to inject memcache commands into a targeted instance, which causes an overwrite of arbitrary cached entries.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://assets.sentinelone.com/wt-reports/watchtower_2022_eoy
- https://cisa.gov/news-events/cybersecurity-advisories/aa22-228a
- https://unit42.paloaltonetworks.com/network-security-trends-nov-jan/
- https://cisa.gov/news-events/cybersecurity-advisories/aa23-215a
- https://cisa.gov/news-events/cybersec
CISA
Synacor Zimbra Collaboration Suite (ZCS) Command Injection Vulnerability
cisa · 2022-08-04 · CVSS 7.5
CVE-2022-27924 [HIGH] CWE-93
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Synacor Zimbra Collaboration Suite (ZCS) allows an attacker to inject memcache commands into a targeted instance, which causes an overwrite of arbitrary cached entries.
Required Action: Apply updates per vendor instructions.
Notes:
- https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24.1#Security_Fixes
- https://nvd.nist.gov/vuln/detail/CVE-2022-27924
Remediation Due Date: 2022-08-25
No detection rules found.
Nuclei
Zimbra Collaboration Suite - Memcached Command Injection
nuclei · CVSS 7.5
CVE-2022-27924 [HIGH]
Zimbra Collaboration Suite versions 8.8.15 and 9.0 contain a memcached command injection vulnerability that allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance, leading to cache poisoning and potential credential theft.
Template (excerpt):
```yaml
id: CVE-2022-27924

info:
  name: Zimbra Collaboration Suite - Memcached Command Injection
  author: rxerium
  severity: high
  description: |
    Zimbra Collaboration Suite versions 8.8.15 and 9.0 contain a memcached command injection vulnerability that allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance, leading to cache poisoning and potential credential theft.
  impact: |
    Successful exploitation allows attackers to overwrite
```
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio·2026-02-02
Bleepingcomputer
US, UK warn of Russian APT29 hackers targeting Zimbra, TeamCity servers
blogs_bleepingcomputer·2024-10-10·CVSS 7.5
[HIGH] US, UK warn of Russian APT29 hackers targeting Zimbra, TeamCity servers
By Sergiu Gatlan
U.S. and U.K. cyber agencies warned today that APT29 hackers linked to Russia's Foreign Intelligence Service (SVR) target vulnerable Zimbra and JetBrains TeamCity servers "at a mass scale."
A joint advisory issued by the NSA, the FBI, the U.S. Cyber Command's Cyber National Mission Force (CNMF), and the U.K.'s NCSC warns network defenders to patch exposed servers to block these ongoing attacks.
The four cyber agencies said the hacking group targets unpatched Zimbra and TeamCity servers exposed online "at a mass scale to target victims worldwide across a variety of sectors " using CVE-2022-27924 and CVE-2023-42793 exploits.
CVE-2022-27924 has been exploited since at least August 2022 to steal em
Tenable
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
blogs_tenable·2023-08-03
Unit42
Network Security Trends: November 2022-January 2023
blogs_unit42·2023-05-02·CVSS 9.8
CVE-2021-22005 [CRITICAL] Network Security Trends: November 2022-January 2023
## Network Security Trends: November 2022-January 2023
Yiheng An · Published: May 2, 2023
Tags: Trend Reports, Vulnerabilities, Attack analysis, CVE-2021-22005, CVE-2021-31602, CVE-2021-33035, CVE-2021-43287, CVE-2022-1118, CVE-2022-27924, CVE-2022-30136, CVE-2022-31137, CVE-2022-44877, CVE-2022-46169, Exploit in the wild, Network security trends
## Executive Summary
Recent observations of exploits used in the wild November 2022-January 2023 reveal that attackers have been using newly published remote code execution vulnerabilities in the following three products:
- Roxy-WI, a web interface for managing and monitoring RoxyDNS
- CWP, a free web hosting control panel (aka Control Web Panel or CentOS Web Panel)
- Cacti, an open-source network monitoring and graphing tool used to track the performance of various network devices, servers and applications
Additionally, attackers have also been taking advantage of a traversal and information disclosure vulnerability in ThoughtWorks GoCD to read sensitive files stored on servers.
In our observations of network security trends, Unit 42 researchers have pinpointed several attacks based o
Volexity
Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925
blogs_volexity·2022-08-10·CVSS 7.2
CVE-2022-27925 [HIGH] Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925
Threat Intelligence
Volexity Threat Research · August 10, 2022
[Note: Volexity has reported all findings in this post to Zimbra. Where an existing contact was known, Volexity has notified local CERTs of compromised Zimbra instances in their constituency. The newest versions of Zimbra are patched for both the RCE vulnerability and authentication bypass vulnerabilities described in this blog.]
In July and early August 2022, Volexity worked on multiple incidents where the victim organization experienced serious breaches to their Zimbra Collaboration Suite (ZCS) email servers. Volexity’s investigations uncovered evidence indicating the likely cause of these breaches was exploitation of CVE-2022-27925, a remote-code-executio
Checkpoint
20th June – Threat Intelligence Report
blogs_checkpoint·2022-06-20·CVSS 7.8
CVE-2022-30190 [HIGH] 20th June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 20th June, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point Research has exposed an Iranian spear-phishing operation targeting high profile Israeli and US executives. As part of their operations, the attackers take over existing accounts of the executives and create impersonating accounts to lure their targets into long email conversations. The operation aims at stealing per
Recorded Future
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
blogs_recorded_future
New Insikt Group research examines RedHotel, a Chinese state-sponsored threat activity group that stands out due to its persistence, operational intensity, and global reach. RedHotel's operations span 17 countries in Asia, Europe, and North America from 2021 to 2023. Its targets encompass academia, aerospace, government, media, telecommunications, and research sectors. Particularly focused on Southeast Asia's governments and private companies in specified sectors, RedHotel's infrastructure for malware command-and-control, reconnaissance, and exploitation points to administration in Chengdu, China. Its methods align with other contractor groups linked to China's Ministry of State Security (MSS), indicating a
Greynoiseio
NoiseLetter February 2026
blogs_greynoiseio
References:
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-27924
Timeline:
- 2022-04-21: Published
- 2022-08-04: Added to CISA KEV
- Exploited in the wild