cbcvebase.
CVE-2022-27925
published 2022-04-21


Priority: P1 (91, high); CVSS 3.1 score: 7.2
CVSS 3.1 vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, Exploit, Ransomware, Initial access
CISA Known Exploited Vulnerability (due 2022-09-01)
Exploited in the wild
EPSS: 98.16% (99.9th percentile)
Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.

Affected (2 ranges)

Vendor: synacor; Product: zimbra_collaboration_suite; Version range: (not listed on this page); Fixed in: (not listed on this page)
Vendor: synacor; Product: zimbra_collaboration_suite; Version range: (not listed on this page); Fixed in: (not listed on this page)

Detection & IOCs (extracted from sources)

Source: https://github.com/GreyNoise-Intelligence/Zimbra_CVE-2022-37042-_CVE-2022-27925
  • Look for HTTP POST requests to the mboximport endpoint (path: /service/extension/backup/mboximport) returning HTTP 401 — exploitation succeeds even when the server returns 401 Unauthorized due to a missing return statement after the auth check.
  • Use the Godzilla Webshell YARA rule (SHA-256: 2786d2dc738529a34ecde10ffeda69b7f40762bf13e7771451f13a24ab7fc5fe) to detect the JSP implementation of the Godzilla webshell dropped on compromised ZCS servers.
  • Compare the current list of JSP files in the ZCS web directory against a known-good baseline to identify attacker-planted webshells.
  • Flag POST requests to mboximport with URL parameters such as account-name, ow, and no-switch — these are the parameters an attacker sets to exploit the vulnerability without authentication.
  • The exploit succeeds even when the server returns HTTP 401 — defenders must not assume a 401 response to mboximport POST requests means the attack failed; the file may already have been written to disk.
  • The Open Source Edition of Zimbra Collaboration Suite is not affected; only Network Edition versions 9.0.0 Patch 23 and earlier, and 8.8.15 Patch 30 and earlier, are vulnerable.
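The detection notes above boil down to one rule: treat every POST to the mboximport path as a finding, regardless of the response code, and raise the severity when the account-name, ow and no-switch parameters appear together. The following is an added example (not code from this page or from the GreyNoise repository) that applies that rule to web-server access logs; it assumes Apache/nginx combined log format, and the log lines are constructed samples using documentation IP ranges.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and query parameters named in the detection notes above.
MBOXIMPORT_PATH = "/service/extension/backup/mboximport"
SUSPICIOUS_PARAMS = {"account-name", "ow", "no-switch"}

# Combined log format: client - - [time] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def classify_line(line):
    """Return a finding dict for a POST to mboximport, or None for anything else.

    A 401 response is deliberately NOT treated as a failed attempt: per the
    notes above, the file may already be on disk when the server answers 401.
    """
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    url = urlsplit(m.group("target"))
    if url.path != MBOXIMPORT_PATH:
        return None
    params = set(parse_qs(url.query, keep_blank_values=True))
    hits = sorted(params & SUSPICIOUS_PARAMS)
    return {
        "client": m.group("client"),
        "time": m.group("time"),
        "status": int(m.group("status")),
        "params": hits,
        # All three parameters together match the unauthenticated-abuse pattern.
        "severity": "high" if len(hits) == len(SUSPICIOUS_PARAMS) else "review",
    }

def scan(lines):
    """Run classify_line over an iterable of log lines and collect the findings."""
    return [f for f in (classify_line(ln) for ln in lines) if f]

# Constructed sample lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2022:03:14:07 +0000] "POST /service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1 HTTP/1.1" 401 345',
    '198.51.100.3 - - [10/Aug/2022:03:15:22 +0000] "GET /service/soap HTTP/1.1" 200 812',
    '203.0.113.9 - - [10/Aug/2022:03:16:01 +0000] "POST /service/extension/backup/mboximport?account-name=user1 HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Pair the log check with the file-baseline comparison from the notes above: a "high" finding with a 401 status is exactly the case where the response code alone would have hidden a written file.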

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     7.2    HIGH      CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     6.5    MEDIUM    AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck  -        7.2    HIGH      -
cisa       -        7.2    HIGH      -