CVE-2022-37042
published 2022-08-12


Priority: P1 98 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability (due 2022-09-01)
Exploited in the wild
EPSS: 88.26% (99.7th percentile)
Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
synacor | zimbra_collaboration_suite | |
synacor | zimbra_collaboration_suite | |

Detection &amp; IOCs (extracted from sources)

url: /service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1
url: /service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd
path: /zimbraAdmin/0MVzAe6pgwe5go1D.jsp
path: ../../../../mailboxd/webapps/zimbraAdmin/0MVzAe6pgwe5go1D.jsp
other: http.favicon.hash:"1624375939"
other: http.favicon.hash:"475145467"
  • Exploit requests POST to /service/extension/backup/mboximport without a valid authtoken and receive HTTP 401 responses, yet the webshell is still written to disk — detect on 401 responses to POST requests at this endpoint.
  • ZIP payloads delivered to mboximport contain path-traversal sequences (e.g. ../../../../mailboxd/webapps/zimbraAdmin/) in the embedded filename to drop JSP webshells outside the intended extraction directory.
  • The Nuclei template detection condition checks for HTTP 401 on the POST to mboximport AND HTTP 200 containing the string 'NcbWd0XGajaWS4DmOvZaCkxL1aPEXOZu' on the subsequent GET to the dropped JSP — use both conditions together to confirm exploitation.
  • Use Shodan favicon hashes 1624375939 and 475145467 to identify internet-exposed Zimbra instances for proactive vulnerability assessment.
  • Volexity's Internet-wide scan for compromised servers only used webshell paths known to Volexity; the true number of compromised ZCS instances is likely higher than the 1,000+ identified.
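The two detection conditions above (a POST to mboximport answered 401, then a 200 on a GET to a dropped JSP from the same source) and the ZIP entry-name traversal check that a safe extractor must apply, worked as an added example. This is illustration code written for this page, not a Nuclei template, a Volexity tool or Zimbra's own code; the log lines and the in-memory archive are constructed, and the extraction directory /opt/zimbra/import is a placeholder, not Zimbra's real path.

```python
import io
import posixpath
import re
import zipfile

# Endpoint abused by CVE-2022-37042 (taken from the IOCs in this record).
MBOXIMPORT_PATH = "/service/extension/backup/mboximport"

# Constructed sample access-log lines (Combined Log Format); not real telemetry.
# The first two lines mirror the exploitation pattern in the IOCs: an
# unauthenticated POST to mboximport answered 401, then a GET to a JSP under
# /zimbraAdmin/ from the same source. The last two lines are benign traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2022:10:00:01 +0000] "POST /service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1 HTTP/1.1" 401 0 "-" "python-requests/2.28"
203.0.113.10 - - [12/Aug/2022:10:00:02 +0000] "GET /zimbraAdmin/0MVzAe6pgwe5go1D.jsp HTTP/1.1" 200 87 "-" "python-requests/2.28"
198.51.100.7 - - [12/Aug/2022:10:05:00 +0000] "POST /service/extension/backup/mboximport?account-name=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Aug/2022:10:06:00 +0000] "GET /zimbraAdmin/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log_line(line):
    """Parse one access-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string
    return rec


def flag_mboximport_abuse(log_text):
    """Apply the record's two detection conditions to a block of log text.

    Returns a sorted list of (ip, reason) tuples:
      - "401 on POST mboximport": a POST to the endpoint answered 401 (the
        exploit pattern: no authtoken, yet the archive is still processed);
      - "JSP fetched after 401 POST": the same source later GETs a .jsp under
        /zimbraAdmin/ and receives 200, corroborating that a file was dropped.
    """
    findings = set()
    suspicious_ips = set()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == MBOXIMPORT_PATH and rec["status"] == 401:
            suspicious_ips.add(rec["ip"])
            findings.add((rec["ip"], "401 on POST mboximport"))
        elif (rec["method"] == "GET" and rec["ip"] in suspicious_ips
              and rec["path"].startswith("/zimbraAdmin/")
              and rec["path"].lower().endswith(".jsp") and rec["status"] == 200):
            findings.add((rec["ip"], "JSP fetched after 401 POST"))
    return sorted(findings)


def zip_member_escapes(member_name, dest_dir):
    """True if extracting member_name under dest_dir would write outside dest_dir.

    This is the check a safe extractor makes before writing any entry; the
    traversal IOC above ('../../../../mailboxd/webapps/zimbraAdmin/...') is the
    kind of name it rejects. Absolute names and backslashes are rejected outright.
    """
    if member_name.startswith("/") or "\\" in member_name:
        return True
    dest = posixpath.normpath(dest_dir)
    target = posixpath.normpath(posixpath.join(dest, member_name))
    return target != dest and not target.startswith(dest + "/")


def scan_zip_for_traversal(zip_bytes, dest_dir="/opt/zimbra/import"):
    """Return the member names of a ZIP (given as bytes) that would escape dest_dir.
    dest_dir is a placeholder extraction directory, not Zimbra's real one."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if zip_member_escapes(n, dest_dir)]


def build_sample_zip():
    """Constructed test archive: one benign entry and one entry whose name is the
    traversal path from the record's IOCs. Both contents are placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("inbox.mbox", "placeholder mailbox data")
        zf.writestr("../../../../mailboxd/webapps/zimbraAdmin/0MVzAe6pgwe5go1D.jsp",
                    "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for ip, reason in flag_mboximport_abuse(SAMPLE_LOG):
        print(f"{ip}: {reason}")
    print("traversal entries:", scan_zip_for_traversal(build_sample_zip()))
```

Run against the constructed log, only 203.0.113.10 is flagged, and on both conditions; the benign authenticated import from 198.51.100.7 (POST answered 200, no JSP fetch) is not. The archive scanner rejects the entry on name alone, before anything is written, which is the property the incomplete fix for CVE-2022-27925 lacked on the authentication side rather than the path side.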

CVSS provenance

nvd: v3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 7.2 HIGH
cisa: 7.2 HIGH