CVE-2022-37042
Published 2022-08-12
Priority: P1 · 98 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-09-01
Exploited in the wild
EPSS: 88.26% (99.7th percentile)
Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | — | — |
Detection & IOCs (extracted from sources)
- Exploit requests POST to /service/extension/backup/mboximport without a valid authtoken and receive HTTP 401 responses, yet the webshell is still written to disk; detect on 401 responses to POST requests at this endpoint.
- ZIP payloads delivered to mboximport contain path-traversal sequences (e.g. ../../../../mailboxd/webapps/zimbraAdmin/) in the embedded filename to drop JSP webshells outside the intended extraction directory.
- The Nuclei template's detection condition checks for HTTP 401 on the POST to mboximport AND HTTP 200 containing the string 'NcbWd0XGajaWS4DmOvZaCkxL1aPEXOZu' on the subsequent GET to the dropped JSP; use both conditions together to confirm exploitation.
- Use Shodan favicon hashes 1624375939 and 475145467 to identify internet-exposed Zimbra instances for proactive vulnerability assessment.
- Volexity's Internet-wide scan for compromised servers only used webshell paths known to Volexity; the true number of compromised ZCS instances is likely higher than the 1,000+ identified.
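The first two indicators above (a 401 response to a POST on the mboximport endpoint, and a ZIP whose entry names carry `../` traversal) can both be checked mechanically on the defender's side. The following Python is an added example written for this page; it is not code from Zimbra, Volexity, Nuclei or any other cited source. The access-log lines, the log-format assumption (a combined-format web access log with a `"METHOD PATH PROTO" STATUS` request field) and the in-memory archives are constructed sample data.

```python
"""Defensive checks for the two mboximport indicators listed above.

Added example, not from the original page or any vendor tool. The access
log lines and the in-memory ZIP archives below are constructed test data.
"""
import io
import posixpath
import re
import zipfile

MBOXIMPORT_PATH = "/service/extension/backup/mboximport"

# Assumption: a combined-format access log (client, identd, user,
# [timestamp], "METHOD PATH PROTO", status, ...).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_unauthenticated_import_attempts(log_lines):
    """Return (ip, timestamp, status) for POSTs to mboximport that got a 401.

    A 401 on this endpoint is the signal described in the IOC list: the
    request lacked an authtoken, yet on vulnerable builds the archive was
    still processed. A 200 from an authenticated admin import is normal
    and is not flagged here.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        path = m["path"].split("?", 1)[0]  # drop the query string
        if m["method"] == "POST" and path.startswith(MBOXIMPORT_PATH) \
                and m["status"] == "401":
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


def is_traversal_name(name):
    """True if a ZIP entry name would escape the extraction directory."""
    # Treat backslashes as separators too; some extractors do.
    norm = posixpath.normpath(name.replace("\\", "/"))
    return (
        norm.startswith("/")                      # absolute path
        or norm == ".."
        or norm.startswith("../")                  # climbs out of the root
        or re.match(r"^[A-Za-z]:", norm) is not None  # Windows drive letter
    )


def traversal_entries(zip_bytes):
    """Names of entries in a ZIP payload that would traverse out of the target dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if is_traversal_name(info.filename)]


def build_sample_zip(entries):
    """Build a ZIP in memory from {name: bytes} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample access-log lines (not real traffic; 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2022:13:02:11 +0000] "POST /service/extension/backup/mboximport?a=1 HTTP/1.1" 401 184',
    '198.51.100.4 - - [10/Aug/2022:13:02:12 +0000] "GET /zimbraAdmin/ HTTP/1.1" 200 5123',
    '192.0.2.9 - - [10/Aug/2022:13:05:40 +0000] "POST /service/extension/backup/mboximport HTTP/1.1" 200 97',
]

# Constructed sample archives: a benign mailbox export and one carrying a
# traversal entry name of the shape described in the IOC list.
BENIGN_ZIP = build_sample_zip({"Inbox/message1.eml": b"Subject: hi\r\n\r\nok"})
TRAVERSAL_ZIP = build_sample_zip({
    "Inbox/message1.eml": b"Subject: hi\r\n\r\nok",
    "../../../../mailboxd/webapps/zimbraAdmin/dropped.jsp": b"<%-- placeholder --%>",
})

if __name__ == "__main__":
    for hit in find_unauthenticated_import_attempts(SAMPLE_LOG):
        print("suspicious mboximport POST:", hit)
    print("benign archive traversal entries:", traversal_entries(BENIGN_ZIP))
    print("suspicious archive traversal entries:", traversal_entries(TRAVERSAL_ZIP))
```

`is_traversal_name` normalises the entry name before testing it, so `a/../../b` is caught as well as a literal leading `../`; this is the same check a hardened extractor should apply before joining an entry name onto its destination directory. The log scan only keys on the 401 plus the endpoint, so pair it with a file-integrity check of the webapp directories when triaging a hit.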
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 7.2 HIGH
- CISA: 7.2 HIGH
GHSA
GHSA-9g5r-3vrr-xfcm: Zimbra Collaboration Suite (ZCS) 8
ghsa_unreviewed · 2022-08-13 · CVSS 7.2 · CVE-2022-37042 [HIGH] · CWE-22
Description: identical to the CVE-2022-37042 description above.
VulnCheck
Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability
vulncheck · 2022 · CVSS 7.2 · CVE-2022-27925 [HIGH] · CWE-22
Synacor Zimbra Collaboration Suite (ZCS) contains a flaw in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution. This vulnerability was chained with CVE-2022-37042, which allows for unauthenticated remote code execution.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://web.archive.org/web/20230318134256/https://unit42.paloaltonetworks.com/network-security-trends-aug-oct-2022/; https://assets.sentinelone.com/wt-reports/watchtower_202
VulnCheck
Synacor Zimbra Collaboration Suite (ZCS) Authentication Bypass Vulnerability
vulncheck · 2022 · CVSS 7.2 · CVE-2022-37042 [HIGH] · CWE-23
Synacor Zimbra Collaboration Suite (ZCS) contains an authentication bypass vulnerability in MailboxImportServlet. This vulnerability was chained with CVE-2022-27925, which allows for unauthenticated remote code execution.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://assets.sentinelone.com/wt-reports/watchtower_2022_eoy; https://cisa.gov/news-events/cybersecurity-advisories/aa22-228a; https://l
CISA
Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability
cisa · 2022-08-11 · CVSS 7.2 · CVE-2022-27925 [HIGH] · CWE-22
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Synacor Zimbra Collaboration Suite (ZCS) contains a flaw in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution. This vulnerability was chained with CVE-2022-37042, which allows for unauthenticated remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/; https://nvd.nist.gov/vuln/detail/CVE-2022-27925
Remediation Due Date: 2022-09-01
CISA
Synacor Zimbra Collaboration Suite (ZCS) Authentication Bypass Vulnerability
cisa · 2022-08-11 · CVSS 7.2 · CVE-2022-37042 [HIGH] · CWE-23
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Synacor Zimbra Collaboration Suite (ZCS) contains an authentication bypass vulnerability in MailboxImportServlet. This vulnerability was chained with CVE-2022-27925, which allows for unauthenticated remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/; https://nvd.nist.gov/vuln/detail/CVE-2022-37042
Remediation Due Date: 2022-09-01
Suricata
ET EXPLOIT Possible Zimbra RCE Attempt Inbound (CVE-2022-27925)
suricata · 2022-08-12 · CVSS 7.2 · CVE-2022-27925 [HIGH]
Rule:

```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Zimbra RCE Attempt Inbound (CVE-2022-27925)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/backup/mboximport/"; fast_pattern; http.request_body; content:"PK"; startswith; content:"../"; distance:20; within:500; reference:cve,2022-27925; reference:cve,2022-37042; classtype:attempted-admin; sid:2038504; rev:1; metadata:attack_target Server, created_at 2022_08_12, cve CVE_2022_27925_CVE_2022_37042, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190;)
```

The rule keys on three things in one request: a POST method, the `/backup/mboximport/` URI fragment, and a request body that starts with the ZIP local-file-header magic `PK` and contains `../` within the first 500 bytes after it, so a benign authenticated import with clean entry names will not fire.
Metasploit
Zip Path Traversal in Zimbra (mboximport) (CVE-2022-27925)
metasploit · CVSS 7.2 · CVE-2022-27925 [HIGH]
This module POSTs a ZIP file containing path traversal characters to the administrator interface for Zimbra Collaboration Suite. If successful, it plants a JSP-based backdoor within the web directory, then executes it. The core vulnerability is a path-traversal issue in Zimbra Collaboration Suite's ZIP implementation that can result in the extraction of an arbitrary file to an arbitrary location on the host. This issue is exploitable on the following versions of Zimbra:
- Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier)
- Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier)
Note that the Open Source Edition is not affected.
Nuclei
Zimbra Collaboration Suite 8.8.15/9.0 - Remote Code Execution
nuclei · CVSS 7.2 · CVE-2022-37042 [HIGH]
Description: identical to the CVE-2022-37042 description above.
Template:

```yaml
id: CVE-2022-37042
info:
  name: Zimbra Collaboration Suite 8.8.15/9.0 - Remote Code Execution
  author: _0xf4n9x_,For3stCo1d
  severity: critical
  description: |
    Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtok
```
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio · 2026-02-02
Greynoiseio
GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta's Leaked Chat Logs
blogs_greynoiseio · 2025-02-26 · CVSS 9.8 [CRITICAL]
Qualys
Defense Lessons From the Black Basta Ransomware Playbook
blogs_qualys · 2025-02-25
Table of Contents
- Know Your Enemy's Playbook
- Attackers Move Fast
- How Qualys Can Help
The cybersecurity world was rocked last week by a massive leak of Black Basta's internal communications that emerged from the group's chat logs. Triggered by internal conflicts and a retaliatory data dump following attacks on Russian banks, the exposed records offer a rare glimpse into Black Basta's tactics, operations, and leadership.
We've analyzed these newly unveiled tactics, and in this blog, we equip security teams with clear, actionable insights. We aim to highlight the key lessons learned, like immediate patching, tighter access controls, and rapid incident response, and provide an urgent call to action. This practical guide aims to help organizations strengthen their defenses against evolving
Tenable
South Korean and American Agencies Release Joint Advisory on North Korean Ransomware
blogs_tenable · 2023-02-16
Volexity
Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925
blogs_volexity · 2022-08-10 · CVSS 7.2 · CVE-2022-27925 [HIGH]
Threat Intelligence, August 10, 2022, Volexity Threat Research
[Note: Volexity has reported all findings in this post to Zimbra. Where an existing contact was known, Volexity has notified local CERTs of compromised Zimbra instances in their constituency. The newest versions of Zimbra are patched for both the RCE vulnerability and authentication bypass vulnerabilities described in this blog.]
In July and early August 2022, Volexity worked on multiple incidents where the victim organization experienced serious breaches to their Zimbra Collaboration Suite (ZCS) email servers. Volexity's investigations uncovered evidence indicating the likely cause of these breaches was exploitation of CVE-2022-27925, a remote-code-executio
Recorded Future
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
blogs_recorded_future
New Insikt Group research examines RedHotel, a Chinese state-sponsored threat activity group that stands out due to its persistence, operational intensity, and global reach. RedHotel's operations span 17 countries in Asia, Europe, and North America from 2021 to 2023. Its targets encompass academia, aerospace, government, media, telecommunications, and research sectors. Particularly focused on Southeast Asia's governments and private companies in specified sectors, RedHotel's infrastructure for malware command-and-control, reconnaissance, and exploitation points to administration in Chengdu, China. Its methods align with other contractor groups linked to China's Ministry of State Security (MSS), indicating a
Greynoiseio
GreyNoise
blogs_greynoiseio · CVSS 7.2 [HIGH]
References
- http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-37042
Timeline
- 2022-08-12: Published
- 2022-08-11: Added to CISA KEV
- Exploited in the wild