Attacker Value

Very High

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

CVE-2022-37042

Disclosure Date: August 12, 2022 •

CVE-2022-37042 CVSS v3 Base Score: 9.8

Exploited in the Wild

Reported by mkienow-r7 and 2 more...
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Credential Access

Techniques

Validation

Brute Force

Validated

Discovery

Techniques

Validation

System Owner/User Discovery

Validated

Privilege Escalation

Techniques

Validation

Exploitation for Privilege Escalation

Validated

Metasploit Module

exploit/linux/http/zimbra_mboximport_cve_2022_27925

Description

Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.

Add Assessment

rbowes-r7 (95)

August 23, 2022 4:43pm UTC (1 year ago)•Edited 1 year ago

Ratings

Attacker Value

Very High

Exploitability

Very High

Easy to weaponize Unauthenticated Vulnerable in default configuration

Technical Analysis

This is basically cve-2022-27925 – it’s the same exploit, but you don’t send an auth cookie and it fails to prevent access.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

zimbra

Products

collaboration 8.8.15,
collaboration 9.0.0

Metasploit Modules

exploit/linux/http/zimbra_mboximport_cve_2022_27925 (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/zimbra_mboximport_cve_2022_27925.rb)

Exploited in the Wild

Reported by:

mkienow-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: August 12, 2022 1:42am UTC (1 year ago)

andrew-morris indicated source as Other: GreyNoise (https://viz.greynoise.io/ip/178.173.230.202)

Reported: August 19, 2022 9:43pm UTC (1 year ago)

rbowes-r7 indicated sources as

Government or Industry Alert (https://www.cisa.gov/uscert/ncas/alerts/aa22-228a)
News Article or Blog (https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/)

Reported: August 23, 2022 4:43pm UTC (1 year ago)

References

Canonical

CVE-2022-37042 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37042)

Miscellaneous

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

https://wiki.zimbra.com/wiki/Security_Center

http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html

Rapid7

August 19, 2022 8:56pm UTC (1 year ago)

Technical Analysis

We analyzed this Zimbra vulnerability as part of CVE-2022-27925.

Very High

CVE-2022-37042

Very High

Very High

None

None

Network

CVE-2022-37042

Description