CVE-2022-27924 — Synacor Zimbra Collaboration Suite (ZCS) Command Injection Vulnerability

CVE-2022-27924

Zimbra Collaboration Suite — CRLF Injection in Memcache Enabling Cleartext Credential Theft Without Authentication

What is Zimbra Collaboration Suite?

Zimbra Collaboration Suite (ZCS) is an open-source enterprise email, calendar, and collaboration platform widely deployed by organizations worldwide, including government agencies. Zimbra uses Memcache as an internal caching layer to improve performance for authentication lookups. Because corporate email accounts contain sensitive communications, credentials, and business data, Zimbra servers are high-value targets for espionage and ransomware pre-staging.

Overview

CVE-2022-27924 is a CRLF injection (CWE-74) vulnerability in Zimbra Collaboration Suite. An unauthenticated remote attacker can inject Memcache commands into a targeted Zimbra instance by exploiting improper handling of user-supplied data in routing lookups. The injected commands overwrite cached entries, causing Zimbra to cache a poisoned response that redirects authentication requests — allowing the attacker to intercept cleartext credentials of Zimbra users who subsequently log in.

SonarSource researchers discovered and documented this attack, demonstrating that it allows mass credential harvesting from a Zimbra server with a single unauthenticated HTTP request.

Affected Versions

Product                       Vulnerable              Fixed
Zimbra Collaboration Suite    8.8.x < 8.8.15 P31.1    8.8.15 P31.1
Zimbra Collaboration Suite    9.0.x < 9.0.0 P24.1     9.0.0 P24.1

Technical Details

Zimbra routes incoming requests through a Nginx reverse proxy that uses Memcache to look up which backend server should handle requests for a given user. The routing lookup key is derived from a user-controlled value (e.g., the target email domain in the request).

The CRLF injection occurs because Zimbra does not sanitize newline characters (\r\n) in these lookup keys before passing them to Memcache. An attacker can inject \r\n sequences to terminate the legitimate Memcache command and append additional commands that set attacker-controlled cache entries.

Exploitation chain:

  1. Attacker sends a crafted HTTP request to the Zimbra Nginx proxy with a CRLF-injected hostname
  2. Zimbra passes the unsanitized value to Memcache as part of a GET command
  3. The CRLF characters terminate the GET and inject a SET command that caches attacker-controlled routing data
  4. Future authentication requests for the targeted user are routed to an attacker-controlled backend
  5. The attacker receives and logs plaintext credentials submitted by legitimate users

  • Authentication required: None — the injection is in unauthenticated routing logic
  • Impact: Mass credential theft from all users who log in after cache poisoning; credentials captured in cleartext
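The root cause is a lookup key that reaches the Memcache text protocol unvalidated. The following added example (not Zimbra's code, not SonarSource's) shows the defensive side of that mechanism: a key check that enforces the Memcache key rules (no whitespace or control bytes, at most 250 bytes) before a GET command is built, plus a small detector that flags proxy access-log entries whose request target carries raw or percent-encoded CR/LF. The log lines, paths and addresses are constructed for the example and assume the default nginx "combined" log format.

```python
import re

# Memcache text-protocol key rules: no whitespace or control characters and
# at most 250 bytes. Any byte that breaks these rules can end the command
# line early, which is exactly what the CRLF injection relies on.
MAX_KEY_BYTES = 250
_BAD_KEY_CHARS = re.compile(r"[\x00-\x20\x7f]")


class UnsafeKeyError(ValueError):
    """Raised when a user-supplied value cannot be used as a Memcache key."""


def is_safe_memcache_key(key: str) -> bool:
    """True only if the key is non-empty, free of control/whitespace bytes
    and within the protocol's length limit."""
    if not key or _BAD_KEY_CHARS.search(key):
        return False
    return len(key.encode("utf-8")) <= MAX_KEY_BYTES


def build_get_command(key: str) -> bytes:
    """Return the wire bytes for a single 'get <key>' command, refusing any
    key that could split the line and smuggle a second command."""
    if not is_safe_memcache_key(key):
        raise UnsafeKeyError(f"unsafe Memcache key: {key!r}")
    return b"get " + key.encode("utf-8") + b"\r\n"


# Detection over proxy access logs: a request target that contains a raw or
# percent-encoded CR/LF has no legitimate reason to exist in routing lookups.
_CRLF_MARKERS = re.compile(r"(%0[dD]|%0[aA]|\r|\n)")
_REQUEST_TARGET = re.compile(r'"(?:GET|POST|PUT|HEAD) ([^ "]+) HTTP/')


def find_crlf_requests(log_lines):
    """Return the request targets of log lines carrying CR/LF markers."""
    hits = []
    for line in log_lines:
        m = _REQUEST_TARGET.search(line)
        if m and _CRLF_MARKERS.search(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample log lines (hypothetical hosts, paths and clients).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Apr/2022:10:00:01 +0000] "GET /service/soap HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Apr/2022:10:00:07 +0000] "GET /service/lookup/x%0d%0ay HTTP/1.1" 200 12 "-" "curl/7.81"',
    '203.0.113.5 - - [21/Apr/2022:10:00:09 +0000] "POST /service/soap HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
]
```

Running `find_crlf_requests(SAMPLE_LOG)` returns only the second request target; `build_get_command` raises on any key containing `\r` or `\n` and accepts an ordinary routing key unchanged.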

Discovery

Discovered by Simo Ben Hakima and Simon Scannell from SonarSource, who published a detailed technical writeup.

Exploitation Context

CISA added this to KEV in August 2022. The attack is particularly dangerous because it is completely silent — no errors are generated, and victims are unaware their credentials have been captured. Compromised Zimbra credentials provide direct access to enterprise email, which is a springboard for spear phishing, lateral movement, and further credential harvesting. Google TAG noted that several nation-state actors actively targeted Zimbra in 2022.

Remediation

  1. Upgrade to Zimbra 8.8.15 Patch 31.1 or 9.0.0 Patch 24.1 or later
  2. After patching, force a password reset for all Zimbra users in case credentials were captured during the exposure window
  3. Review Zimbra Nginx and Memcache logs for unusual routing patterns or unexpected cache SET commands
  4. Implement network-level controls restricting Memcache (port 11211) access to trusted Zimbra components only
  5. Monitor for logins from unexpected geographic locations or IP addresses following the exposure period

Key Details

Property              Value
CVE ID                CVE-2022-27924
Vendor / Product      Synacor — Zimbra Collaboration Suite (ZCS)
NVD Published         2022-04-21
NVD Last Modified     2025-10-31
CVSS 3.1 Score        7.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity              HIGH
CWE                   CWE-74
CISA KEV Added        2022-08-04
CISA KEV Deadline     2022-08-25
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       None
Integrity             High
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2022-08-25. Apply updates per vendor instructions.

Timeline

Date          Event
2022-04-21    CVE published; Zimbra releases patch 9.0.0 P24.1
2022-08-04    Added to CISA Known Exploited Vulnerabilities catalog
2022-08-25    CISA BOD 22-01 remediation deadline