CVE-2022-27925 — Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability

Zimbra Collaboration Suite — Arbitrary File Upload via mboximport, Enabling RCE When Chained with Auth Bypass (CVE-2022-37042)

What is Zimbra Collaboration Suite?

Zimbra Collaboration Suite (ZCS) is an enterprise email and collaboration platform deployed by governments, enterprises, and ISPs worldwide. Zimbra's mboximport functionality is an administrative feature used to import mailbox data. When authentication enforcement on this endpoint is flawed, it becomes an unauthenticated RCE vector.

Overview

CVE-2022-27925 is a path traversal / arbitrary file upload vulnerability (CWE-22) in Zimbra's MailboxImportServlet (mboximport) endpoint. An attacker with administrator-level credentials can upload arbitrary files — including JSP web shells — to any location on the Zimbra server, achieving remote code execution.

By itself, the vulnerability requires high privileges (admin credentials). However, it was chained with CVE-2022-37042, a separate authentication bypass in the same endpoint, to become a fully unauthenticated RCE. Volexity documented mass exploitation of this chain in August 2022, finding hundreds of Zimbra servers compromised with web shells.

Affected Versions

Product                       Vulnerable      Fixed
Zimbra Collaboration Suite    8.8.15 < P33    P33
Zimbra Collaboration Suite    9.0.0 < P26     P26

The CVE-2022-37042 auth bypass was separately patched; both patches are needed for full remediation.

Technical Details

The mboximport endpoint accepts file uploads for mailbox import operations. The path traversal vulnerability (CWE-22) allows the filename parameter in the upload request to contain directory traversal sequences, placing the uploaded file in attacker-chosen locations — including the Zimbra web application directory.

When CVE-2022-37042 (authentication bypass) is chained:

  1. CVE-2022-37042 bypasses authentication for the mboximport endpoint
  2. CVE-2022-27925 uploads a JSP web shell to the Zimbra webapps directory
  3. Attacker accesses the web shell via HTTP for unauthenticated remote code execution

Privilege and impact summary:

  • Standalone: Requires admin authentication (high privilege)
  • Chained with CVE-2022-37042: Unauthenticated — no credentials required
  • Impact: Full RCE as the Zimbra service user; access to all email data on the server
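The defect class above is CWE-22: a caller-supplied file name is joined to a server directory without confirming where the result lands. The following added example (not Zimbra's code, and not the vendor's fix) contrasts that unsafe join with a hardened containment check that an import routine should perform before writing any uploaded entry. The base directory "/opt/zimbra/import" and the entry names are constructed for illustration.

```python
from __future__ import annotations

import os
import posixpath

# Constructed import directory used by the examples below; not a real Zimbra path.
IMPORT_DIR = "/opt/zimbra/import"


def unsafe_target(base_dir: str, entry_name: str) -> str:
    """Vulnerable pattern (CWE-22): the supplied name is joined to base_dir and
    normalised, but nothing checks that the result stays under base_dir, so
    "../" segments walk out of the import directory."""
    return os.path.normpath(os.path.join(base_dir, entry_name))


def safe_target(base_dir: str, entry_name: str) -> str:
    """Hardened form: reject absolute names and traversal, then confirm the
    resolved path is base_dir itself or a descendant of it."""
    if not entry_name or entry_name != entry_name.strip():
        raise ValueError("empty or whitespace-padded entry name")
    # Fold backslashes so a Windows-style separator cannot hide a ".." segment.
    normalised = posixpath.normpath(entry_name.replace("\\", "/"))
    if normalised.startswith("/") or normalised == ".." or normalised.startswith("../"):
        raise ValueError(f"rejected absolute or traversing entry name: {entry_name!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, normalised))
    # Containment check on the resolved path (covers symlink tricks inside base).
    if candidate != base and not candidate.startswith(base + os.sep):
        raise ValueError(f"entry escapes import directory: {entry_name!r}")
    return candidate


def classify_entries(base_dir: str, entry_names: list[str]) -> dict[str, bool]:
    """Map each entry name to True if the hardened check accepts it."""
    result: dict[str, bool] = {}
    for name in entry_names:
        try:
            safe_target(base_dir, name)
            result[name] = True
        except ValueError:
            result[name] = False
    return result


if __name__ == "__main__":
    # Constructed entry names: a normal mailbox file and three escape attempts.
    samples = ["Inbox/msg001.eml", "../../outside.jsp", "..\\..\\outside.jsp", "/tmp/outside.jsp"]
    for name in samples:
        print(f"{name!r:28} unsafe -> {unsafe_target(IMPORT_DIR, name)}")
    print(classify_entries(IMPORT_DIR, samples))
```

The point of the comparison is that normalisation alone is not a fix: unsafe_target normalises too, and still yields a path outside the import directory. Only the explicit prefix check on the resolved path, combined with rejecting absolute names, closes the hole.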

Discovery

The file upload vulnerability was reported to Zimbra; the authentication bypass (CVE-2022-37042) enabling unauthenticated exploitation was identified later, with Volexity documenting active mass exploitation.

Exploitation Context

Volexity's August 2022 report identified over 1,000 Zimbra servers compromised via this chain. Exploitation involved automated scanning and web shell deployment, with subsequent data exfiltration of email archives. Threat actors observed included both opportunistic groups and targeted nation-state actors. The same servers targeted by this chain were also targeted by CVE-2022-27924 (Memcache credential theft) and CVE-2022-30333 (UnRAR path traversal) — Zimbra servers were heavily targeted from multiple angles in 2022.

Remediation

  1. Apply Zimbra 8.8.15 Patch 33 or 9.0.0 Patch 26 (addresses both CVE-2022-27925 and CVE-2022-37042)
  2. Immediately after patching, audit the Zimbra web directory for unauthorized JSP files: find /opt/zimbra/jetty/webapps -name "*.jsp" | xargs grep -l "Runtime.exec\|ProcessBuilder\|cmd\|bash" (treat the pattern list as a starting point and review hits manually: the literal "Runtime.exec" does not match the Runtime.getRuntime().exec form, and "cmd" and "bash" also match legitimate files)
  3. Search for web shells in: /opt/zimbra/jetty/webapps/zimbra/, /opt/zimbra/jetty/webapps/zimbraAdmin/
  4. Review Zimbra access logs for POST requests to /service/extension/backup/mboximport from external IPs
  5. Force password resets for all Zimbra accounts as a precaution; rotate any credentials potentially exposed via email
  6. Consider placing Zimbra's admin interface behind a VPN or IP allowlist
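Steps 2 through 4 above are one post-patch audit: look for JSP files carrying web shell indicators, and look for POSTs to the mboximport endpoint from outside the network. The following added script (not from the advisory, Volexity, or Zimbra) implements both checks over a constructed fixture so it runs offline; on a real server you would point scan_jsp_indicators at /opt/zimbra/jetty/webapps and feed external_mboximport_posts the Jetty access log (log location and format, assumed here to be common/combined log format, vary by deployment).

```python
from __future__ import annotations

import ipaddress
import os
import re
import tempfile
from typing import Iterable

MBOXIMPORT_PATH = "/service/extension/backup/mboximport"

# Indicator strings from the advisory's grep, plus Runtime.getRuntime, which the
# literal "Runtime.exec" misses. "cmd" and "bash" are noisy; every hit needs review.
JSP_INDICATORS = re.compile(r"Runtime\.getRuntime|Runtime\.exec|ProcessBuilder|cmd|bash")

# Common/combined log format; only the fields the audit needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Addresses treated as internal. Explicit ranges are used instead of
# ipaddress.is_private, which also classifies the documentation ranges
# (e.g. 203.0.113.0/24) as private and would hide the sample below.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def scan_jsp_indicators(webapps_dir: str) -> list[str]:
    """Step 2/3: JSP files under webapps_dir whose content matches an indicator."""
    hits: list[str] = []
    for root, _dirs, files in os.walk(webapps_dir):
        for name in files:
            if not name.lower().endswith(".jsp"):
                continue
            path = os.path.join(root, name)
            with open(path, "r", errors="replace") as fh:
                if JSP_INDICATORS.search(fh.read()):
                    hits.append(os.path.relpath(path, webapps_dir))
    return sorted(hits)


def external_mboximport_posts(lines: Iterable[str]) -> list[dict]:
    """Step 4: POST requests to the mboximport endpoint from non-internal addresses."""
    findings: list[dict] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != MBOXIMPORT_PATH:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed client field; skip rather than crash the audit
        if any(ip in net for net in INTERNAL_NETS):
            continue
        findings.append({"ip": str(ip), "ts": m["ts"], "status": int(m["status"])})
    return findings


# Constructed access-log lines: one internal admin import, one external POST to
# the endpoint, and two unrelated requests.
SAMPLE_LOG = [
    '10.0.0.5 - admin [10/Aug/2022:02:15:01 +0000] "POST /service/extension/backup/mboximport HTTP/1.1" 200 0',
    '203.0.113.7 - - [10/Aug/2022:02:16:44 +0000] "POST /service/extension/backup/mboximport HTTP/1.1" 200 0',
    '203.0.113.7 - - [10/Aug/2022:02:17:02 +0000] "GET /zimbraAdmin/js/upload.jsp HTTP/1.1" 200 12',
    '198.51.100.9 - - [10/Aug/2022:02:18:10 +0000] "GET /zimbra/ HTTP/1.1" 200 4096',
]


def build_fixture() -> str:
    """Create a constructed webapps tree: one benign JSP and one carrying an
    indicator marker (a comment, not executable code). Returns the root path."""
    root = tempfile.mkdtemp(prefix="zimbra-audit-")
    os.makedirs(os.path.join(root, "zimbra", "public"))
    os.makedirs(os.path.join(root, "zimbraAdmin", "js"))
    with open(os.path.join(root, "zimbra", "public", "index.jsp"), "w") as fh:
        fh.write("<html><body>login</body></html>\n")
    with open(os.path.join(root, "zimbraAdmin", "js", "upload.jsp"), "w") as fh:
        fh.write("<%-- constructed test marker: ProcessBuilder --%>\n")
    return root


def run_audit(webapps_dir: str, log_lines: Iterable[str]) -> dict:
    return {"jsp_hits": scan_jsp_indicators(webapps_dir), "external_posts": external_mboximport_posts(log_lines)}


if __name__ == "__main__":
    fixture = build_fixture()
    print(run_audit(fixture, SAMPLE_LOG))
```

A JSP hit next to an external POST to the endpoint at an earlier timestamp, as in the constructed sample, is the pairing worth escalating; a lone indicator hit in a stock file is usually a false positive from the broad "cmd"/"bash" patterns.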

Key Details

Property               Value
CVE ID                 CVE-2022-27925
Vendor / Product       Synacor — Zimbra Collaboration Suite (ZCS)
NVD Published          2022-04-21
NVD Last Modified      2025-10-31
CVSS 3.1 Score         7.2
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-22
CISA KEV Added         2022-08-11
CISA KEV Deadline      2022-09-01
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-09-01. Apply updates per vendor instructions.

Timeline

Date          Event
2022-04-21    CVE-2022-27925 published; initial fix requires admin credentials
2022-08-10    Volexity publishes report on mass exploitation combining CVE-2022-27925 with CVE-2022-37042 auth bypass
2022-08-11    Added to CISA Known Exploited Vulnerabilities catalog
2022-08-12    Zimbra publishes emergency patch for CVE-2022-37042 auth bypass
2022-09-01    CISA BOD 22-01 remediation deadline