What is Zimbra Collaboration Suite?
Zimbra Collaboration Suite (ZCS) is an enterprise email, calendar, and collaboration platform used by government agencies, healthcare organisations, and enterprises globally. Its mboximport feature (the MailboxImportServlet) allows authenticated administrators to upload mailbox archive files (ZIP format) for import. CVE-2022-37042 removed the authentication requirement from this endpoint — transforming a privileged management function into an unauthenticated file upload vector accessible to any internet attacker.
Overview
CVE-2022-37042 is an authentication bypass in the MailboxImportServlet (mboximport) of Zimbra Collaboration Suite 8.8.15 and 9.0. By sending a request without a valid authentication token (authtoken), an unauthenticated attacker can bypass the authentication check and upload arbitrary files to the Zimbra server. Combined with path traversal, this achieves remote code execution without any credentials or user interaction.
CVE-2022-37042 exists because the fix for CVE-2022-27925 was incomplete: the earlier flaw was the same file upload vulnerability but required authentication. CVE-2022-37042 is the bypass that makes the attack fully unauthenticated.
Affected Versions
| Status | Zimbra ZCS Version |
|---|---|
| Vulnerable | ZCS 8.8.15 (all patches prior to fix) |
| Vulnerable | ZCS 9.0 (all patches prior to fix) |
| Fixed | Apply Zimbra security update per vendor advisory |
Technical Details
The MailboxImportServlet was designed to receive ZIP archives containing mailbox data from authenticated administrators. CVE-2022-27925 established that the servlet allowed authenticated users to upload arbitrary files and achieve path traversal — writing files outside the intended mailbox import directory. The fix for CVE-2022-27925 was supposed to add authentication enforcement. CVE-2022-37042 demonstrates that the fix was incomplete: by omitting the authtoken from the request, the servlet still processes the upload and executes the file operation, granting the same directory traversal capability without any credentials.
Combined with CVE-2022-27925's traversal capability, the two-CVE chain allows an unauthenticated attacker to:
- Send a POST request to the mboximport endpoint without an authtoken
- Include a ZIP archive with a path-traversing filename pointing to the Zimbra web root
- Extract a JSP webshell to /opt/zimbra/jetty/webapps/zimbra/ or a similar web-accessible path
- Access the webshell over HTTP and execute arbitrary commands on the server as the Zimbra service user
Attack characteristics:
- Authentication required: No (authentication bypass)
- User interaction: None
- Attack complexity: Low
- Network-accessible: Yes — mboximport is available via standard HTTPS
Exploitation Context
On August 10, 2022, Volexity reported mass exploitation of the CVE-2022-27925 + CVE-2022-37042 chain against over 1,000 Zimbra Collaboration Suite instances globally. The campaign was widespread and opportunistic, deploying webshells that provided persistent SYSTEM-level access to compromised mail servers.
CISA and the MS-ISAC jointly documented the Zimbra exploitation wave in advisory AA22-228A, noting that multiple threat actor groups — including both nation-state-affiliated actors and ransomware operators — were actively exploiting vulnerabilities across the Zimbra CVE cluster. CISA flagged CVE-2022-37042 with ransomware use, consistent with the observed post-exploitation pattern of webshell deployment as a foothold for ransomware staging.
Remediation
- Apply Zimbra security updates per the Zimbra security advisory and Zimbra Security Center. The fix adds proper authentication enforcement to the mboximport servlet.
- Restrict mboximport access — if your operational requirements allow, restrict access to the /service/home/mboximport endpoint to trusted administrator IP ranges via WAF or network ACL.
- Hunt for webshell artifacts — search the Zimbra web root (/opt/zimbra/jetty/webapps/zimbra/ and subdirectories) for JSP files with modification dates after the estimated exploitation window. Unexpected JSP files in the web root are a strong indicator of compromise.
- Review authentication logs for the mboximport endpoint for requests without a valid authtoken — these are indicators of exploitation attempts.
- If compromise is suspected: treat the Zimbra server as fully compromised. Collect forensic artifacts, rebuild from clean patched media, and rotate all credentials stored in or accessible from the server.
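To support the webshell hunt described above, here is an added example (not from this advisory and not Zimbra's own tooling) that walks a web root for JSP files modified after a given epoch, skipping a baseline allow-list of files a patch legitimately refreshed. The tree built in demo() is constructed sample data, and the one-week window length is an assumption.

```python
"""Hunt for unexpected JSP files under the Zimbra web root."""
import os
import tempfile
import time
from pathlib import Path

# Web root named in the advisory; adjust if your deployment differs.
ZIMBRA_WEBROOT = "/opt/zimbra/jetty/webapps/zimbra"


def find_suspect_jsp(root, since_epoch, known_good=frozenset()):
    """Return sorted [(relative_path, mtime)] for .jsp/.jspx files under root
    whose mtime is later than since_epoch, skipping relative paths listed in
    the known_good baseline (files a patch legitimately refreshed).
    Symlinks are not followed. mtime can be forged with utime, so compare
    st_ctime as a second signal when triaging a hit."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if rel in known_good:
                continue
            mtime = full.stat().st_mtime
            if mtime > since_epoch:
                hits.append((rel, mtime))
    return sorted(hits)


def demo():
    """Constructed sample tree (not a real ZCS layout): an old shipped JSP, a
    baseline JSP refreshed inside the window, and an unknown JSP dropped inside
    the window. Returns the relative paths the hunt flags."""
    base = Path(tempfile.mkdtemp(prefix="zimbra-hunt-"))
    window_start = time.time() - 7 * 86400       # assumed one-week window
    old = window_start - 30 * 86400
    for sub in ("public", "js", "h"):
        (base / sub).mkdir()
    (base / "public" / "login.jsp").write_text("<%-- shipped with ZCS --%>")
    os.utime(base / "public" / "login.jsp", (old, old))   # predates the window
    (base / "js" / "skin.jsp").write_text("<%-- refreshed by a patch --%>")
    (base / "h" / "search.jsp").write_text("<%-- unknown file (constructed) --%>")
    hits = find_suspect_jsp(base, window_start, known_good={"js/skin.jsp"})
    return [rel for rel, _ in hits]
```

On a live host, call find_suspect_jsp(ZIMBRA_WEBROOT, since_epoch) with the start of the suspected exploitation window and a baseline built from a known-clean install of the same patch level.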
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-37042 |
| Vendor / Product | Synacor — Zimbra Collaboration Suite (ZCS) |
| NVD Published | 2022-08-12 |
| NVD Last Modified | 2025-11-04 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CISA KEV Added | 2022-08-11 |
| CISA KEV Deadline | 2022-09-01 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2022-08-10 | Volexity reports mass exploitation of CVE-2022-27925 chained with CVE-2022-37042 against over 1,000 ZCS instances globally |
| 2022-08-11 | Added to CISA Known Exploited Vulnerabilities catalog; Zimbra issues updated advisory acknowledging authentication bypass |
| 2022-08-12 | CVE-2022-37042 published at NVD |
| 2022-09-01 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2022-37042 | Vulnerability Database |
| Zimbra Blog — Authentication Bypass in MailboxImportServlet | Vendor Advisory / Patch |
| CISA/MS-ISAC Advisory AA22-228A — Threat Actors Exploiting Multiple CVEs Against Zimbra | US Government |
| Volexity — Mass Exploitation of Unauthenticated Zimbra RCE (CVE-2022-27925 + CVE-2022-37042) | Security Research |
| CISA KEV Catalog Entry | US Government |
| CISA BOD 22-01 | Remediation Directive |
| CWE-22 — Improper Limitation of a Pathname to a Restricted Directory | Weakness Classification |