What is Zimbra Collaboration Suite?
Zimbra Collaboration Suite (ZCS) is an enterprise email and collaboration platform used by government agencies, universities, and enterprises globally. An integral component of ZCS's email processing pipeline is Amavis — the content filter that scans inbound email attachments for malware and spam. Amavis extracts archives attached to inbound messages for inspection, and in doing so, writes their contents to a known filesystem path. CVE-2022-41352 exploits the specific interaction between Amavis's use of the cpio archive extraction utility and the location to which it extracts files — which happens to be the Zimbra web application root, directly accessible via HTTP.
Overview
CVE-2022-41352 allows an unauthenticated remote attacker to deploy a webshell on a Zimbra server by emailing a crafted archive file. No credentials, no authentication, no user interaction — the attack is delivered through the normal email channel. Zimbra's antivirus component (Amavis) automatically extracts the archive for scanning and writes the attacker's JSP payload directly to the web root, making it immediately accessible over HTTP.
The vulnerability is a path traversal in Amavis's cpio extraction behaviour. It is structurally analogous to CVE-2022-30333 (which used RAR archives) but uses the cpio or tar format instead, and is rooted in the long-standing CVE-2015-1197 path traversal in the cpio utility itself.
Ubuntu-based installations are not vulnerable by default because Ubuntu ships the pax utility, which Amavis prefers over cpio. Red Hat Enterprise Linux and CentOS 7+ do not include pax in their default installation, making RHEL/CentOS-based Zimbra deployments vulnerable.
Affected Versions
| Status | Zimbra ZCS Version | Notes |
|---|---|---|
| Vulnerable | ZCS 8.8.15 prior to Patch 34 | RHEL/CentOS-based installs; Ubuntu not vulnerable by default |
| Vulnerable | ZCS 9.0 prior to Patch 27 | RHEL/CentOS-based installs; Ubuntu not vulnerable by default |
| Fixed | ZCS 8.8.15 Patch 34 and later | Switches from cpio to pax in Amavis configuration |
| Fixed | ZCS 9.0 Patch 27 (9.0.0.p27) and later | |
| Workaround | All versions | Install pax utility and restart Zimbra services |
Technical Details
Amavis is Zimbra's mail content filter. When Amavis receives an email containing an archive attachment, it extracts the archive's contents into a temporary directory for scanning. The extraction path for cpio archives resolves relative to Amavis's working directory — which, in Zimbra's configuration, is /opt/zimbra/jetty/webapps/zimbra/public. This path is also the Zimbra web application root, accessible via HTTP at https://<zimbra-server>/zimbra/public/.
An attacker exploits this as follows:
- Craft a cpio archive containing a JSP webshell with a path-traversing filename (e.g., `../../shell.jsp`).
- Email the archive to any address on the vulnerable Zimbra server. No interaction from the email recipient is needed.
- Amavis receives the email, detects the archive attachment, and invokes `cpio` to extract it for scanning.
- cpio extracts the payload to `/opt/zimbra/jetty/webapps/zimbra/` (the web root), writing `shell.jsp`.
- The attacker accesses the webshell at `https://<zimbra-server>/zimbra/shell.jsp` and executes arbitrary commands as the `zimbra` service user.
The attack requires no credentials, no user interaction, and arrives through the normal email delivery channel — indistinguishable from legitimate email traffic at the network level.
Why pax fixes it: pax does not honour path traversal sequences in archive filenames; it strips leading / and ../ components. When Amavis is configured to use pax instead of cpio, the webshell is written to a safe temporary directory rather than the web root.
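The core defect is that the extractor trusts entry names verbatim. A mail gateway or scanner can reject such archives before any extractor sees them by walking the cpio headers itself. The following is an added example, not Zimbra or Amavis code: a minimal parser for the newc cpio format that lists entry names and flags any that would escape the extraction directory. The sample archive is constructed inline and carries only placeholder text.

```python
"""Flag path-traversal entries in a newc-format cpio archive before extraction.
Added example for this advisory, not Zimbra/Amavis code; SAMPLE_CPIO is a
constructed fixture with placeholder bodies, not a real payload."""
import posixpath

NEWC_MAGIC = b"070701"          # "new ASCII" cpio format magic


def _pad4(n: int) -> int:
    """newc aligns header+name and file data to 4-byte boundaries."""
    return (n + 3) & ~3


def cpio_newc_entries(data: bytes):
    """Yield (name, filesize) for each entry up to the TRAILER!!! record."""
    off = 0
    while off + 110 <= len(data):
        if data[off:off + 6] != NEWC_MAGIC:
            raise ValueError(f"bad cpio magic at offset {off}")
        # 13 fields of 8 ASCII-hex chars follow the 6-byte magic (110 bytes total)
        fields = [int(data[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = data[off + 110:off + 110 + namesize - 1].decode("utf-8", "replace")
        if name == "TRAILER!!!":
            return
        yield name, filesize
        off = _pad4(off + 110 + namesize)   # skip header + NUL-terminated name
        off = _pad4(off + filesize)         # skip padded file data


def is_traversal(name: str) -> bool:
    """True if the entry would be written outside the extraction directory."""
    if name.startswith("/"):
        return True
    norm = posixpath.normpath(name)         # collapses a/../b but not ../b
    return norm == ".." or norm.startswith("../")


def unsafe_entries(data: bytes) -> list:
    return [n for n, _ in cpio_newc_entries(data) if is_traversal(n)]


def newc_entry(name: str, body: bytes) -> bytes:
    """Build one newc record (fixture helper; mode 0100644, other fields zero)."""
    nb = name.encode() + b"\0"
    vals = (0, 0o100644, 0, 0, 1, 0, len(body), 0, 0, 0, 0, len(nb), 0)
    rec = NEWC_MAGIC + "".join(f"{v:08x}" for v in vals).encode() + nb
    rec += b"\0" * (_pad4(len(rec)) - len(rec)) + body
    return rec + b"\0" * (_pad4(len(rec)) - len(rec))


SAMPLE_CPIO = (newc_entry("report.txt", b"quarterly figures")
               + newc_entry("../../shell.jsp", b"placeholder, not a webshell")
               + newc_entry("TRAILER!!!", b""))
```

Running `unsafe_entries(SAMPLE_CPIO)` returns the single traversing name, which is the signal a gateway would use to quarantine the message rather than hand the archive to cpio.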
Discovery
CVE-2022-41352 was discovered through active exploitation — the vulnerability was found in the wild, not through proactive security research. This means there was no responsible disclosure period; attackers were exploiting it before any vendor advisory existed. Zimbra acknowledged the issue and published workaround guidance (install pax) on or around October 4, 2022. A formal patch (switching Amavis to prefer pax) was released in ZCS 8.8.15 Patch 34 and 9.0.0 Patch 27.
Rapid7 noted in their analysis that CVE-2022-41352 was effectively identical in mechanism to CVE-2022-30333 (the RARLab path traversal, also known as the "RAR4J" issue) — the same attack surface (Amavis extracting untrusted archives) with a different file format (cpio/tar rather than .rar).
Exploitation Context
Volexity documented mass exploitation of CVE-2022-41352 in October 2022, identifying over 1,000 Zimbra server instances compromised in the wild. The exploitation was opportunistic and broad, consistent with automated scanning and exploitation rather than targeted campaigns. Post-exploitation activity included webshell deployment for persistent access, followed by data theft, lateral movement, and in some cases, staging for ransomware operations.
The vulnerability's delivery mechanism — arriving silently as a normal inbound email — made it particularly difficult to detect or block in advance. Organisations whose Zimbra servers processed external email were exposed regardless of their network perimeter configuration; the attack arrived inside the legitimate email delivery path.
Remediation
- Install the `pax` utility immediately if you cannot patch right away: on RHEL/CentOS, run `yum install pax`. Then restart Zimbra services (`sudo -u zimbra /opt/zimbra/bin/zmcontrol restart`). Amavis automatically prefers `pax` over `cpio` once `pax` is installed.
- Upgrade to ZCS 8.8.15 Patch 34 (or later) or ZCS 9.0.0 Patch 27 (or later) to apply the formal fix.
- Search the web root for unexpected JSP files: inspect `/opt/zimbra/jetty/webapps/zimbra/` for any `.jsp` files not present in the original Zimbra installation. Any such files are strong indicators of compromise.
- Review Amavis logs (`/opt/zimbra/log/mail.log`) for archive extraction activity and note any extractions that wrote files outside the expected temp directory.
- If webshells are found: the server should be treated as fully compromised. Collect forensic artifacts, rebuild from clean patched media, rotate all credentials, and audit Active Directory for indicators of lateral movement from the compromised server.
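The web-root check above is easiest to do against a baseline taken from a known-good install, so that both dropped files and tampered shipped files surface. Added example, not Zimbra tooling: it assumes a manifest of relative path to SHA-256 from a clean server of the same patch level, and builds a constructed fixture directory to show the two outcomes.

```python
"""Triage a Zimbra web root for JSP files that are new or modified relative to
a known-good manifest. Added example; WEB_ROOT is the path from the advisory,
the manifest format (relative path -> sha256) is an assumption of this script."""
import hashlib
import os
import tempfile
from pathlib import Path

WEB_ROOT = "/opt/zimbra/jetty/webapps/zimbra"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_jsp(root: str, baseline: dict) -> dict:
    """Return {'new': [...], 'modified': [...]} of .jsp files under root."""
    root_p = Path(root)
    found = {"new": [], "modified": []}
    for dirpath, _, files in os.walk(root_p):
        for fn in files:
            if not fn.lower().endswith(".jsp"):
                continue
            p = Path(dirpath, fn)
            rel = p.relative_to(root_p).as_posix()
            if rel not in baseline:
                found["new"].append(rel)              # dropped file: strong IoC
            elif baseline[rel] != sha256_of(p):
                found["modified"].append(rel)         # shipped file tampered with
    for k in found:
        found[k].sort()
    return found


def demo() -> dict:
    """Constructed fixture: one shipped JSP that was altered, one unexpected JSP."""
    baseline = {"public/index.jsp": hashlib.sha256(b"original").hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "public").mkdir()
        (Path(tmp) / "public" / "index.jsp").write_bytes(b"tampered")
        (Path(tmp) / "shell.jsp").write_bytes(b"placeholder")
        (Path(tmp) / "notes.txt").write_bytes(b"ignored, not jsp")
        return triage_jsp(tmp, baseline)


if __name__ == "__main__":
    print(demo())   # on a live host: triage_jsp(WEB_ROOT, manifest_from_clean_install)
```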
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-41352 |
| Vendor / Product | Synacor — Zimbra Collaboration Suite (ZCS) |
| NVD Published | 2022-09-26 |
| NVD Last Modified | 2025-11-03 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CISA KEV Added | 2022-10-20 |
| CISA KEV Deadline | 2022-11-10 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2022-09-26 | CVE-2022-41352 published at NVD; vulnerability discovered through active in-the-wild exploitation |
| 2022-10-04 | Volexity publishes analysis of mass exploitation; Zimbra issues workaround guidance (install pax utility) |
| 2022-10-06 | Rapid7 publishes technical analysis; notes vulnerability remains unpatched at time of writing |
| 2022-10-20 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-11-10 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2022-41352 | Vulnerability Database |
| Zimbra Security Center | Vendor Advisory / Patch |
| Rapid7 — Exploitation of Unpatched Zero-Day RCE in Zimbra (CVE-2022-41352) | Security Research |
| Volexity — Mass Exploitation of Unauthenticated Zimbra RCE (CVE-2022-41352) | Security Research |
| CISA/MS-ISAC Advisory AA22-228A — Threat Actors Exploiting Multiple CVEs Against Zimbra | US Government |
| CISA KEV Catalog Entry | US Government |
| CISA BOD 22-01 | Remediation Directive |
| CWE-22 — Improper Limitation of a Pathname to a Restricted Directory | Weakness Classification |