CVE-2022-27924

CVE-2022-27924 is a high-severity vulnerability in Synacor Zimbra Collaboration Suite with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-08-04). The underlying weakness is classified as CWE-74.

Key facts

Description

Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands becomes unescaped, causing an overwrite of arbitrary cached entries.

CVE-2022-27924: Zimbra Collaboration Unauthenticated Memcache Command Injection

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2022-27924
Product Zimbra Collaboration Suite (ZCS)
CVSS v3 7.5 HIGH
CVSS v3 Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v2 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
EPSS 0.84593 (99.67th percentile)
Known Exploited Yes (CISA KEV, added 2022-08-04; EUVD-2022-32412)
Published 2022-04-21

Summary

CVE-2022-27924 is an unauthenticated memcache command injection vulnerability in Zimbra Collaboration Suite (ZCS) versions 8.8.15 and 9.0. An attacker can craft malicious requests that inject arbitrary commands into the memcached service, bypassing proper input sanitization. Because these injected commands are not properly escaped, they overwrite arbitrary cached entries, enabling cache poisoning and potential authentication bypass scenarios.

Background

Zimbra Collaboration Suite is a widely deployed enterprise email and collaboration platform. It relies on memcached as a distributed caching layer to store session data, configuration parameters, and transient authentication tokens. Memcached uses a simple text-based protocol where commands are newline-delimited. When an application passes unsanitized user input directly into memcached without proper escaping, command injection becomes possible. This vulnerability was publicly disclosed in April 2022 and quickly added to the CISA Known Exploited Vulnerabilities catalog after in-the-wild exploitation was confirmed.

Root Cause

CWE-74: Injection

The root cause lies in insufficient input validation and lack of output escaping when Zimbra forwards user-controlled data to the memcached backend. Specifically, certain Zimbra endpoints accept untrusted input that is subsequently used to construct memcache protocol commands. Because the application does not neutralize memcache metacharacters (such as newlines and command keywords), an attacker can break out of the intended data value and inject arbitrary memcache directives—effectively treating untrusted input as part of the protocol stream rather than as opaque data.

Impact

The CVSS v3 score of 7.5 (HIGH) reflects a network-attackable vulnerability requiring no privileges or user interaction, with a primary impact on Integrity.

Metric Value
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Impact None
Integrity Impact High
Availability Impact None

Successful exploitation allows an unauthenticated attacker to manipulate cached entries. In a memcached-backed session store, this can lead to session poisoning, elevation of privileges, or authentication bypass. While the CVSS vector does not score Confidentiality or Availability impact, the practical security consequences can be severe in environments where memcached is used for security-critical state.

Exploitation Walkthrough

Ethics caveat: This section describes the defensive understanding of how exploitation occurs. No weaponized exploit code is provided.

  1. Reconnaissance: The attacker identifies a Zimbra Collaboration Suite instance running an affected version (8.8.15 or 9.0).
  2. Injection point: The attacker submits crafted input to a Zimbra endpoint that passes data to memcached without proper escaping.
  3. Command smuggling: By inserting memcache protocol metacharacters (e.g., newlines) into the input, the attacker terminates the intended command and appends arbitrary memcache directives such as set, delete, or flush_all.
  4. Cache manipulation: The memcached service executes the injected commands, overwriting or deleting entries in the shared cache.
  5. Impact realization: If session identifiers or authentication tokens are stored in memcached, the attacker can poison these entries to impersonate legitimate users or disrupt authentication flows.

Defenders should treat any Zimbra instance exposed to untrusted networks as high-risk if it has not been patched.

Affected and Patched Versions

Affected:

  • Zimbra Collaboration Suite 8.8.15 (all patch levels up to p31)
  • Zimbra Collaboration Suite 9.0.0 (all patch levels up to p23)

Patched:

Remediation

  1. Upgrade: Apply the latest Zimbra security patches for your major version. P24 for the 9.0 branch addresses this flaw.
  2. Network segmentation: Restrict network access to the Zimbra web interface and memcached ports (typically 11211/tcp) to authorized administrative hosts only. Memcached should never be exposed to untrusted networks.
  3. Input validation: Ensure that all user-controlled data passed to caching backends is strictly validated and properly escaped.
  4. Compensating controls: If immediate patching is not possible, consider placing a Web Application Firewall (WAF) rule in front of Zimbra to detect and block memcache command injection patterns, though this is not a substitute for patching.

Detection

  • Monitor memcached logs for anomalous commands originating from the Zimbra application tier.
  • Inspect HTTP access logs for suspicious payloads containing newline sequences or memcache keywords directed at Zimbra endpoints.
  • Leverage network detection rules (e.g., Suricata/Snort) to identify unusual traffic patterns between Zimbra and memcached.
  • Correlate CISA KEV and EUVD-2022-32412 indicators with your asset inventory to confirm exposure.

Assessment

With an EPSS score of 0.84593 (99.67th percentile) and confirmed inclusion in the CISA KEV catalog since August 2022, CVE-2022-27924 is a high-probability, high-impact threat for unpatched Zimbra deployments. The combination of unauthenticated network access, low attack complexity, and a widely used enterprise platform makes this a priority patching item.

Key lessons:

  1. Cache backends are not just performance tools—they are security boundaries. Treat memcached and similar services with the same input-sanitization rigor as databases.
  2. Rapid KEV inclusion is a signal. When a vulnerability appears in CISA KEV within months of disclosure, assume active exploitation and patch on an emergency basis.

References

Frequently asked questions

What is CVE-2022-27924?
Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands becomes unescaped, causing an overwrite of arbitrary cached entries.
How severe is CVE-2022-27924?
CVE-2022-27924 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity high, and availability none.
Is CVE-2022-27924 being actively exploited?
Yes. CVE-2022-27924 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-08-04, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2022-27924?
CVE-2022-27924 primarily affects Synacor Zimbra Collaboration Suite. In total, 56 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2022-27924?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2022-27924 have an EU (EUVD) identifier?
Yes. CVE-2022-27924 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-32412. It is also flagged as exploited in the EUVD (since 2022-08-04).
When was CVE-2022-27924 published?
CVE-2022-27924 was published on 2022-04-21 and last updated on 2026-06-17.

References

Affected products (56)

More vulnerabilities in Synacor Zimbra Collaboration Suite

All CVEs affecting Synacor Zimbra Collaboration Suite →

Other CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities

Browse all CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities →