CVE-2022-27924
CVE-2022-27924 is a high-severity vulnerability in Synacor Zimbra Collaboration Suite with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-08-04). The underlying weakness is classified as CWE-74.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v2: 5.0
- EPSS exploit prediction: 85% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-08-04)
- EU (EUVD) id: EUVD-2022-32412
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-08-04)
- Weakness: CWE-74
- Affected product: Synacor Zimbra Collaboration Suite
- Published:
- Last modified:
Description
Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands becomes unescaped, causing an overwrite of arbitrary cached entries.
CVE-2022-27924: Zimbra Collaboration Unauthenticated Memcache Command Injection
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2022-27924 |
| Product | Zimbra Collaboration Suite (ZCS) |
| CVSS v3 | 7.5 HIGH |
| CVSS v3 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| CVSS v2 | 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) |
| CWE | CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| EPSS | 0.84593 (99.67th percentile) |
| Known Exploited | Yes (CISA KEV, added 2022-08-04; EUVD-2022-32412) |
| Published | 2022-04-21 |
Summary
CVE-2022-27924 is an unauthenticated memcache command injection vulnerability in Zimbra Collaboration Suite (ZCS) versions 8.8.15 and 9.0. An attacker can craft malicious requests that inject arbitrary commands into the memcached service, bypassing proper input sanitization. Because these injected commands are not properly escaped, they overwrite arbitrary cached entries, enabling cache poisoning and potential authentication bypass scenarios.
Background
Zimbra Collaboration Suite is a widely deployed enterprise email and collaboration platform. It relies on memcached as a distributed caching layer to store session data, configuration parameters, and transient authentication tokens. Memcached uses a simple text-based protocol where commands are newline-delimited. When an application passes unsanitized user input directly into memcached without proper escaping, command injection becomes possible. This vulnerability was publicly disclosed in April 2022 and quickly added to the CISA Known Exploited Vulnerabilities catalog after in-the-wild exploitation was confirmed.
Root Cause
CWE-74: Injection
The root cause lies in insufficient input validation and lack of output escaping when Zimbra forwards user-controlled data to the memcached backend. Specifically, certain Zimbra endpoints accept untrusted input that is subsequently used to construct memcache protocol commands. Because the application does not neutralize memcache metacharacters (such as newlines and command keywords), an attacker can break out of the intended data value and inject arbitrary memcache directives—effectively treating untrusted input as part of the protocol stream rather than as opaque data.
Impact
The CVSS v3 score of 7.5 (HIGH) reflects a network-attackable vulnerability requiring no privileges or user interaction, with a primary impact on Integrity.
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | None |
| Integrity Impact | High |
| Availability Impact | None |
Successful exploitation allows an unauthenticated attacker to manipulate cached entries. In a memcached-backed session store, this can lead to session poisoning, elevation of privileges, or authentication bypass. While the CVSS vector does not score Confidentiality or Availability impact, the practical security consequences can be severe in environments where memcached is used for security-critical state.
Exploitation Walkthrough
Ethics caveat: This section describes the defensive understanding of how exploitation occurs. No weaponized exploit code is provided.
- Reconnaissance: The attacker identifies a Zimbra Collaboration Suite instance running an affected version (8.8.15 or 9.0).
- Injection point: The attacker submits crafted input to a Zimbra endpoint that passes data to memcached without proper escaping.
- Command smuggling: By inserting memcache protocol metacharacters (e.g., newlines) into the input, the attacker terminates the intended command and appends arbitrary memcache directives such as
set,delete, orflush_all. - Cache manipulation: The memcached service executes the injected commands, overwriting or deleting entries in the shared cache.
- Impact realization: If session identifiers or authentication tokens are stored in memcached, the attacker can poison these entries to impersonate legitimate users or disrupt authentication flows.
Defenders should treat any Zimbra instance exposed to untrusted networks as high-risk if it has not been patched.
Affected and Patched Versions
Affected:
- Zimbra Collaboration Suite 8.8.15 (all patch levels up to p31)
- Zimbra Collaboration Suite 9.0.0 (all patch levels up to p23)
Patched:
- Upgrade to a fixed patch level or release as advised by Zimbra. Consult the Zimbra Security Advisories page and the 9.0.0 P24 release notes for definitive patch guidance.
Remediation
- Upgrade: Apply the latest Zimbra security patches for your major version. P24 for the 9.0 branch addresses this flaw.
- Network segmentation: Restrict network access to the Zimbra web interface and memcached ports (typically 11211/tcp) to authorized administrative hosts only. Memcached should never be exposed to untrusted networks.
- Input validation: Ensure that all user-controlled data passed to caching backends is strictly validated and properly escaped.
- Compensating controls: If immediate patching is not possible, consider placing a Web Application Firewall (WAF) rule in front of Zimbra to detect and block memcache command injection patterns, though this is not a substitute for patching.
Detection
- Monitor memcached logs for anomalous commands originating from the Zimbra application tier.
- Inspect HTTP access logs for suspicious payloads containing newline sequences or memcache keywords directed at Zimbra endpoints.
- Leverage network detection rules (e.g., Suricata/Snort) to identify unusual traffic patterns between Zimbra and memcached.
- Correlate CISA KEV and EUVD-2022-32412 indicators with your asset inventory to confirm exposure.
Assessment
With an EPSS score of 0.84593 (99.67th percentile) and confirmed inclusion in the CISA KEV catalog since August 2022, CVE-2022-27924 is a high-probability, high-impact threat for unpatched Zimbra deployments. The combination of unauthenticated network access, low attack complexity, and a widely used enterprise platform makes this a priority patching item.
Key lessons:
- Cache backends are not just performance tools—they are security boundaries. Treat memcached and similar services with the same input-sanitization rigor as databases.
- Rapid KEV inclusion is a signal. When a vulnerability appears in CISA KEV within months of disclosure, assume active exploitation and patch on an emergency basis.
References
Frequently asked questions
- What is CVE-2022-27924?
- Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands becomes unescaped, causing an overwrite of arbitrary cached entries.
- How severe is CVE-2022-27924?
- CVE-2022-27924 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity high, and availability none.
- Is CVE-2022-27924 being actively exploited?
- Yes. CVE-2022-27924 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-08-04, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2022-27924?
- CVE-2022-27924 primarily affects Synacor Zimbra Collaboration Suite. In total, 56 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-27924?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2022-27924 have an EU (EUVD) identifier?
- Yes. CVE-2022-27924 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-32412. It is also flagged as exploited in the EUVD (since 2022-08-04).
- When was CVE-2022-27924 published?
- CVE-2022-27924 was published on 2022-04-21 and last updated on 2026-06-17.
References
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-27924
Affected products (56)
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:-:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p1:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p10:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p11:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p12:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p13:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p14:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p15:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p16:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p17:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p18:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p19:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p2:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p20:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p21:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p22:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p23:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p24:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p25:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p26:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p27:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p28:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p29:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p3:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p30:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p31:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p4:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p5:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p6:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p7:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p8:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p9:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p10:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p11:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p12:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p13:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p14:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p15:*:*:*:*:*:*
More vulnerabilities in Synacor Zimbra Collaboration Suite
- CVE-2024-45519 — Critical (CVSS 10.0): The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before…
- CVE-2022-41352 — Critical (CVSS 9.8): An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through…
- CVE-2022-37042 — Critical (CVSS 9.8): Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts…
- CVE-2020-7796 — Critical (CVSS 9.8): Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is…
- CVE-2019-9670 — Critical (CVSS 9.8): mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection…
- CVE-2019-6980 — Critical (CVSS 9.8): Synacor Zimbra Collaboration Suite 8.7.x through 8.8.11 allows insecure object deserialization in the IMAP component.
All CVEs affecting Synacor Zimbra Collaboration Suite →
Other CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities
- CVE-2026-25586 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty…
- CVE-2026-25520 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped.…
- CVE-2025-20265 — Critical (CVSS 10.0): A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2025-20337 — Critical (CVSS 10.0): A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to…
- CVE-2025-20281 — Critical (CVSS 10.0): A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to…
- CVE-2024-42472 — Critical (CVSS 10.0): Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious…
Browse all CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities →