CVE-2022-27925

CVE-2022-27925 is a high-severity vulnerability in Synacor Zimbra Collaboration Suite with a CVSS 3.x base score of 7.2. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-08-11). The underlying weakness is classified as CWE-22.

Key facts

Description

Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.

CVE-2022-27925: Zimbra Collaboration Suite mboximport ZIP Path Traversal

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2022-27925
CWE CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS v3.1 7.2 HIGH (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVSS v2 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
EPSS 0.98163 (98.16% probability) — 99.9th percentile
CISA KEV Listed 2022-08-11
Ransomware Affiliation Confirmed
Published 2022-04-21

Summary

CVE-2022-27925 is a path-traversal vulnerability in Zimbra Collaboration Suite (ZCS) versions 8.8.15 and 9.0. The mboximport functionality accepts a ZIP archive and extracts its contents without adequately sanitising file paths. An authenticated user with administrator privileges can craft a malicious ZIP archive containing directory-traversal sequences (e.g., ../../) to write files to arbitrary locations on the underlying filesystem. This flaw has been actively exploited in the wild and is associated with ransomware campaigns.

Background

Zimbra Collaboration Suite is a widely deployed open-source email and collaboration platform used by enterprises, governments, and managed-service providers. The mboximport feature is intended to allow administrators to import mailbox data in bulk via ZIP archives. Because the extraction logic trusts the filenames embedded in the archive, it becomes a high-value attack surface when an adversary gains administrative credentials or coerces an admin into uploading a crafted archive.

Root Cause

CWE-22 — Path Traversal.

The mboximport handler extracts entries from the uploaded ZIP directly to a target directory using the filename stored in the archive header. It does not strip or validate relative path components (../, ..\). Consequently, an entry named ../../../opt/zimbra/jetty/webapps/zimbra/shell.jsp is written outside the intended import path, landing in a web-accessible directory or other sensitive system locations. The weakness is a classic failure to enforce a restricted directory boundary during archive decompression.

Impact

  • Confidentiality: High — arbitrary file read is indirect, but file write enables backdoors that can exfiltrate data.
  • Integrity: High — attacker-controlled content can overwrite application files, configurations, or system binaries.
  • Availability: High — overwritten files can crash services or render the system inoperable.

The CVSS v3.1 vector (PR:H) reflects that admin privileges are required, yet the impact is total system compromise once that threshold is crossed. The CVSS v2 score of 6.5 also flags network accessibility with single-authentication and partial impact across the CIA triad.

EPSS sits at 0.98163, indicating near-certain active exploitation in the wild. CISA added this CVE to the Known Exploited Vulnerabilities catalog on 11 August 2022, and threat-intelligence links it to ransomware operations.

Exploitation Walkthrough (Defensive Perspective)

From a defender's standpoint, the exploitation chain is straightforward to understand but critical to monitor:

  1. Authentication: The attacker must first obtain valid admin credentials (phishing, credential stuffing, or lateral movement).
  2. Archive Crafting: A ZIP file is prepared with one or more entries whose relative paths escape the intended extraction root.
  3. Upload: The attacker navigates to the admin console and uses the mboximport feature to upload the archive.
  4. Extraction: The server unpacks the ZIP, writing files to attacker-controlled locations — commonly web-shell paths under Jetty or cron directories.
  5. Post-Exploitation: The attacker interacts with the planted web shell or scheduled task to establish persistence and move laterally.

Ethics caveat: This description is intentionally generic and omits working exploit code. It is provided for detection-engineering and patching prioritisation only. Do not attempt against systems you do not own.

Affected and Patched Versions

Affected

  • Zimbra Collaboration Suite 8.8.15 (all patches through p30)
  • Zimbra Collaboration Suite 9.0.0 (all patches through p23)

Patched

  • Upgrade to Zimbra 9.0.0 Patch 24 or later
  • Zimbra 8.8.15 users should migrate to a supported release line or apply the vendor's security hotfix if available

Refer to the Zimbra Security Advisories wiki and the 9.0.0/P24 release notes for definitive patch guidance.

Remediation

  1. Upgrade immediately. Apply Patch 24 (or later) for the 9.0 branch. If you are on 8.8.15, plan a migration to a supported version.
  2. Restrict admin access. Enforce multi-factor authentication (MFA) on all admin accounts, limit admin console exposure to bastion hosts or VPN-only ranges, and monitor for impossible-travel logins.
  3. Input validation (compensating control). If patching is delayed, consider placing a reverse proxy or WAF rule that inspects ZIP uploads to the mboximport endpoint and blocks archives containing path-traversal sequences in entry names.
  4. Principle of least privilege. Review whether all current admin users genuinely require full administrative rights; delegate role-based access where possible.

Detection

  • File-integrity monitoring (FIM): Alert on unexpected writes under /opt/zimbra/jetty/webapps/ or system directories such as /etc/cron.d/.
  • Web-proxy / WAF logs: Look for unusual POST requests to mboximport endpoints from non-bastion IPs, especially outside change windows.
  • Endpoint detection: Monitor for child processes spawned by the Zimbra Java process (Jetty) that execute shells or interpreters.
  • YARA / SIGMA: Hunt for web shells in Zimbra web roots with low file-age or anomalous entropy.
  • CISA KEV correlation: Ensure this CVE ID is present in your vulnerability-scanner coverage and remediation SLAs (CISA mandates federal agencies patch KEVs within aggressive timelines).

Assessment

CVE-2022-27925 is a textbook archive-extraction path-traversal flaw, elevated to critical real-world importance by its 98.16% EPSS score and confirmed ransomware exploitation. While the PR:H requirement offers some mitigation, organisations that rely on Zimbra for email and collaboration must treat this as a high-priority patch. The key lesson is that archive extraction is a dangerous primitive — any code that unpacks user-supplied ZIP, TAR, or 7z files must validate every entry path against a strict allow-list or canonical base directory. The second lesson is that admin consoles are high-value targets; MFA and network segmentation are not optional defences for mail-server infrastructure.

References

Frequently asked questions

What is CVE-2022-27925?
Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.
How severe is CVE-2022-27925?
CVE-2022-27925 has a CVSS 3.x base score of 7.2, rated high severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2022-27925 being actively exploited?
Yes. CVE-2022-27925 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-08-11, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2022-27925?
CVE-2022-27925 primarily affects Synacor Zimbra Collaboration Suite. In total, 55 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2022-27925?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2022-27925 have an EU (EUVD) identifier?
Yes. CVE-2022-27925 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-32413. It is also flagged as exploited in the EUVD (since 2022-08-11).
When was CVE-2022-27925 published?
CVE-2022-27925 was published on 2022-04-21 and last updated on 2026-06-17.

References

Affected products (55)

More vulnerabilities in Synacor Zimbra Collaboration Suite

All CVEs affecting Synacor Zimbra Collaboration Suite →

Other CWE-22 (Path Traversal) vulnerabilities

Browse all CWE-22 (Path Traversal) vulnerabilities →