CVE-2022-37042
CVE-2022-37042 is a critical-severity vulnerability in Synacor Zimbra Collaboration Suite with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-08-11). The underlying weakness is classified as CWE-22.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 88% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-08-11)
- EU (EUVD) id: EUVD-2022-39696
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-08-11)
- Weakness: CWE-22
- Affected product: Synacor Zimbra Collaboration Suite
- Published:
- Last modified:
Description
Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.
CVE-2022-37042: Zimbra Collaboration Suite Unauthenticated Path Traversal and RCE via mboximport
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2022-37042 |
| CVSS v3.1 | 9.8 (Critical) |
| EPSS | 0.88256 (88.26%) |
| KEV | Yes (since 2022-08-11) |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory |
| Published | 2022-08-12 |
Summary
Zimbra Collaboration Suite (ZCS) versions 8.8.15 and 9.0 contain a vulnerability in the mboximport functionality that receives and extracts ZIP archives. An attacker can bypass authentication and upload arbitrary files to the system, resulting in directory traversal and remote code execution. This vulnerability exists because of an incomplete fix for CVE-2022-27925.
Background
Zimbra Collaboration Suite is an enterprise email and collaboration platform widely deployed in organizations for messaging, calendaring, and document management. The mboximport feature is designed to allow administrators or users to import mailbox data from mbox format files, often packaged as ZIP archives for convenience. The functionality processes these archives server-side, extracting contents to appropriate directories within the Zimbra deployment.
Root Cause
The root cause is CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). The mboximport ZIP extraction routine fails to properly validate the filenames within the archive. Specifically, the incomplete fix for CVE-2022-27925 did not adequately restrict the extraction path, allowing malicious ZIP entries containing directory traversal sequences (e.g., ../) to write files outside the intended destination directory. Combined with the lack of authentication requirements on the mboximport endpoint, this allows unauthenticated attackers to place arbitrary files anywhere on the filesystem accessible to the Zimbra process.
Impact
This vulnerability is rated Critical with a CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H):
- Confidentiality Impact (HIGH): An attacker can read sensitive system files or user data.
- Integrity Impact (HIGH): Arbitrary file writes enable modification of system configuration, web application files, or executable content.
- Availability Impact (HIGH): System compromise can lead to denial of service or complete system takeover.
- Attack Vector: Network — exploitable remotely without authentication.
- Attack Complexity: Low — no special conditions or user interaction required.
Exploitation Walkthrough
Ethics Caveat: This section describes the vulnerability mechanism from a defensive perspective only. No working exploit code is provided. Attempting to exploit systems without authorization is illegal and unethical.
An attacker crafts a ZIP archive containing files with path traversal sequences in their names. The archive is submitted to the mboximport endpoint without authentication. During server-side extraction, the traversal sequences cause files to be written outside the intended import directory. By placing a web shell or modifying executable scripts in a web-accessible path, the attacker achieves remote code execution.
Affected and Patched Versions
Affected Versions:
- Zimbra Collaboration Suite 8.8.15 (all patch levels through p32)
- Zimbra Collaboration Suite 9.0 (all patch levels through p25, including p24.1)
Patched Versions:
Patch information is not specified in the available source data. Organizations should consult the Zimbra Security Advisories and apply the latest vendor-recommended patches.
Remediation
- Upgrade: Apply the latest Zimbra security patches as recommended by the vendor. Prioritize patching externally exposed instances.
- Compensating Controls:
- Restrict network access to the Zimbra administration and mboximport interfaces using firewall rules or VPN requirements.
- Implement Web Application Firewall (WAF) rules to block ZIP uploads containing path traversal patterns.
- Monitor for unauthorized access attempts to the mboximport endpoint.
- Validate that extraction routines enforce strict path confinement and reject archive entries with
../or absolute paths.
Detection
- Monitor web server and application logs for unauthenticated POST requests to mboximport endpoints.
- Alert on file system changes in web-accessible directories or unexpected file creation outside of expected Zimbra paths.
- Use intrusion detection systems (IDS) signatures for known Zimbra exploitation patterns.
- Review CISA's Known Exploited Vulnerabilities catalog for threat intelligence updates.
Assessment
With an EPSS score of 0.88256 (88.26% probability of exploitation) and inclusion in both the CISA KEV catalog and the EU Vulnerability Database as actively exploited since August 11, 2022, this vulnerability presents an extremely high and well-documented risk. The unauthenticated network-accessible attack vector and the critical CVSS score make this a priority patching item.
Key Lessons:
- Incomplete fixes are dangerous: Vulnerability patches must be thoroughly audited to ensure the root cause is fully addressed, not just the known exploitation path.
- Input validation is critical: All archive extraction routines must strictly validate entry paths against a whitelist of allowed directories.
References
Frequently asked questions
- What is CVE-2022-37042?
- Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.
- How severe is CVE-2022-37042?
- CVE-2022-37042 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-37042 being actively exploited?
- Yes. CVE-2022-37042 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-08-11, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2022-37042?
- CVE-2022-37042 primarily affects Synacor Zimbra Collaboration Suite. In total, 61 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-37042?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2022-37042 have an EU (EUVD) identifier?
- Yes. CVE-2022-37042 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-39696. It is also flagged as exploited in the EUVD (since 2022-08-11).
- When was CVE-2022-37042 published?
- CVE-2022-37042 was published on 2022-08-12 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-37042
Affected products (61)
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:-:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p1:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p10:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p11:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p12:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p13:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p14:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p15:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p16:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p17:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p18:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p19:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p2:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p20:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p21:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p22:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p23:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p24:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p25:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p26:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p27:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p28:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p29:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p3:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p30:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p31:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p31.1:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p32:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p4:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p5:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p6:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p7:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p8:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p9:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p10:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p11:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p12:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p13:*:*:*:*:*:*
More vulnerabilities in Synacor Zimbra Collaboration Suite
- CVE-2024-45519 — Critical (CVSS 10.0): The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before…
- CVE-2022-41352 — Critical (CVSS 9.8): An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through…
- CVE-2020-7796 — Critical (CVSS 9.8): Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is…
- CVE-2019-9670 — Critical (CVSS 9.8): mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection…
- CVE-2019-6980 — Critical (CVSS 9.8): Synacor Zimbra Collaboration Suite 8.7.x through 8.8.11 allows insecure object deserialization in the IMAP component.
- CVE-2018-20160 — Critical (CVSS 9.8): ZxChat (aka ZeXtras Chat), as used for zimbra-chat and zimbra-talk in Synacor Zimbra Collaboration Suite 8.7 and 8.8…
All CVEs affecting Synacor Zimbra Collaboration Suite →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…