CVE-2022-37042

CVE-2022-37042 is a critical-severity vulnerability in Synacor Zimbra Collaboration Suite with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-08-11). The underlying weakness is classified as CWE-22.

Key facts

Description

Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.

CVE-2022-37042: Zimbra Collaboration Suite Unauthenticated Path Traversal and RCE via mboximport

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2022-37042
CVSS v3.1 9.8 (Critical)
EPSS 0.88256 (88.26%)
KEV Yes (since 2022-08-11)
CWE CWE-22: Improper Limitation of a Pathname to a Restricted Directory
Published 2022-08-12

Summary

Zimbra Collaboration Suite (ZCS) versions 8.8.15 and 9.0 contain a vulnerability in the mboximport functionality that receives and extracts ZIP archives. An attacker can bypass authentication and upload arbitrary files to the system, resulting in directory traversal and remote code execution. This vulnerability exists because of an incomplete fix for CVE-2022-27925.

Background

Zimbra Collaboration Suite is an enterprise email and collaboration platform widely deployed in organizations for messaging, calendaring, and document management. The mboximport feature is designed to allow administrators or users to import mailbox data from mbox format files, often packaged as ZIP archives for convenience. The functionality processes these archives server-side, extracting contents to appropriate directories within the Zimbra deployment.

Root Cause

The root cause is CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). The mboximport ZIP extraction routine fails to properly validate the filenames within the archive. Specifically, the incomplete fix for CVE-2022-27925 did not adequately restrict the extraction path, allowing malicious ZIP entries containing directory traversal sequences (e.g., ../) to write files outside the intended destination directory. Combined with the lack of authentication requirements on the mboximport endpoint, this allows unauthenticated attackers to place arbitrary files anywhere on the filesystem accessible to the Zimbra process.

Impact

This vulnerability is rated Critical with a CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H):

  • Confidentiality Impact (HIGH): An attacker can read sensitive system files or user data.
  • Integrity Impact (HIGH): Arbitrary file writes enable modification of system configuration, web application files, or executable content.
  • Availability Impact (HIGH): System compromise can lead to denial of service or complete system takeover.
  • Attack Vector: Network — exploitable remotely without authentication.
  • Attack Complexity: Low — no special conditions or user interaction required.

Exploitation Walkthrough

Ethics Caveat: This section describes the vulnerability mechanism from a defensive perspective only. No working exploit code is provided. Attempting to exploit systems without authorization is illegal and unethical.

An attacker crafts a ZIP archive containing files with path traversal sequences in their names. The archive is submitted to the mboximport endpoint without authentication. During server-side extraction, the traversal sequences cause files to be written outside the intended import directory. By placing a web shell or modifying executable scripts in a web-accessible path, the attacker achieves remote code execution.

Affected and Patched Versions

Affected Versions:

  • Zimbra Collaboration Suite 8.8.15 (all patch levels through p32)
  • Zimbra Collaboration Suite 9.0 (all patch levels through p25, including p24.1)

Patched Versions:
Patch information is not specified in the available source data. Organizations should consult the Zimbra Security Advisories and apply the latest vendor-recommended patches.

Remediation

  1. Upgrade: Apply the latest Zimbra security patches as recommended by the vendor. Prioritize patching externally exposed instances.
  2. Compensating Controls:
    • Restrict network access to the Zimbra administration and mboximport interfaces using firewall rules or VPN requirements.
    • Implement Web Application Firewall (WAF) rules to block ZIP uploads containing path traversal patterns.
    • Monitor for unauthorized access attempts to the mboximport endpoint.
    • Validate that extraction routines enforce strict path confinement and reject archive entries with ../ or absolute paths.

Detection

  • Monitor web server and application logs for unauthenticated POST requests to mboximport endpoints.
  • Alert on file system changes in web-accessible directories or unexpected file creation outside of expected Zimbra paths.
  • Use intrusion detection systems (IDS) signatures for known Zimbra exploitation patterns.
  • Review CISA's Known Exploited Vulnerabilities catalog for threat intelligence updates.

Assessment

With an EPSS score of 0.88256 (88.26% probability of exploitation) and inclusion in both the CISA KEV catalog and the EU Vulnerability Database as actively exploited since August 11, 2022, this vulnerability presents an extremely high and well-documented risk. The unauthenticated network-accessible attack vector and the critical CVSS score make this a priority patching item.

Key Lessons:

  1. Incomplete fixes are dangerous: Vulnerability patches must be thoroughly audited to ensure the root cause is fully addressed, not just the known exploitation path.
  2. Input validation is critical: All archive extraction routines must strictly validate entry paths against a whitelist of allowed directories.

References

Frequently asked questions

What is CVE-2022-37042?
Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.
How severe is CVE-2022-37042?
CVE-2022-37042 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2022-37042 being actively exploited?
Yes. CVE-2022-37042 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-08-11, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2022-37042?
CVE-2022-37042 primarily affects Synacor Zimbra Collaboration Suite. In total, 61 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2022-37042?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2022-37042 have an EU (EUVD) identifier?
Yes. CVE-2022-37042 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-39696. It is also flagged as exploited in the EUVD (since 2022-08-11).
When was CVE-2022-37042 published?
CVE-2022-37042 was published on 2022-08-12 and last updated on 2026-06-17.

References

Affected products (61)

More vulnerabilities in Synacor Zimbra Collaboration Suite

All CVEs affecting Synacor Zimbra Collaboration Suite →

Other CWE-22 (Path Traversal) vulnerabilities

Browse all CWE-22 (Path Traversal) vulnerabilities →