CVE-2019-9621

HIGH KEV NUCLEI

Zimbra Collaboration Suite <8.6-8.8 - SSRF

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-9621 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added July 7, 2025. EIP tracks 4 public exploits from researchers including Metasploit, k8gege, An Trinh, Khanh Viet Pham, Jacob Robles, including a Metasploit module exploits/linux/http/zimbra_xxe_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits CVE-2019-9670 and CVE-2019-9621 in Zimbra Collaboration Suite, chaining XXE and SSRF vulnerabilities to achieve unauthenticated remote code execution via a JSP webshell upload.

Description

Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotelinux
https://www.exploit-db.com/exploits/46693

This Metasploit module exploits CVE-2019-9670 and CVE-2019-9621 in Zimbra Collaboration Suite, chaining XXE and SSRF vulnerabilities to achieve unauthenticated remote code execution via a JSP webshell upload.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Zimbra Collaboration Suite v8.5 to v8.7.11
No auth needed
Prerequisites: Network access to Zimbra's web interface (port 8443) · Zimbra Collaboration Suite v8.5 to v8.7.11
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by k8gege · pythonwebappsjsp
https://www.exploit-db.com/exploits/46967

This exploit leverages an XXE vulnerability (CVE-2019-9621) in Zimbra Collaboration Suite to extract credentials, perform SSRF to obtain an admin token, and upload a malicious JSP shell for remote code execution. The PoC is functional and demonstrates a multi-stage attack chain.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Zimbra Collaboration Suite
No auth needed
Prerequisites: Network access to the target Zimbra instance · Target must be vulnerable to XXE and SSRF
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 78 stars
by k8gege · remote
https://github.com/k8gege/ZimbraExploit

This repository contains a working exploit for CVE-2019-9621, targeting Zimbra Collaboration Suite versions <8.8.11. The exploit chains XXE (XML External Entity) and SSRF (Server-Side Request Forgery) vulnerabilities to achieve unauthenticated remote code execution (RCE) by uploading a JSP webshell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Zimbra Collaboration Suite <8.8.11
No auth needed
Prerequisites: Network access to the Zimbra server · Zimbra server version <8.8.11
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by An Trinh, Khanh Viet Pham, Jacob Robles · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/zimbra_xxe_rce.rb

This Metasploit module exploits CVE-2019-9621, an XXE vulnerability in Zimbra Collaboration Suite's Autodiscover Servlet, combined with SSRF in the ProxyServlet to achieve unauthenticated remote code execution. It chains multiple steps: XXE to leak LDAP credentials, SSRF to escalate to admin, and file upload for JSP shell deployment.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Zimbra Collaboration Suite v8.5 to v8.7.11
No auth needed
Prerequisites: Network access to Zimbra's web interface (port 8443) · No authentication required
devstral-2 · analyzed Apr 23, 2026 Full analysis →

Nuclei Templates (1)

Zimbra Collaboration Suite - SSRF
HIGHVERIFIEDby riteshs4hu
Shodan: html:"Zimbra Collaboration Suite Web Client"

References (10)

Core 10
Core References
Vendor Advisory x_refsource_confirm
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
Release Notes, Vendor Advisory x_refsource_misc
https://wiki.zimbra.com/wiki/Security_Center
Issue Tracking x_refsource_misc
https://bugzilla.zimbra.com/show_bug.cgi?id=109127
Exploit, Third Party Advisory x_refsource_misc
http://www.rapid7.com/db/modules/exploit/linux/http/zimbra_xxe_rce
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46693/
Vendor Advisory x_refsource_misc
https://blog.zimbra.com/2019/03/9826/

Scores

CVSS v3 7.5
EPSS 0.9411
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact partial

Details

CISA KEV 2025-07-07
VulnCheck KEV 2023-09-18
InTheWild.io 2021-12-04
ENISA EUVD EUVD-2019-18992
CWE
CWE-918
Status published
Products (6)
synacor/zimbra_collaboration_suite 8.6.0 (13 CPE variants)
synacor/zimbra_collaboration_suite 8.7.11 (11 CPE variants)
synacor/zimbra_collaboration_suite 8.8.9 (10 CPE variants)
synacor/zimbra_collaboration_suite 8.8.10 (7 CPE variants)
synacor/zimbra_collaboration_suite 8.8.11 (4 CPE variants)
synacor/zimbra_collaboration_suite < 8.6.0
Published Apr 30, 2019
KEV Added Jul 07, 2025
Tracked Since Feb 18, 2026