CVE-2019-9670

CRITICAL KEV NUCLEI

Synacor Zimbra Collaboration Suite <8.7.11p10 - XXE


Exploitation Summary

CVE-2019-9670 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 10, 2022. EIP tracks 6 public exploits from researchers including Metasploit, rek7 and attackgithub, among them the Metasploit module exploits/linux/http/zimbra_xxe_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2019-9670 and CVE-2019-9621 in Zimbra Collaboration Suite, chaining XXE and SSRF vulnerabilities to achieve unauthenticated remote code execution via a JSP webshell upload.

Description

mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/46693

This Metasploit module exploits CVE-2019-9670 and CVE-2019-9621 in Zimbra Collaboration Suite, chaining XXE and SSRF vulnerabilities to achieve unauthenticated remote code execution via a JSP webshell upload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Zimbra Collaboration Suite v8.5 to v8.7.11
No auth needed
Prerequisites: Network access to Zimbra's web interface (port 8443) · Zimbra Collaboration Suite v8.5 to v8.7.11
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 27 stars
by rek7 · remote
https://github.com/rek7/Zimbra-RCE

This is a functional exploit for CVE-2019-9670, targeting Zimbra's Autodiscover Servlet XXE and ProxyServlet SSRF vulnerabilities. It extracts credentials via XXE, escalates privileges via SSRF to obtain an admin token, and uploads a payload for RCE.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Zimbra <= 8.7.0 and 8.7.11
No auth needed
Prerequisites: Network access to Zimbra server · DTD hosted on attacker-controlled server · Payload file for upload
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by attackgithub · remote
https://github.com/attackgithub/Zimbra-RCE

This is a functional exploit for CVE-2019-9670, targeting Zimbra's Autodiscover Servlet XXE and ProxyServlet SSRF vulnerabilities. It extracts credentials via XXE, escalates privileges via SSRF to obtain an admin token, and uploads a payload for RCE.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Zimbra <= 8.7.0 and 8.7.11
No auth needed
Prerequisites: Network access to Zimbra instance · DTD hosted on attacker-controlled server · Payload file for upload
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER
by Cappricio-Securities · poc
https://github.com/Cappricio-Securities/CVE-2019-9670

This repository contains a Python-based scanner for detecting CVE-2019-9670, a vulnerability in Zimbra Collaboration Suite. The tool checks for the presence of the vulnerability by sending a crafted request and analyzing the response for specific indicators.

Classification: Scanner 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Zimbra Collaboration Suite
No auth needed
Prerequisites: Network access to the target Zimbra server
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by Phuong39 · poc
https://github.com/Phuong39/zaber

This is a Golang-based exploit for CVE-2019-9670, an XXE vulnerability in Zimbra Collaboration 8.7.X < 8.7.11p10. It sends a crafted XML payload to read the /etc/passwd file and checks for vulnerability.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Zimbra Collaboration 8.7.X < 8.7.11p10
No auth needed
Prerequisites: Network access to the target Zimbra server · Go installed for compilation
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by An Trinh, Khanh Viet Pham, Jacob Robles · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/zimbra_xxe_rce.rb

This Metasploit module exploits CVE-2019-9670, an XXE vulnerability in Zimbra Collaboration Suite, to achieve unauthenticated remote code execution by chaining XXE, SSRF, and file upload techniques.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Zimbra Collaboration Suite v8.5 to v8.7.11
No auth needed
Prerequisites: Network access to Zimbra server · Zimbra server running a vulnerable version
devstral-2 · analyzed Feb 19, 2026

Nuclei Templates (1)

Synacor Zimbra Collaboration <8.7.11p10 - XML External Entity Injection
CRITICAL · by ree4pwn
Shodan: http.title:"zimbra collaboration suite" || http.title:"zimbra web client sign in"
FOFA: title="zimbra web client sign in" || title="zimbra collaboration suite"

References (7)

Core References
Broken Link, Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugzilla.zimbra.com/show_bug.cgi?id=109129
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46693/

Scores

CVSS v3 9.8
EPSS 0.9440
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-01-10
VulnCheck KEV 2020-07-16
InTheWild.io 2019-04-03
ENISA EUVD EUVD-2019-19036
CWE CWE-611
Status published
Products (2)
synacor/zimbra_collaboration_suite 8.7.11 (10 CPE variants)
synacor/zimbra_collaboration_suite 8.7.0 - 8.7.11
Published May 29, 2019
KEV Added Jan 10, 2022
Tracked Since Feb 18, 2026