CVE-2022-37042

CRITICAL KEV RANSOMWARE NUCLEI

Zimbra Collaboration Suite 8.8.15/9.0 - Path Traversal & RCE via mboximport

Exploitation Summary

CVE-2022-37042 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added August 11, 2022, with confirmed use in ransomware campaigns. EIP tracks 5 public exploits from researchers including 0xf4n9x, aels, and GreyNoise-Intelligence, as well as a Metasploit module, exploits/linux/http/zimbra_mboximport_cve_2022_27925. A Nuclei detection template is also available.

Description

Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.

Exploits (5)

nomisec WORKING POC 30 stars
by 0xf4n9x · remote
https://github.com/0xf4n9x/CVE-2022-37042

This repository contains a functional Go-based exploit for CVE-2022-37042, which targets an authentication bypass in Zimbra Collaboration Suite leading to remote code execution via arbitrary file upload. The tool supports both vulnerability scanning and exploitation, including webshell upload capabilities.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Zimbra Collaboration Suite 8.8.15 and 9.0
No auth needed
Prerequisites: Network access to vulnerable Zimbra instance · Ability to send HTTP requests to the target
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 21 stars
by aels · remote
https://github.com/aels/CVE-2022-37042

This repository contains a functional Nuclei template for CVE-2022-37042, which exploits an unauthenticated RCE vulnerability in Zimbra Collaboration Suite via mboximport functionality. The template uploads a malicious ZIP archive to achieve directory traversal and remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Zimbra Collaboration Suite 8.8.15 and 9.0
No auth needed
Prerequisites: Access to the target Zimbra server · Network connectivity to the target
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 7 stars
by GreyNoise-Intelligence · poc
https://github.com/GreyNoise-Intelligence/Zimbra_CVE-2022-37042-_CVE-2022-27925

This repository contains a functional exploit for CVE-2022-37042, a vulnerability in Zimbra Collaboration Suite. The exploit leverages a path traversal flaw to upload a malicious JSP shell, achieving remote code execution (RCE) on the target system.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Zimbra Collaboration Suite
No auth needed
Prerequisites: Network access to the Zimbra server · Zimbra server with vulnerable version
devstral-2 · analyzed Feb 18, 2026

github WRITEUP 2 stars
by Pr0t0c01 · python · poc
https://github.com/Pr0t0c01/CVEs/tree/main/Zimbra_CVE-2022-37042

The repository provides a detailed description of CVE-2022-37042, an RCE and path traversal vulnerability in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0, stemming from an incomplete fix for CVE-2022-27925. It includes technical context, affected versions, and detection methods like Shodan/FoFa dorks and Nuclei scanning templates.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0
No auth needed
Prerequisites: Access to the mboximport functionality · Ability to craft a malicious ZIP archive
devstral-2 · analyzed Feb 27, 2026

metasploit WORKING POC EXCELLENT
by Volexity Threat Research, Yang_99 · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/zimbra_mboximport_cve_2022_27925.rb

This Metasploit module exploits a path traversal vulnerability in Zimbra Collaboration Suite's ZIP implementation (CVE-2022-27925) to upload a JSP-based backdoor. It sends a malicious ZIP file via POST request to the mboximport endpoint, extracts the payload to a traversed path, and triggers execution via HTTP GET.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier), 8.8.15 Patch 30 (and earlier)
Auth required
Prerequisites: Valid admin credentials for the Zimbra server · Network access to the Zimbra admin interface (port 7071)
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Zimbra Collaboration Suite 8.8.15/9.0 - Remote Code Execution
CRITICAL · by _0xf4n9x_, For3stCo1d
Shodan: http.favicon.hash:"1624375939" || http.favicon.hash:"475145467"
FOFA: app="zimbra-邮件系统" || icon_hash="475145467" || icon_hash="1624375939"

References (4)

Core References
Patch, Vendor Advisory x_refsource_misc
https://wiki.zimbra.com/wiki/Security_Center
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html

Scores

CVSS v3 9.8
EPSS 0.9433
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-08-11
VulnCheck KEV 2022-08-10
InTheWild.io 2022-08-11
ENISA EUVD EUVD-2022-39696
Ransomware Use Confirmed
CWE
CWE-22
Status published
Products (2)
synacor/zimbra_collaboration_suite 8.8.15 (34 CPE variants)
synacor/zimbra_collaboration_suite 9.0.0 (16 CPE variants)
Published Aug 12, 2022
KEV Added Aug 11, 2022
Tracked Since Feb 18, 2026