CVE-2022-41352

CRITICAL KEV RANSOMWARE NUCLEI

Zimbra Collaboration <9.0 - Privilege Escalation


Exploitation Summary

CVE-2022-41352 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added October 20, 2022, with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including Cr4ckC4t, segfault-it, qailanet. A Nuclei detection template is also available.

AI-analyzed exploit summary

This is a working exploit for CVE-2022-41352, an arbitrary file write vulnerability in Zimbra mail servers due to a vulnerable `cpio` version. The exploit crafts a malicious tar file to achieve unauthenticated remote code execution by writing a JSP webshell to the target server.

Description

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.

Exploits (3)

nomisec · Working PoC · 105 stars
by Cr4ckC4t · poc
https://github.com/Cr4ckC4t/cve-2022-41352-zimbra-rce

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Zimbra Collaboration Suite <9.0.0.p27, <8.8.15.p34
Authentication: none required
Prerequisites: Network access to the Zimbra SMTP service · Target server must be running a vulnerable version of Zimbra
devstral-2 · analyzed Feb 16, 2026
nomisec · Working PoC · 8 stars
by segfault-it · client-side
https://github.com/segfault-it/cve-2022-41352

This PoC exploits CVE-2022-41352, a path traversal vulnerability in cpio, by crafting a malicious tar archive with a symlink that extracts files outside the intended directory. The script generates a tar file with a symlink pointing to a parent directory, demonstrating arbitrary file write capabilities.

Classification: Working PoC (95%)
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: cpio (versions affected by CVE-2022-41352)
Authentication: none required
Prerequisites: Ability to execute cpio on the target system · Write access to a directory where the malicious tar can be extracted
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Zimbra Collaboration - Unrestricted File Upload
Critical · by rxerium
Shodan: http.favicon.hash:"1624375939" || http.html:"Zimbra Collaboration Suite Web Client"
FOFA: icon_hash="1624375939"

Scores

CVSS v3 9.8
EPSS 0.9396
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-10-20
VulnCheck KEV 2022-10-20
InTheWild.io 2022-10-06
ENISA EUVD EUVD-2022-44557
Ransomware Use Confirmed
CWE
CWE-22
Status published
Products (2)
synacor/zimbra_collaboration_suite 9.0.0 (28 CPE variants)
synacor/zimbra_collaboration_suite 8.8.15 (22 CPE variants)
Published Sep 26, 2022
KEV Added Oct 20, 2022
Tracked Since Feb 18, 2026