
Zimbra ZCS - Remote Code Execution (CVE-2022-27925, CVE-2022-37042)

Severity (CVSSv3 Score): 9.8
Exploitable with Sniper: Yes
Vulnerability description

Zimbra is affected by an authentication bypass and an arbitrary file upload vulnerability that together enable a directory traversal attack, in which an attacker uploads a ZIP archive containing a webshell file. The root cause of both vulnerabilities lies in the mboximport functionality. Although this was initially classified as an authenticated vulnerability, requiring an administrative session to upload the ZIP file, an authentication bypass was later discovered that turns the combined issue into unauthenticated remote code execution. Affected versions are 8.8.15 and 9.0.

Exploit capabilities

Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.

Risk description

The risk exists that a remote unauthenticated attacker can fully compromise the Zimbra server to steal confidential information, install ransomware, or pivot to the internal network.

Recommendation

Upgrade the Zimbra server to the latest version.

Detectable with: Network Scanner
Vuln date: Apr 2022
Published at:
Updated at:
Software Type: Email server
Vendor: Synacor
Product: Zimbra Collaboration Software
Codename: Not available