The popularity of Synacor Zimbra Collaboration Suite (ZCS) has made it a frequent target for cyberattacks, particularly those exploiting Server-Side Request Forgery (SSRF) vulnerabilities. SSRF flaws can allow attackers to manipulate the server into making unauthorized requests to internal or external systems, potentially exposing sensitive data or enabling further exploitation such as remote code execution (RCE). Today, CISA added CVE-2019-9621 (an SSRF vulnerability in ZCS) to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation.
Key Vulnerabilities Identified
CVE-2024-45518
This vulnerability affects the following ZCS versions:
- 10.1.x before 10.1.1
- 10.0.x before 10.0.9
- 9.0.0 before Patch 41
- 8.8.15 before Patch 46
Due to improper input sanitization and misconfigured domain whitelisting, authenticated users can craft malicious requests that the server forwards to internal services. If combined with other vulnerabilities, such as command injection or cross-site scripting (XSS), this flaw can lead to remote code execution. The impact includes unauthorized access to internal resources and a significant threat to the confidentiality, integrity, and availability of the system.
CVE-2025-25065
This SSRF vulnerability is present in the following ZCS versions:
- 9.0.0 before Patch 43
- 10.0.x before 10.0.12
- 10.1.x before 10.1.4
It occurs in the RSS feed parser: a crafted feed URL can make the server send its requests to internal network endpoints instead, exposing internal services to unauthorized access. The flaw is considered easy to exploit remotely.
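Both CVE-2024-45518 and CVE-2025-25065 come down to the same missing control: the server fetches a user-supplied URL without enforcing a strict host allowlist, without checking what the name resolves to, and without re-checking each redirect hop. The following Python is an added example of that control written from scratch; it is not Zimbra's code, and the allowlisted host, the resolver injection and the `fetch` callback shape are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real deployment loads this from config.
ALLOWED_HOSTS = {"feeds.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3


def validate_outbound_url(url: str, resolver=socket.getaddrinfo) -> str:
    """Return `url` if the server may fetch it, otherwise raise ValueError.

    `resolver` has the signature of socket.getaddrinfo and is injectable so the
    check can be exercised offline (see static_resolver below).
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in URL")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    # Allowlist by name first: IP literals, internal hostnames and lookalike
    # domains are all rejected here before any network activity happens.
    if host.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    # An allowlisted name can still resolve to an internal address (DNS rebinding,
    # compromised zone), so check every address the resolver returns.
    for *_, sockaddr in resolver(host, port, proto=socket.IPPROTO_TCP):
        if not ipaddress.ip_address(sockaddr[0]).is_global:
            raise ValueError(f"{host} resolves to non-global address {sockaddr[0]}")
    return url


def fetch_with_safe_redirects(url: str, fetch, resolver=socket.getaddrinfo) -> bytes:
    """Follow redirects manually, re-validating every hop.

    `fetch(url)` must return (status, location_or_None, body) and must NOT
    follow redirects itself; an HTTP client that follows them internally would
    skip the per-hop validation, which is how a feed parser ends up talking to
    internal endpoints.
    """
    for _ in range(MAX_REDIRECTS + 1):
        status, location, body = fetch(validate_outbound_url(url, resolver))
        if status not in (301, 302, 303, 307, 308):
            return body
        if not location:
            raise ValueError("redirect without Location header")
        url = location
    raise ValueError("too many redirects")


def static_resolver(ip: str):
    """Build a getaddrinfo-compatible resolver that always answers `ip` (offline tests)."""
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET

    def resolve(host, port, **_):
        return [(family, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", (ip, port))]

    return resolve
```

The order of checks matters: the name allowlist runs before resolution, so no DNS query is made for attacker-chosen names, and the resolved-address check catches the case where an allowed name is pointed at an internal range. Redirects are followed by hand because most HTTP client libraries follow them transparently, which silently bypasses any validation done on the original URL only.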
CVE-2019-9621
Affecting older versions of ZCS, this vulnerability is found in the ProxyServlet component:
- Versions before 8.6 patch 13
- 8.7.x before 8.7.11 patch 10
- 8.8.x before 8.8.10 patch 7 or 8.8.11 patch 3
CVE-2019-9621 allows unauthenticated attackers to perform SSRF attacks, potentially leading to data leaks or remote code execution. This vulnerability is particularly concerning due to its high likelihood of exploitation in the wild.
Attack Scenarios
SSRF vulnerabilities can be leveraged in several ways:
- Internal Service Access: Attackers may use SSRF to interact with internal services not intended for external exposure, such as databases or administrative interfaces.
- Chained Exploits: When combined with other vulnerabilities, SSRF can facilitate full system compromise.
- Email-Based Attacks: Some exploits have used crafted emails to trigger SSRF and subsequent command execution on vulnerable servers.
Mitigation and Best Practices
Patch Management
Zimbra has released patches to address these SSRF vulnerabilities. Administrators are strongly advised to update their ZCS installations to the latest secure versions as outlined in the relevant security advisories.
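Checking an inventory of installed versions against the fixed versions listed above is error-prone by hand because ZCS mixes point releases (10.0.x) with patch levels (9.0.0 Patch 41). The following Python is an added example, not a vendor tool: it transcribes the fixed versions given in this page for CVE-2024-45518 and CVE-2025-25065 and compares a version string against them. The two-component versions listed for CVE-2019-9621 (8.6, 8.7.x, 8.8.x with separate patch numbering) are deliberately left out of the table. The decision to treat anything older than the listed fix within the same branch as unpatched is an assumption made here.

```python
import re

# Fixed versions per (major, minor) branch, transcribed from the advisory text
# above. Tuples are (major, minor, micro, patch); a missing patch level counts as 0.
FIXED_IN = {
    "CVE-2024-45518": {
        (10, 1): (10, 1, 1, 0),
        (10, 0): (10, 0, 9, 0),
        (9, 0): (9, 0, 0, 41),
        (8, 8): (8, 8, 15, 46),
    },
    "CVE-2025-25065": {
        (10, 1): (10, 1, 4, 0),
        (10, 0): (10, 0, 12, 0),
        (9, 0): (9, 0, 0, 43),
    },
}

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*patch\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str):
    """'9.0.0 Patch 41' -> (9, 0, 0, 41); '10.1.1' -> (10, 1, 1, 0)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def assess(version_text: str, cve: str) -> str:
    """Return 'vulnerable', 'patched' or 'not listed' for one CVE.

    'not listed' means the version list on this page says nothing about the
    branch; it must be resolved against the vendor advisory, not read as safe.
    """
    version = parse_version(version_text)
    fixed = FIXED_IN[cve].get(version[:2])
    if fixed is None:
        return "not listed"
    # Assumption: anything older than the fix within the branch is unpatched.
    return "vulnerable" if version < fixed else "patched"


def assess_all(version_text: str) -> dict:
    """Assess one installed version against every CVE in the table."""
    return {cve: assess(version_text, cve) for cve in FIXED_IN}


if __name__ == "__main__":
    for v in ("10.1.0", "10.0.12", "9.0.0 Patch 41", "8.8.15 Patch 46"):
        print(v, assess_all(v))
```

The three-way result is the point: an 8.8.15 host comes back "not listed" for CVE-2025-25065 because this page gives no fixed version for that branch, and that gap should be escalated rather than silently counted as patched.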
Monitoring and Detection
Given that these vulnerabilities have been actively exploited and are listed in the CISA Known Exploited Vulnerabilities Catalog, organizations should monitor their Zimbra server logs for suspicious activity and signs of exploitation.
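A concrete form of that monitoring is to scan the web access log for requests whose URL-valued parameters point at a loopback, link-local, private or otherwise non-global address, or at a host the server has no business fetching from. The following Python is an added example, not part of this page or of Zimbra; the log lines are constructed, and the endpoint path `/service/proxy`, the parameter names `target`, `url` and `feed`, and the expected-host allowlist are assumptions to be replaced with values from the deployment being monitored.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Assumed names of request parameters that carry a server-side fetch target.
URL_PARAMS = {"target", "url", "feed"}
# Constructed allowlist of external hosts the server is expected to fetch from.
EXPECTED_HOSTS = {"feeds.example.com"}

# Combined-format access log: client, identd, user, [time], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; only the first request is a legitimate feed fetch.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /service/proxy?target=https://feeds.example.com/rss HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /service/proxy?target=http://127.0.0.1:8080/ HTTP/1.1" 200 812
198.51.100.9 - - [10/Jan/2025:10:00:03 +0000] "GET /service/proxy?target=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 403 0
198.51.100.9 - - [10/Jan/2025:10:00:04 +0000] "GET /mail?feed=http%3A%2F%2Fintranet.corp%2Fstatus HTTP/1.1" 200 300
203.0.113.7 - - [10/Jan/2025:10:00:05 +0000] "GET /zimbra/ HTTP/1.1" 200 1234
"""


def classify_target(target: str):
    """Return a reason string if `target` points somewhere suspicious, else None.

    Only absolute URLs are judged; scheme-less values are left alone so that
    ordinary parameter values such as 'rss' are not reported.
    """
    host = urlsplit(target).hostname
    if not host:
        return None
    try:
        addr = ip_address(host)
    except ValueError:
        # A hostname: suspicious unless it is one the server is expected to use.
        return None if host.lower() in EXPECTED_HOSTS else f"unexpected host {host}"
    # An IP literal: loopback, private, link-local (including cloud metadata
    # at 169.254.169.254), multicast and reserved ranges are all non-global.
    return None if addr.is_global else f"non-global address {addr}"


def scan(lines):
    """Return one finding per suspicious URL parameter seen in the log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = urlsplit(m["uri"])
        for param, values in parse_qs(uri.query).items():
            if param.lower() not in URL_PARAMS:
                continue
            for value in values:
                reason = classify_target(value)
                if reason:
                    findings.append({
                        "src": m["ip"], "time": m["ts"], "path": uri.path,
                        "param": param, "target": value,
                        "status": int(m["status"]), "reason": reason,
                    })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['src']} {f['path']} {f['param']}={f['target']}  <- {f['reason']}")
```

The response status is kept in each finding because a 200 on a request aimed at an internal address is a different conversation from a 403: the former suggests the request went through. Note that `parse_qs` percent-decodes the value, which is why the encoded `feed=` parameter in the sample is still caught.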