CVE-2022-37042: 
Zimbra Collaboration Server vulnerability analysis and mitigation

Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 contains a critical authentication bypass vulnerability (CVE-2022-37042) in the mboximport functionality. This vulnerability exists because of an incomplete fix for CVE-2022-27925, allowing an unauthenticated attacker to upload arbitrary files to the system, leading to directory traversal and remote code execution (NVD, Volexity).

The vulnerability exists in the MailboxImportServlet function, which receives and extracts files from ZIP archives. The authentication check in the code sets an error message but lacks a return statement, allowing subsequent code execution regardless of authentication status. This enables attackers to bypass authentication and upload malicious files by sending specially crafted requests to the mboximport endpoint (Volexity). The vulnerability has a CVSS v3.1 base score of 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability allows attackers to gain unauthorized access to ZCS instances and upload arbitrary files, potentially leading to remote code execution. Research identified over 1,000 compromised ZCS instances worldwide, affecting government departments, military branches, and businesses of various sizes. The compromised systems could expose sensitive email data and allow attackers to maintain persistent access through webshells (Volexity).

Zimbra has patched the vulnerability in versions 9.0.0P26 and 8.8.15P33. Organizations running ZCS should immediately upgrade to these or newer versions. If systems were not patched before the end of May 2022, they should be considered potentially compromised and undergo thorough security analysis, including memory acquisition, log inspection, and examination of the Zimbra users directory for webshells (Volexity).

The vulnerability was added to CISA's Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch by September 1, 2022. Security researchers highlighted the severity of the vulnerability, particularly due to its unauthenticated nature and widespread exploitation (NVD).