CVE-2022-37042

CVE Database · CVE-2022-37042

CVE-2022-37042

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

88.26%

Published

Aug 12, 2022

Modified

Nov 4, 2025

CISA Known Exploited Vulnerability

Added: 2022-08-11 · Due: 2022-09-01

Apply updates per vendor instructions.

Public PoC / Exploit (5)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index GitHub PoC0xf4n9x/CVE-2022-37042★29 GitHub PoCaels/CVE-2022-37042★19 GitHub PoCGreyNoise-Intelligence/Zimbra_CVE-2022-37042-_CVE-2022-27925★7

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-22CWE-22

Affected Products (61)

synacor · zimbra_collaboration_suitevulnerable