In August 2022, CISA added CVE-2022-37042 to its Known Exploited Vulnerabilities catalog, flagging active exploitation of a critical authentication bypass in Zimbra Collaboration Suite. The vulnerability, when chained with a previously disclosed directory traversal bug (CVE-2022-27925), allowed unauthenticated remote code execution on Zimbra email servers. Researchers at Volexity found that over 1,000 Zimbra instances worldwide had already been compromised with web shells by the time the advisory was published.
Zimbra in the Wild
Zimbra Collaboration Suite is an email and collaboration platform used by over 200,000 organizations, including government agencies, educational institutions, and businesses. It's particularly popular in regions and organizations where Microsoft Exchange or Google Workspace isn't adopted — either due to cost, licensing, sovereignty requirements, or preference for open-source solutions.
Zimbra servers handle email, calendars, contacts, and file storage. They contain the same sensitive data as any email server: internal communications, business negotiations, personal information, attachments with contracts and financial data, and credentials shared via email (which, despite everyone knowing better, still happens constantly).
The Vulnerability Chain
CVE-2022-37042 is an authentication bypass that allows access to authenticated functionality without valid credentials. By itself, it provides access to certain Zimbra endpoints that should require authentication. But when combined with CVE-2022-27925 — a directory traversal vulnerability in the mboximport endpoint — the chain enables unauthenticated remote code execution.
Here's how the attack worked:
Step 1: The attacker sends a request to the mboximport endpoint, which normally requires authentication to import mailbox data.
Step 2: CVE-2022-37042 bypasses the authentication requirement, allowing the request to proceed without valid credentials.
Step 3: The mboximport functionality includes a file upload capability. CVE-2022-27925 allows the attacker to control the destination path, traversing outside the intended import directory.
Step 4: The attacker uploads a JSP web shell to Zimbra's web root directory.
Step 5: The attacker accesses the web shell through Zimbra's web interface, gaining persistent remote command execution on the server.
The entire chain could be automated and executed in seconds. No credentials, no user interaction, no complex exploit development.
The Scale of Compromise
Volexity's research, published in August 2022, revealed the extent of the damage:
- Over 1,000 Zimbra instances worldwide had been compromised
- Web shells were found on servers belonging to government agencies, military organizations, and corporations
- Some compromises dated back weeks or months before the advisory
- Many compromised servers showed evidence of email data exfiltration
The geographic distribution was global, with significant clusters in Asia, Europe, and North America. The attackers appeared to be conducting broad, opportunistic scanning followed by selective exploitation of high-value targets.
Post-Compromise Activity
Once attackers had web shell access, the observed activities included:
Email harvesting: Attackers used the web shell to access the Zimbra mailstore directly, exfiltrating emails from targeted mailboxes. This is the primary objective in espionage-motivated attacks.
Credential theft: Zimbra stores LDAP credentials and mail account passwords. Compromised servers provided access to authentication credentials that could be used for lateral movement.
Persistent access: Multiple web shells were deployed to ensure continued access even if one was discovered. Some attackers also created new admin accounts within Zimbra itself.
Proxy/relay usage: Compromised Zimbra servers were used as proxies for further attacks, masking the attacker's true origin.
The Patch Gap
CVE-2022-27925, the directory traversal component, was patched in Zimbra 8.8.15 Patch 31 and 9.0.0 Patch 24, released in May 2022. However, the advisory described it as requiring authentication to exploit, so many organizations deprioritized the patch. CVE-2022-37042, the authentication bypass that made CVE-2022-27925 exploitable without credentials, wasn't patched until later.
This created a dangerous window where:
- Organizations that patched promptly in May were protected (even without knowing about the auth bypass)
- Organizations that deprioritized the patch because it "required authentication" were fully exposed when the auth bypass was chained
The lesson is clear: any vulnerability in an internet-facing service should be treated with urgency, regardless of whether it appears to require authentication. Authentication bypasses are commonly found alongside authenticated vulnerabilities, and the chain is always worse than the sum of its parts.
Why Email Servers Are Prime Targets
Email servers remain among the highest-value targets for both nation-state actors and cybercriminals:
Data richness: Email contains everything — business strategy, legal communications, personal data, financial records, and intellectual property. Compromising an email server is often equivalent to compromising the entire organization's communications.
Internet exposure: Email servers must accept connections from the internet. Unlike internal applications that can be hidden behind VPNs, email servers have to be reachable.
Complex software: Email servers like Zimbra, Exchange, and GroupWise are complex applications with large codebases, numerous features, and extensive attack surfaces.
Persistence of access: Unlike a compromised workstation that might be reimaged, a compromised email server continues receiving new, valuable data as long as the compromise is maintained.
Lessons for Email Server Security
1. Patch Email Servers Immediately
Every patch for an internet-facing email server should be treated as critical, regardless of the stated severity. The gap between "authenticated only" and "unauthenticated" is often just one additional CVE.
2. Monitor for Web Shells
Regular scans of the web root directories for unexpected files — particularly JSP, ASPX, or PHP files with recent timestamps — can detect post-exploitation artifacts. File integrity monitoring on these directories provides real-time detection.
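The baseline-and-diff scan described above, as an added example (not code from the original post or from Zimbra): it hashes every server-side script under a web root, then reports files that are new or changed, falling back to the weaker recent-timestamp heuristic when no baseline exists. The web-root layout, file names and the 24-hour window in `demo()` are constructed assumptions.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path
SCRIPT_EXTENSIONS = {".jsp", ".jspx", ".aspx", ".php"}  # script types a dropped web shell would use

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def script_files(web_root):
    """Yield (posix-relative path, Path) for every script file under web_root."""
    root = Path(web_root)
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTENSIONS:
            yield p.relative_to(root).as_posix(), p

def build_baseline(web_root):
    """Snapshot the hash of every script; take it right after a clean install or patch."""
    return {rel: sha256_of(p) for rel, p in script_files(web_root)}

def scan_web_root(web_root, baseline=None, recent_seconds=86400, now=None):
    """Report scripts new or changed vs. the baseline, or recently written when no baseline exists."""
    now = time.time() if now is None else now
    findings = []
    for rel, p in script_files(web_root):
        if baseline is None:
            if now - p.stat().st_mtime < recent_seconds:
                findings.append((rel, "recently written"))
        elif rel not in baseline:
            findings.append((rel, "not in baseline"))
        elif baseline[rel] != sha256_of(p):
            findings.append((rel, "content changed"))
    return findings

def demo():
    """Constructed scenario: a clean root with one month-old JSP, then a new JSP dropped into it."""
    root = tempfile.mkdtemp()
    legit = Path(root, "zimbra", "index.jsp")  # placeholder name, not a real Zimbra file
    legit.parent.mkdir()
    legit.write_text("<%-- legitimate page --%>")
    os.utime(legit, (time.time() - 30 * 86400,) * 2)  # backdate atime/mtime by 30 days
    baseline = build_baseline(root)
    Path(root, "zimbra", "dropped.jsp").write_text("<%-- unexpected file --%>")
    return scan_web_root(root, baseline), scan_web_root(root)
```

Run `build_baseline()` once after patching and keep the result off the server; the timestamp-only mode is a stopgap for hosts where no baseline was ever taken.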
3. Implement Network-Level Protections
WAF rules can detect and block common web shell upload patterns and directory traversal sequences. Rate limiting on authentication endpoints can slow brute-force and exploitation attempts.
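One such traversal detection run over access-log lines, as an added example (not the post's or any WAF vendor's rules): it decodes each request target twice so single- and double-URL-encoded `..` sequences both surface, and ranks hits against the mailbox-import endpoint higher because that is the chain the post describes. The log lines, IP addresses and the `/service/mboximport` path are constructed placeholders, not Zimbra's real route.

```python
import re
from urllib.parse import unquote

# Constructed access-log sample in common log format. The "/service/mboximport" path is a
# placeholder for the endpoint the post names, not Zimbra's real route.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2022:10:01:12 +0000] "POST /service/mboximport?account-name=alice HTTP/1.1" 200 512
203.0.113.5 - - [10/Aug/2022:10:01:13 +0000] "POST /service/mboximport?account-name=..%2F..%2F..%2Fpublic HTTP/1.1" 200 512
198.51.100.7 - - [10/Aug/2022:10:02:40 +0000] "GET /zimbra/ HTTP/1.1" 200 8192
203.0.113.5 - - [10/Aug/2022:10:03:01 +0000] "GET /zimbra/..%2f..%2fconfig HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# ".." bounded by start or a delimiter on the left and "/" or end on the right, after decoding.
TRAVERSAL_RE = re.compile(r'(?:^|[/=&?;])\.\.(?:/|$)')

def normalize(target):
    """Decode twice so single- and double-encoded sequences surface; fold backslashes to '/'."""
    return unquote(unquote(target)).replace("\\", "/")

def has_traversal(target):
    return TRAVERSAL_RE.search(normalize(target)) is not None

def classify(line):
    """Return a finding dict for a log line that carries a traversal sequence, else None."""
    m = LOG_RE.match(line)
    if not m or not has_traversal(m.group("target")):
        return None
    path = normalize(m.group("target")).split("?", 1)[0]
    # Traversal aimed at the import endpoint is the chain the post describes, so rank it higher.
    severity = "high" if "mboximport" in path else "medium"
    return {"src": m.group("src"), "ts": m.group("ts"), "status": m.group("status"),
            "rule": "directory traversal", "severity": severity, "target": m.group("target")}

def detect(log_text):
    """Run classify() over every line and keep the hits, in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f]
```

A 200 response on a traversal request is the case worth paging on; a 404 still shows someone probing the host.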
4. Consider Email as a Service
Self-hosted email servers carry inherent risk. Organizations that lack the resources to patch, monitor, and secure email infrastructure should seriously consider cloud-hosted alternatives where the provider handles security updates.
How Safeguard.sh Helps
Safeguard.sh provides the visibility needed to protect email infrastructure and other internet-facing services:
- Vulnerability Chain Detection: Safeguard.sh identifies not just individual CVEs but also known exploit chains, ensuring that seemingly moderate vulnerabilities are properly prioritized when they can be combined for greater impact.
- Internet-Facing Service Monitoring: Safeguard.sh tracks the exposure of services like Zimbra, alerting you when critical patches are available for internet-facing components.
- Software Composition Analysis: By analyzing the components within Zimbra and similar platforms, Safeguard.sh identifies vulnerabilities at every layer, from the application to its underlying libraries.
- Continuous Compliance: Safeguard.sh helps maintain the security posture of email infrastructure, providing evidence of patching and monitoring for regulatory compliance.
CVE-2022-37042 showed how a chain of vulnerabilities can turn an email server into an open door. Safeguard.sh ensures every link in that chain is visible and addressed.