Unrated severity · CISA KEV · NVD Advisory · Published Aug 11, 2022 · Updated Oct 21, 2025
CVE-2022-37042
Description
Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.
Affected products
- Zimbra/Collaboration Suite
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html (mitre, x_refsource_MISC)
- wiki.zimbra.com/wiki/Security_Center (mitre, x_refsource_MISC)
- wiki.zimbra.com/wiki/Zimbra_Security_Advisories (mitre, x_refsource_MISC)