CVE-2019-9621
Published: 30 April 2019
Summary
CVE-2019-9621 is a high-severity SSRF (CWE-918) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 contains a server-side request forgery flaw in the ProxyServlet component, tracked as CVE-2019-9621 and classified as CWE-918. The vulnerability received a CVSS 3.1 score of 7.5, reflecting a network attack vector, low attack complexity, no required privileges or user interaction, and high confidentiality impact.
An unauthenticated attacker with network access can supply crafted requests to the ProxyServlet to induce the server into making arbitrary outbound connections, potentially disclosing sensitive internal resources or services that are otherwise unreachable.
Public references including the Zimbra advisory at blog.zimbra.com/2019/03/9826/ and multiple exploit disclosures on Packet Storm and Rapid7 explicitly direct administrators to apply the listed patches for remediation, while also documenting related proof-of-concept code for the SSRF vector.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-18992
Vulnerability details
Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.
- CWE(s): CWE-918
- KEV Date Added: 07 July 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-4 (Information Flow Enforcement): enforces rules that restrict the ProxyServlet from initiating arbitrary outbound connections to internal resources.
- SI-10 (Information Input Validation): requires validation of URL inputs supplied to ProxyServlet to block crafted SSRF requests.
- Access enforcement: restricts access so that unauthenticated users cannot invoke ProxyServlet functionality.
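The input-validation and information-flow controls above amount to one check on the proxy target before any outbound connection is made. The following is an added illustration in Python, not Zimbra's code and not the fixed ProxyServlet: it restricts the scheme, rejects userinfo tricks, requires the host to be on an allowlist, and then checks every address the host resolves to so that an allow-listed name cannot quietly point at an internal or link-local address. The allowlist and the DNS map are constructed so the example runs offline; a real deployment would resolve with socket.getaddrinfo and connect only to the validated addresses.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of hosts the proxy endpoint is permitted to reach.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com", "legacy.example.com"}

# Constructed stand-in for DNS so the example runs offline.
# legacy.example.com is allow-listed but resolves to a private address,
# which is why resolution must be checked and not just the hostname.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "cdn.example.com": ["93.184.216.35", "2606:2800:220:1:248:1893:25c8:1946"],
    "legacy.example.com": ["10.0.0.5"],
}


def is_public_address(addr):
    """True only for addresses routable on the public Internet."""
    ip = ipaddress.ip_address(addr)
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return False
    return ip.is_global


def validate_proxy_target(url, allowed_hosts=ALLOWED_HOSTS, resolver=FAKE_DNS):
    """Return (ok, reason). Only http(s) URLs to allow-listed hosts whose every
    resolved address is public pass; everything else is refused before connecting."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"          # e.g. unbalanced IPv6 brackets
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"       # blocks file://, gopher://, etc.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"     # blocks host@attacker confusion
    host = parts.hostname
    if not host:
        return False, "missing host"
    host = host.lower().rstrip(".")              # normalise case and trailing dot
    if host not in allowed_hosts:
        return False, "host not in allowlist"    # raw IP literals fail here too
    addrs = resolver.get(host, [])
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"
```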