Cyber Resilience

CVE-2019-9621

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 30 April 2019

Modified: 04 November 2025
KEV Added: 07 July 2025
Patch: available
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.9411 (99.9th percentile)
Risk Priority: 91 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-9621 is a high-severity SSRF (CWE-918) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 contains a server-side request forgery flaw in the ProxyServlet component, tracked as CVE-2019-9621 and classified as CWE-918. The vulnerability received a CVSS 3.1 base score of 7.5, reflecting a network attack vector, low attack complexity, no required privileges or user interaction, and high confidentiality impact (no integrity or availability impact).

An unauthenticated attacker with network access can supply crafted requests to the ProxyServlet to induce the server into making arbitrary outbound connections, potentially disclosing sensitive internal resources or services that are otherwise unreachable.

Public references, including the Zimbra advisory at blog.zimbra.com/2019/03/9826/ and multiple exploit disclosures on Packet Storm and Rapid7, explicitly direct administrators to apply the listed patches for remediation, while also documenting proof-of-concept code for the SSRF vector.

Vulnerability details

Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.

CWE(s): CWE-918 (Server-Side Request Forgery)
KEV Date Added: 07 July 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Synacor
Product: Zimbra Collaboration Suite
Versions: 8.6.0, 8.7.11, 8.8.10, 8.8.11, 8.8.9
Version ranges: ≤ 8.6.0; 8.7.0 to 8.7.11; 8.8.0 to 8.8.9

Mitigating Controls (NIST 800-53 r5)

Prevent (AC-4, Information Flow Enforcement): enforces rules that restrict the ProxyServlet from initiating arbitrary outbound connections to internal resources.

Prevent (SI-10, Information Input Validation): requires validation of URL inputs supplied to ProxyServlet to block crafted SSRF requests.

Prevent: enforces access restrictions so unauthenticated users cannot invoke ProxyServlet functionality.
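As an added example (not code from this page, from Zimbra, or from Synacor), the following Python validator shows what the SI-10 and AC-4 style controls above look like for a generic server-side proxy endpoint: only allow-listed schemes and hosts are accepted, credentials in the URL and non-standard ports are rejected, and a target is refused if any address it resolves to falls in a private, loopback, link-local, multicast, reserved or unspecified range. The validated address is returned so the caller can connect to it directly (pinning) rather than resolving the name a second time. The allow-list, the hostnames and the resolver table are constructed assumptions that stand in for real DNS so the code runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allow-list: the proxy may only fetch from these hosts/schemes.
ALLOWED_HOSTS = {"feeds.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}

# Constructed resolver table standing in for DNS (addresses are sample values).
# cdn.example.com deliberately has one record inside a private range to show
# that a single internal answer is enough to refuse the whole target.
FAKE_DNS = {
    "feeds.example.com": ["51.15.22.33"],
    "cdn.example.com": ["77.88.55.66", "10.0.0.5"],
}


def resolve(host):
    """Offline stand-in for DNS resolution; returns a list of address strings."""
    return FAKE_DNS.get(host, [])


def is_public(ip_text):
    """True only for addresses outside every non-routable/special range."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_proxy_target(url, resolver=resolve):
    """Return (allowed, reason, pinned_ip) for a proxy request URL.

    Checks run in order: parse, scheme allow-list, no userinfo, host present
    and allow-listed, port allow-list, then every resolved address public.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return (False, "unparseable", None)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return (False, "scheme", None)
    if parts.username is not None or parts.password is not None:
        return (False, "userinfo", None)
    host = parts.hostname
    if not host:
        return (False, "no host", None)
    host = host.lower()
    # Exact match on the allow-list: IP literals and look-alike names such as
    # feeds.example.com.attacker.test are rejected here.
    if host not in ALLOWED_HOSTS:
        return (False, "host not allowed", None)
    try:
        port = parts.port
    except ValueError:
        return (False, "bad port", None)
    if port not in ALLOWED_PORTS:
        return (False, "port", None)
    addrs = resolver(host)
    if not addrs:
        return (False, "unresolved", None)
    if not all(is_public(a) for a in addrs):
        return (False, "resolves to non-public address", None)
    # Pin the first validated address; the caller should connect to it rather
    # than re-resolving the hostname, which would reopen a rebinding window.
    return (True, "ok", addrs[0])


if __name__ == "__main__":
    for candidate in ("https://feeds.example.com/rss",
                      "http://127.0.0.1:7071/",
                      "https://cdn.example.com/x",
                      "https://user@feeds.example.com/"):
        print(candidate, "->", validate_proxy_target(candidate))
```

The two checks that matter most for SSRF are the host allow-list (a deny-list of internal addresses is easy to bypass with alternative encodings or redirects) and resolving before connecting so that a name that points inside the perimeter is refused even though the name itself looks external. Any redirect the upstream returns must be run through the same validator before it is followed.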

References