Cyber Resilience

CVE-2019-9670

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 29 May 2019
Modified: 04 November 2025
KEV Added: 10 January 2022
CVSS Score: v3.1 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9440 (100.0th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-9670 is a critical-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is an XML External Entity injection (XXE) flaw, tracked as CWE-611, affecting the mailboxd component in Synacor Zimbra Collaboration Suite versions 8.7.x prior to 8.7.11p10. It is demonstrated through the Autodiscover/Autodiscover.xml endpoint and carries a CVSS 3.1 base score of 9.8.

An unauthenticated attacker with network access can supply malicious XML to the Autodiscover servlet, enabling arbitrary file disclosure, server-side request forgery, or further code execution on the affected server. Public exploit code and a Metasploit module have been published that chain the XXE into remote command execution.

Zimbra security advisories and the associated bug report direct administrators to upgrade to version 8.7.11p10 or later; the SANS Internet Storm Center diary also references the vendor patch as the primary remediation.

Public exploit modules and detailed technical write-ups appeared shortly after disclosure, confirming that the issue is readily exploitable in default installations.

EU & UK References

Vulnerability details

mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.

CWE(s): CWE-611
KEV Date Added: 10 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

synacor
zimbra collaboration suite
8.7.11 · 8.7.0 — 8.7.11

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 (Information Input Validation)

Directly blocks the malicious XML supplied to Autodiscover.xml by enforcing validation that rejects external entity declarations (CWE-611).

prevent: SI-2 (Flaw Remediation)

Requires prompt application of the vendor patch (8.7.11p10+) that eliminates the XXE flaw in mailboxd.

prevent

Boundary-protection rules can restrict unauthenticated network access to the Autodiscover servlet, reducing the attack surface before malicious XML is processed.
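As an added example of the SI-10 input-validation control above (not code from this page or from Zimbra), a DTD-refusing parser for an Autodiscover-style request body, written in Python against the standard-library expat bindings. It goes slightly beyond the control text by refusing any DOCTYPE, entity declaration or external entity reference, which covers the external entity declarations the control names; the request shape and element names are assumed, and both sample bodies are constructed.

```python
from xml.parsers import expat

class DtdRejected(ValueError):
    """Raised when a request body carries a DOCTYPE, entity declaration or external reference."""

# Constructed sample: a benign Autodiscover-style request (element names assumed, namespaces omitted).
BENIGN_REQUEST = """<?xml version="1.0" encoding="utf-8"?>
<Autodiscover>
  <Request><EMailAddress>user@example.com</EMailAddress></Request>
</Autodiscover>
"""

# Constructed sample: the same request with a DTD declaring an external entity (the CWE-611 shape).
# The SYSTEM identifier is a placeholder; the gate refuses the document before anything is resolved.
DTD_REQUEST = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE Autodiscover [ <!ENTITY ext SYSTEM "file:///placeholder-never-resolved"> ]>
<Autodiscover><Request><EMailAddress>&ext;</EMailAddress></Request></Autodiscover>
"""

def parse_autodiscover(body: str) -> dict:
    """Parse with an expat parser that refuses any DTD; return leaf element text keyed by tag."""
    parser = expat.ParserCreate()
    # Never process parameter entities, so no external DTD subset can be pulled in either.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    def reject(*args):  # args[0] is the DOCTYPE or entity name, or the entity context string
        raise DtdRejected(f"DTD construct not accepted: {args[0]!r}")
    # Any DOCTYPE, entity declaration or external entity reference aborts the parse.
    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject
    fields, text = {}, []
    parser.StartElementHandler = lambda tag, attrs: text.clear()
    parser.CharacterDataHandler = text.append  # expat may deliver text in several chunks
    def end(tag):
        value = "".join(text).strip()
        if value:
            fields[tag] = value
        text.clear()
    parser.EndElementHandler = end
    parser.Parse(body, True)
    return fields

def is_accepted(body: str) -> bool:
    """Input-validation gate: True only if the body parses without any DTD construct."""
    try:
        parse_autodiscover(body)
        return True
    except (DtdRejected, expat.ExpatError):
        return False
```

The gate runs before any application logic touches the body, so a rejected request is logged and dropped rather than parsed.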

References