CVE-2019-9670
Published: 29 May 2019
Summary
CVE-2019-9670 is a critical-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is an XML External Entity injection (XXE) flaw, tracked as CWE-611, affecting the mailboxd component in Synacor Zimbra Collaboration Suite versions 8.7.x prior to 8.7.11p10. It is demonstrated through the Autodiscover/Autodiscover.xml endpoint and carries a CVSS 3.1 base score of 9.8.
An unauthenticated attacker with network access can supply malicious XML to the Autodiscover servlet, enabling arbitrary file disclosure, server-side request forgery, or further code execution on the affected server. Public exploit code and a Metasploit module have been published that chain the XXE into remote command execution.
Zimbra security advisories and the associated bug report direct administrators to upgrade to version 8.7.11p10 or later; the SANS Internet Storm Center diary also references the vendor patch as the primary remediation.
Public exploit modules and detailed technical write-ups appeared shortly after disclosure, confirming that the issue is readily exploitable in default installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19036
Vulnerability details
mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.
- CWE(s): CWE-611 (Improper Restriction of XML External Entity Reference)
- KEV Date Added: 10 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): Directly blocks the malicious XML supplied to Autodiscover.xml by enforcing validation that rejects external entity declarations (CWE-611).
SI-2 (Flaw Remediation): Requires prompt application of the vendor patch (8.7.11p10+) that eliminates the XXE flaw in mailboxd.
SC-7 (Boundary Protection): Boundary-protection rules can restrict unauthenticated network access to the Autodiscover servlet, reducing the attack surface before malicious XML is processed.
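The SI-10 control above amounts to refusing any Autodiscover request whose prolog declares a DTD or an entity. The following is an added example of that check, written for this page and not taken from Zimbra's mailboxd code; it assumes a simplified Autodiscover request format (the EMailAddress element under Request) and uses constructed sample documents with a placeholder file path.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Assumed request namespace for the simplified Autodiscover request shape used here.
NS = "{http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006}"


class UnsafeXml(ValueError):
    """Raised when a document carries a DOCTYPE or entity declaration."""


def assert_no_dtd(data: bytes) -> None:
    """Reject any document that declares a DTD or an entity (CWE-611 input validation).

    Uses expat's declaration callbacks instead of a regex so the decision is made by
    the XML tokenizer itself, after it has handled the document's encoding."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE {name!r} rejected (sysid={sysid!r})")

    def on_entity(name, *_):
        raise UnsafeXml(f"entity declaration {name!r} rejected")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)  # UnsafeXml from the handlers, ExpatError if malformed


def parse_autodiscover_request(data: bytes) -> str:
    """Validate first, then parse and return the EMailAddress the request asks about."""
    assert_no_dtd(data)
    root = ET.fromstring(data)
    addr = root.find(f"{NS}Request/{NS}EMailAddress")
    if addr is None or not addr.text:
        raise ValueError("no EMailAddress in request")
    return addr.text.strip()


def check_request(data: bytes) -> tuple:
    """Return (accepted, detail) so a gateway or servlet filter can log the decision."""
    try:
        return True, parse_autodiscover_request(data)
    except UnsafeXml as e:
        return False, str(e)
    except (ET.ParseError, expat.ExpatError, ValueError) as e:
        return False, f"malformed request: {e}"


# Constructed samples, not captured traffic. The second one declares an external
# entity in the prolog; the check rejects the whole document before any entity resolves.
BENIGN = b"""<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request><EMailAddress>user@example.com</EMailAddress></Request>
</Autodiscover>"""
WITH_DTD = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE Autodiscover [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request><EMailAddress>&ext;</EMailAddress></Request>
</Autodiscover>"""

if __name__ == "__main__":
    for sample in (BENIGN, WITH_DTD):
        print(check_request(sample))
```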