Cyber Resilience

CVE-2020-7796

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 18 February 2020
Modified: 18 February 2026
KEV Added: 17 February 2026
Patch: 8.8.15 Patch 7
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9330 (99.8th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-7796 is a critical-severity server-side request forgery (SSRF, CWE-918) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of all CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Zimbra Collaboration Suite (ZCS) versions prior to 8.8.15 Patch 7 are affected by a server-side request forgery vulnerability (CWE-918) that manifests when the WebEx zimlet is installed and zimlet JSP functionality is enabled. The flaw carries a CVSS 3.1 score of 9.8, reflecting network-accessible attack vectors with low complexity and no required privileges or user interaction.

An unauthenticated remote attacker can supply crafted requests that cause the ZCS server to initiate outbound connections to attacker-chosen destinations. Because those connections originate from the mail server, they reach services that are not exposed to the internet but trust the server's network position, allowing the attacker to read internal resources, exfiltrate data, or perform actions with the server's privileges. Successful exploitation can result in full compromise of confidentiality, integrity, and availability of the affected system.

The official Zimbra 8.8.15 Patch 7 release notes document the fix for this issue. The vulnerability is also catalogued in CISA’s Known Exploited Vulnerabilities list, indicating confirmed in-the-wild exploitation.
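The three preconditions above (build older than 8.8.15 Patch 7, WebEx zimlet installed, zimlet JSP enabled) are what a triage check has to establish on a host. The following is an added example, not Zimbra's own tooling or anything from the advisory: it parses the kind of text that `zmcontrol -v`, `zmzimletctl listZimlets` and `zmprov gacf` print and decides whether the SSRF is reachable. The sample outputs are constructed, and the zimlet id `com_zimbra_webex`, the attribute name `zimbraZimletJspEnabled` and the exact wording of the command output are assumptions for the example; adjust the patterns to what your host actually prints.

```python
import re
from dataclasses import dataclass

# 8.8.15 Patch 7 is the fixed build named in the advisory text above.
FIXED_RELEASE = (8, 8, 15)
FIXED_PATCH = 7

# Constructed sample output for the example; the exact wording of the real
# commands is an assumption, so adjust the regexes to what your host prints.
SAMPLE_ZMCONTROL = (
    "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P6.\n"
)
SAMPLE_ZIMLETS = (
    "Installed Zimlet files on this host:\n"
    "  com_zimbra_date\n"
    "  com_zimbra_webex\n"
)
SAMPLE_GACF = "zimbraZimletJspEnabled: TRUE\n"

# Names assumed for the example (not stated in the advisory): the WebEx
# zimlet package id and the global-config attribute gating zimlet JSP.
WEBEX_ZIMLET = "com_zimbra_webex"
JSP_ATTR = "zimbraZimletJspEnabled"


@dataclass(frozen=True)
class ZcsVersion:
    release: tuple   # (major, minor, micro)
    patch: int       # 0 when the build reports no patch level


def parse_zmcontrol_version(text: str) -> ZcsVersion:
    """Extract 'Release X.Y.Z' and, if present for the same release, 'Patch X.Y.Z_PN'."""
    m = re.search(r"Release\s+(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Release field in zmcontrol -v output")
    release = tuple(int(x) for x in m.groups())
    patch = 0
    p = re.search(r"Patch\s+(\d+)\.(\d+)\.(\d+)_P(\d+)", text)
    if p and tuple(int(x) for x in p.groups()[:3]) == release:
        patch = int(p.group(4))
    return ZcsVersion(release, patch)


def version_is_vulnerable(v: ZcsVersion) -> bool:
    """True for any build older than 8.8.15 Patch 7 (8.8.15 with no patch level counts as older)."""
    return (v.release, v.patch) < (FIXED_RELEASE, FIXED_PATCH)


def webex_zimlet_installed(listing: str, name: str = WEBEX_ZIMLET) -> bool:
    return any(line.strip() == name for line in listing.splitlines())


def zimlet_jsp_enabled(gacf_output: str, attr: str = JSP_ATTR) -> bool:
    m = re.search(re.escape(attr) + r":\s*(\S+)", gacf_output)
    return m is not None and m.group(1).upper() == "TRUE"


def triage(zmcontrol_out: str, zimlet_listing: str, gacf_out: str) -> dict:
    """All three preconditions from the advisory must hold for the SSRF to be reachable."""
    v = parse_zmcontrol_version(zmcontrol_out)
    result = {
        "version": "%d.%d.%d_P%d" % (*v.release, v.patch),
        "version_vulnerable": version_is_vulnerable(v),
        "webex_zimlet_installed": webex_zimlet_installed(zimlet_listing),
        "zimlet_jsp_enabled": zimlet_jsp_enabled(gacf_out),
    }
    result["exploitable"] = (result["version_vulnerable"]
                             and result["webex_zimlet_installed"]
                             and result["zimlet_jsp_enabled"])
    return result


if __name__ == "__main__":
    for key, val in triage(SAMPLE_ZMCONTROL, SAMPLE_ZIMLETS, SAMPLE_GACF).items():
        print("%-24s %s" % (key, val))
```

Note that a vulnerable build with the zimlet removed or JSP disabled is reported as not exploitable but still `version_vulnerable`; treat that as a compensating control, not a fix, and still apply 8.8.15 Patch 7.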

Vulnerability details

Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.

CWE(s): CWE-918 (Server-Side Request Forgery)
KEV Date Added: 17 February 2026

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Synacor Zimbra Collaboration Suite, 8.8.15 and earlier (fixed in 8.8.15 Patch 7)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly blocks the crafted inputs that trigger the SSRF by enforcing validation of all server-side request parameters before any outbound connection is initiated.

AC-4 Information Flow Enforcement (prevent): Enforces explicit information-flow policies that would deny the unauthorized outbound requests the ZCS server is tricked into making to internal or external targets.

SC-7 Boundary Protection (prevent): Boundary-protection rules can restrict the ZCS server's ability to initiate arbitrary outbound connections, limiting the SSRF impact even if input validation fails.
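What SI-10 and AC-4 look like at the code level, for the attacker-controlled outbound request described in the analysis above, is an allowlist on where the server may connect, checked before the connection is made. The following is an added example and not Zimbra's or the WebEx zimlet's code: it shows the unchecked pattern the advisory describes beside a hardened guard. The `url` parameter name, the allowlisted hosts, and the offline resolver table (with one name deliberately resolving to an internal address) are assumptions constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Destinations this server legitimately needs to reach; assumed for the example.
ALLOWED_HOSTS = {"api.webex.com", "www.webex.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}

# Constructed resolver table so the example runs offline. The 10.0.0.5 entry
# models an allowlisted name that (via rebinding or poisoned DNS) points inside.
RESOLVER_TABLE = {
    "api.webex.com": ["1.2.3.4"],
    "www.webex.com": ["1.2.3.5", "10.0.0.5"],
}


def fake_resolve(host):
    return RESOLVER_TABLE.get(host, [])


class SsrfRejected(ValueError):
    pass


def vulnerable_target(params):
    # The pattern the advisory describes: whatever the client supplies is
    # fetched by the server, so an internal or attacker-chosen destination goes through.
    return params["url"]


def is_public_address(text):
    ip = ipaddress.ip_address(text)
    # is_global rejects RFC 1918, loopback, link-local (169.254.169.254),
    # shared address space and documentation ranges; multicast is excluded explicitly.
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url, resolve=fake_resolve):
    """SI-10 at the request boundary: return (host, port, ips) or raise SsrfRejected."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SsrfRejected("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise SsrfRejected("userinfo in URL")
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:
        raise SsrfRejected("host not in allowlist: %r" % host)
    try:
        port = parts.port or 443
    except ValueError:
        raise SsrfRejected("malformed port")
    if port not in ALLOWED_PORTS:
        raise SsrfRejected("port not allowed: %d" % port)
    ips = resolve(host)
    if not ips:
        raise SsrfRejected("host did not resolve")
    bad = [ip for ip in ips if not is_public_address(ip)]
    if bad:
        raise SsrfRejected("host resolves to non-public address %s" % bad[0])
    # Callers must connect to one of the returned IPs (not re-resolve) and
    # must not follow redirects automatically; otherwise a 302 from an
    # allowlisted host re-opens the hole.
    return host, port, ips


def hardened_target(params, resolve=fake_resolve):
    """Drop-in for vulnerable_target: same input, validated output."""
    return validate_outbound_url(params["url"], resolve)


def classify(url, resolve=fake_resolve):
    """Convenience for review/testing: 'allowed' or 'rejected: <reason>'."""
    try:
        validate_outbound_url(url, resolve)
        return "allowed"
    except SsrfRejected as e:
        return "rejected: %s" % e


if __name__ == "__main__":
    for u in ("https://api.webex.com/v1/meetings",
              "http://169.254.169.254/latest/meta-data/",
              "https://api.webex.com@10.0.0.1/",
              "https://www.webex.com/"):
        print("%-48s %s" % (u, classify(u)))
```

The guard is layered on purpose: the scheme, userinfo, host and port checks are the input validation (SI-10); the resolved-address check and the IP-pinning, no-redirect rule are the flow policy (AC-4). An egress firewall on the ZCS host (SC-7) should deny everything except the same allowlist, so that a bypass of the code-level check still has nowhere to go.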

References