CVE-2020-7796
Published: 18 February 2020
Summary
CVE-2020-7796 is a critical-severity SSRF (CWE-918) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Zimbra Collaboration Suite (ZCS) versions prior to 8.8.15 Patch 7 are affected by a server-side request forgery vulnerability (CWE-918) that manifests when the WebEx zimlet is installed and zimlet JSP functionality is enabled. The flaw carries a CVSS 3.1 score of 9.8, reflecting network-accessible attack vectors with low complexity and no required privileges or user interaction.
An unauthenticated remote attacker can supply crafted requests that cause the ZCS server to initiate arbitrary outbound connections, potentially reaching internal resources, exfiltrating data, or performing actions on the attacker’s behalf with the server’s privileges. Successful exploitation can result in full compromise of confidentiality, integrity, and availability of the affected system.
The official Zimbra 8.8.15 Patch 7 release notes document the fix for this issue. The vulnerability is also catalogued in CISA’s Known Exploited Vulnerabilities list, indicating confirmed in-the-wild exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-28728
Vulnerability details
Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.
- CWE(s): CWE-918 (Server-Side Request Forgery)
- KEV Date Added: 17 February 2026
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly blocks the crafted inputs that trigger the SSRF by enforcing validation of all server-side request parameters before any outbound connection is initiated.
- AC-4 (Information Flow Enforcement): enforces explicit information-flow policies that deny the unauthorized outbound requests the ZCS server is tricked into making to internal or external targets.
- SC-7 (Boundary Protection): boundary-protection rules can restrict the ZCS server's ability to initiate arbitrary outbound connections, limiting the SSRF impact even if input validation fails.
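The SI-10 and AC-4 controls above come down to one check in code: a server-side component that fetches URLs on behalf of a client must validate the destination before opening a socket. The following is an added illustration of that check, written for this page; it is not Zimbra's code and not the WebEx zimlet's fix. It assumes a hypothetical allow-list of integration hostnames (the `.invalid` name is a placeholder) and takes a resolver callback so that the DNS-rebinding guard can be exercised offline with constructed answers.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allow-list of hosts the integration is permitted to contact.
# Real deployments would load this from configuration, not hard-code it.
ALLOWED_HOSTS = {"api.example-meeting-service.invalid"}
ALLOWED_SCHEMES = {"https"}


def _is_public(ip_text):
    """True only for globally routable unicast addresses (v4 or v6)."""
    addr = ipaddress.ip_address(ip_text)
    return not (
        addr.is_private
        or addr.is_loopback
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def _system_resolver(host):
    """Default resolver: every address the OS resolver returns for host."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=None):
    """Decide whether a server-side fetch of `url` may proceed.

    Returns (ok, reason). The order matters: cheap syntactic checks first,
    then the allow-list, then a resolution check so that an allow-listed
    name cannot be pointed at an internal address (DNS rebinding).
    """
    resolver = resolver or _system_resolver
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    # user@host forms are a classic way to make a URL look allow-listed.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL is not permitted"

    host = parts.hostname  # already lower-cased and bracket-stripped
    if not host:
        return False, "missing host"
    if host not in allowed_hosts:
        return False, f"host not on allow-list: {host}"

    try:
        addrs = resolver(host)
    except (socket.gaierror, OSError):
        return False, f"could not resolve {host}"
    if not addrs:
        return False, f"no addresses for {host}"
    for ip_text in addrs:
        if not _is_public(ip_text):
            return False, f"{host} resolves to non-public address {ip_text}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver answers so the demo runs without network access.
    fake_dns = {"api.example-meeting-service.invalid": ["198.100.0.25"]}
    samples = [
        "https://api.example-meeting-service.invalid/join?id=1",
        "http://api.example-meeting-service.invalid/",
        "https://127.0.0.1/",
        "https://169.254.169.254/latest/",
        "https://api.example-meeting-service.invalid@127.0.0.1/",
    ]
    for sample in samples:
        print(sample, "->", validate_outbound_url(sample, resolver=lambda h: fake_dns.get(h, [])))
```

The resolution step is the part most implementations skip: an allow-list alone lets an attacker who controls the DNS of an allow-listed name redirect the fetch inward. Pinning the connection to the validated address (rather than resolving a second time inside the HTTP client) closes the remaining gap; that is a property of the HTTP client configuration and is outside this snippet.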