CVE-2022-27924

High · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 21 April 2022

Modified: 31 October 2025
KEV Added: 04 August 2022
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.9070 (99.6th percentile)
Risk Priority: 89 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-27924 is a high-severity Injection (CWE-74) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Zimbra Collaboration (ZCS) versions 8.8.15 and 9.0 contain a vulnerability that permits injection of arbitrary memcache commands. The flaw stems from insufficient escaping of these commands, which allows an attacker to overwrite arbitrary entries in the cache. It is classified under CWE-74 and carries a CVSS 3.1 score of 7.5.

An unauthenticated remote attacker can send crafted requests that reach the memcache layer directly. Successful exploitation results in modification of cached data without any authentication or user interaction, affecting the integrity of the targeted Zimbra instance.

Zimbra has published security advisories and patched releases, including 9.0.0 P24, on its official wiki pages that detail the affected components and available updates. The current EPSS score of 0.9070 with a recorded peak of 0.9195 indicates sustained exploitation interest after disclosure.

Vulnerability details

Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands become unescaped, causing an overwrite of arbitrary cached entries.

CWE(s): CWE-74
KEV Date Added: 04 August 2022

Related Threats

Threat-Actor Attribution (AI)

Cl0p
CISA KEV lists CVE-2022-27924 as ransomware-used; public reporting (Mandiant, Unit 42) attributes mass exploitation of this Zimbra memcache flaw to Cl0p/TA505 campaigns.

Affected Assets

Vendor: synacor
Product: zimbra collaboration suite
Versions: 8.8.15, 9.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Requires validation and sanitization of all input to block unescaped memcache command injection that overwrites cached entries.

Prevent: Enforces access-control decisions so that unauthenticated network requests cannot reach or modify the memcache layer.

Prevent: Enforces information-flow policies between external requests and internal cache stores, stopping unauthorized command injection.
