Cyber Resilience

CVE-2022-41352

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 26 September 2022
Modified: 03 November 2025
KEV Added: 20 October 2022
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9396 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-41352 is a critical-severity Path Traversal (CWE-22) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2022-41352 is a path traversal vulnerability in Zimbra Collaboration Suite (ZCS) versions 8.8.15 and 9.0 that stems from insufficient validation in the amavis component when handling archive extraction via cpio. An attacker can upload arbitrary files that are written to the publicly accessible directory /opt/zimbra/jetty/webapps/zimbra/public, enabling unauthorized access to other user accounts. The flaw is tracked under CWE-22 and carries a CVSS 3.1 score of 9.8.

An unauthenticated remote attacker can exploit the issue by sending a crafted archive through amavis; successful exploitation grants full read/write access to mailbox data and configuration files belonging to any account on the server. Because the vector requires no credentials or user interaction, the attack can be launched directly over the network.

Zimbra security advisories and the vendor wiki recommend replacing cpio with pax for archive handling; pax is listed among Ubuntu prerequisites and is automatically preferred by amavis once installed. On Red Hat and CentOS systems after version 6, administrators must explicitly install pax because it is no longer present in default installations.

Public references, including Packet Storm and SecPod reporting, document active in-the-wild exploitation of the unpatched flaw, and the associated EPSS score has remained above 0.93 with a recorded peak of 0.97, indicating sustained attacker interest after disclosure.

Vulnerability details

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.

CWE(s): CWE-22
KEV Date Added: 20 October 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Synacor
Product: Zimbra Collaboration Suite
Versions: 8.8.15, 9.0.0

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: Directly blocks the cpio-based path traversal by validating untrusted archive contents before extraction into the web root.

Prevent: Enforces replacement of cpio with pax (already a documented prerequisite on Ubuntu) so amavis never uses the vulnerable extractor.

Prevent: Requires prompt installation of pax and any Zimbra patches that eliminate the cpio extraction path for this CVE.
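As an added example (not code from this page or from Zimbra), a POSIX sh script with the checks an administrator would run against the controls above: it flags the ZCS versions the advisory lists, checks whether pax is installed, and compares the public web root named in the advisory against a clean baseline so files dropped there by abused extraction stand out. The version-prefix matching and the manifest path are assumptions.

```shell
#!/bin/sh
# Added example for CVE-2022-41352, not code from the advisory page or from
# Zimbra. Three checks a ZCS admin can run: is the installed version one the
# advisory lists, is pax (the recommended replacement for cpio) present, and
# has anything appeared in the public web root that amavis extraction could
# have been abused to write. Assumed: affected versions begin with "8.8.15" or
# "9.0.0" (any build suffix after that); the web root path is the advisory's.
ZIMBRA_PUBLIC=/opt/zimbra/jetty/webapps/zimbra/public

# 0 if $1 is a ZCS version the advisory lists as affected, else 1.
zcs_version_affected() {
    case "$1" in
        8.8.15*|9.0.0*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if pax is on PATH. Once it is, amavis prefers it over cpio automatically.
pax_installed() {
    command -v pax >/dev/null 2>&1
}

# Write a sorted manifest of every regular file under $1 to $2. Take it once
# on a known-clean install so later drop-ins stand out.
write_webroot_baseline() {
    (cd "$1" && find . -type f | sort) > "$2"
}

# Print files under $1 missing from manifest $2 (any output deserves review);
# return 2 if the directory does not exist.
new_files_in_webroot() {
    [ -d "$1" ] || return 2
    (cd "$1" && find . -type f | sort) | comm -23 - "$2"
}

# One-host report: $1 is the ZCS version string, $2 the baseline manifest.
report() {
    if zcs_version_affected "$1"; then echo "ZCS $1: listed as affected"
    else echo "ZCS $1: not listed as affected"; fi
    if pax_installed; then echo "pax: installed"
    else echo "pax: MISSING, install it so amavis stops extracting with cpio"; fi
    new_files_in_webroot "$ZIMBRA_PUBLIC" "$2" \
        | sed 's|^|unexpected file under public web root: |'
}

# Usage: sh zcs_check.sh --report 8.8.15 /var/lib/zcs-public-baseline.txt
if [ "${1:-}" = "--report" ]; then report "$2" "$3"; fi
```

Take the baseline manifest immediately after a clean install or patch, before the host is exposed, and keep it outside the web root.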
