CISA Warns of Zimbra Collaboration Suite (ZCS) Vulnerability Exploited in Attacks

The vulnerability, tracked as CVE-2019-9621, poses significant risks to organizations using the popular email and collaboration platform.

Key Takeaways

  • CISA alerts on an SSRF flaw (CVE-2019-9621) in Zimbra ZCS, actively exploited by attackers.
  • Flaw allows unauthorized access to sensitive internal or cloud data via ProxyServlet.
  • Urgent fixes or product discontinuation required by July 28, 2025.
  • Follow Zimbra advisories and CISA guidance to protect systems.

Vulnerability Details

The vulnerability centers on a Server-Side Request Forgery (SSRF) flaw within the ProxyServlet component of Zimbra Collaboration Suite (ZCS). This weakness allows attackers to trick the server into making unauthorized requests to internal or external systems—potentially exposing sensitive data and compromising network security.

It is classified under CWE-918 (SSRF) and CWE-807 (Untrusted Input in Security Decision), highlighting serious trust boundary violations.

CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on July 7, 2025, based on credible exploitation evidence in the wild.

Attack Surface

Through SSRF, attackers can craft requests that bypass security controls and access internal services. This can lead to:

  • Internal network scanning
  • Access to metadata services (especially risky in cloud setups)
  • Exposure of authentication tokens or backend configurations
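The outcomes listed above share one trait a defender can check for: a proxy endpoint being asked to fetch a loopback, private-range or cloud metadata address. The following is an added example, not code from Zimbra, CISA or the original article, that triages access-log lines for such requests; the endpoint path, the parameter name and the log format are assumptions chosen for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions, not taken from the advisory: endpoint path, destination
# parameter name and access-log format are hypothetical placeholders.
PROXY_PATH = "/proxy"
DEST_PARAM = "target"
METADATA_IP = ipaddress.ip_address("169.254.169.254")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify_destination(url):
    """Label the destination a proxy endpoint was asked to fetch."""
    host = ""
    try:
        host = urlsplit(url).hostname or ""
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: a name needs DNS resolution before judging.
        return "loopback" if host == "localhost" else "unresolved"
    if ip == METADATA_IP:
        return "cloud-metadata"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "internal-network"
    return "external"

def triage(log_lines):
    """Return (client, destination, label) for proxied internal requests."""
    findings = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        parts = urlsplit(match.group(1)) if match else None
        if parts is None or parts.path != PROXY_PATH:
            continue
        for dest in parse_qs(parts.query).get(DEST_PARAM, []):
            label = classify_destination(dest)
            if label in ("cloud-metadata", "loopback", "internal-network"):
                findings.append((line.split()[0], dest, label))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jul/2025:10:01:02 +0000] "GET /proxy?target=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 512',
    '203.0.113.7 - - [08/Jul/2025:10:01:09 +0000] "GET /proxy?target=http%3A%2F%2F10.0.0.5%3A8080%2Fstatus HTTP/1.1" 200 97',
    '198.51.100.4 - - [08/Jul/2025:10:02:30 +0000] "GET /proxy?target=https%3A%2F%2Fexample.org%2Ffeed.xml HTTP/1.1" 200 2048',
    '198.51.100.9 - - [08/Jul/2025:10:03:11 +0000] "GET /proxy?target=http%3A%2F%2F%5B%3A%3A1%5D%2F HTTP/1.1" 200 64',
]
```

Destinations labelled unresolved (hostnames and anything that is not an IP literal) are not flagged; resolve them before clearing a request, since a name can point at an internal address.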

Risk Summary

| Risk Factor | Details |
|---|---|
| Affected Products | Synacor Zimbra Collaboration Suite (ZCS) |
| Impact | Server-Side Request Forgery (SSRF) |
| Exploit Prerequisites | Attacker must be able to send crafted requests to ZCS ProxyServlet |
| CVSS 3.1 Score | 6.1 (Medium) |

Mitigation Steps

  • CISA requires mitigation or discontinuation of affected systems by July 28, 2025.
  • Apply vendor-provided patches or mitigations immediately.
  • Follow guidance in BOD 22-01 for securing cloud services.
  • If mitigation isn't feasible, discontinue use of the product.
  • Monitor Zimbra advisories and NVD (National Vulnerability Database).

Organizations must prioritize immediate assessment and remediation efforts to prevent potential compromise from this actively exploited vulnerability.