Mallory

Severity: High · CISA KEV · Exploited in the wild · Public exploit

SSRF in Zimbra Collaboration Suite ProxyServlet

Identifiers: CVE-2019-9621 · CWE-918 (Server-Side Request Forgery, SSRF)

CVE-2019-9621 is a server-side request forgery vulnerability in the ProxyServlet component of Zimbra Collaboration Suite (ZCS). It affects ZCS before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or before 8.8.11 patch 3. The flaw allows a remote attacker to cause the Zimbra server to initiate arbitrary requests to internal or external resources through ProxyServlet. Public reporting and vendor references identify the issue specifically as SSRF in ProxyServlet; the provided content does not include lower-level implementation details beyond that component attribution.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to use the vulnerable Zimbra server as a proxy to reach attacker-chosen internal or external endpoints. The primary impact described in the available sources is confidentiality exposure, including access to sensitive internal resources or data that would not normally be directly reachable by the attacker. The issue may also facilitate further compromise by enabling reconnaissance of internal services and serving as part of a broader exploit chain; reporting in the provided content notes observed exploitation of Zimbra flaws including CVE-2019-9621 to obtain initial access, drop web shells, and support follow-on activity.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict network access to the vulnerable ProxyServlet endpoint as much as operationally feasible, especially from untrusted networks. Apply compensating controls such as reverse-proxy or WAF rules to limit access patterns that can reach ProxyServlet, and constrain the Zimbra server’s outbound connectivity to prevent requests to sensitive internal networks and unnecessary external destinations. Monitor logs for suspicious ProxyServlet access and SSRF-like request patterns, and scan exposed Zimbra instances to confirm exposure and patch status.
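One way to implement the log review this paragraph calls for, as an added example that is not code from the Mallory page or from Zimbra: it scans constructed access-log lines for ProxyServlet requests whose target resolves to loopback, private or link-local address space, or to a host outside an allow-list. It assumes the servlet is reached at /service/proxy with the destination in a target query parameter and that the log is in the common combined format; both are assumptions to adjust to your deployment.

```python
# Added example (not from the Mallory page or Zimbra): flag ProxyServlet requests
# whose proxied target points at internal address space or an unlisted host.
# Assumption: ProxyServlet answers at /service/proxy and reads the destination from
# a "target" query parameter; adjust PROXY_PATH/ALLOWED_TARGET_HOSTS to your site.
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

PROXY_PATH = "/service/proxy"
ALLOWED_TARGET_HOSTS = {"calendar.example.com"}  # constructed allow-list

# Combined log format: src ident user [ts] "METHOD uri PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_target(target: str) -> str:
    """Label a proxied destination: loopback, internal, external-ip, allowed, unlisted-host, malformed."""
    host = urlparse(target).hostname  # strips port and IPv6 brackets, lowercases names
    if host is None:
        return "malformed"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name rather than a literal address
        if host == "localhost" or host.endswith(".localhost"):
            return "loopback"
        return "allowed" if host in ALLOWED_TARGET_HOSTS else "unlisted-host"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:  # RFC 1918, 169.254/16 (cloud metadata), ULA, fe80::
        return "internal"
    return "external-ip"

def scan_log(lines):
    """Return (src, target, label) for every ProxyServlet request that is not on the allow-list."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = urlparse(m.group("uri"))
        if parsed.path != PROXY_PATH:
            continue
        targets = parse_qs(parsed.query).get("target", [])  # parse_qs percent-decodes values
        if not targets:
            findings.append((m.group("src"), "", "missing-target"))
        for t in targets:
            label = classify_target(t)
            if label != "allowed":
                findings.append((m.group("src"), t, label))
    return findings

SAMPLE_LOG = [  # constructed sample lines; addresses are documentation ranges
    '203.0.113.5 - - [06/May/2019:10:01:02 +0000] "GET /service/proxy?target=https%3A%2F%2Flocalhost%3A7071%2F HTTP/1.1" 200 512',
    '203.0.113.5 - - [06/May/2019:10:01:03 +0000] "GET /service/proxy?target=http%3A%2F%2F10.0.0.12%2F HTTP/1.1" 200 88',
    '198.51.100.7 - - [06/May/2019:10:02:00 +0000] "GET /service/proxy?target=https%3A%2F%2Fcalendar.example.com%2Ffeed.ics HTTP/1.1" 200 2048',
    '198.51.100.9 - - [06/May/2019:10:03:00 +0000] "GET /service/proxy HTTP/1.1" 400 0',
    '198.51.100.9 - - [06/May/2019:10:03:01 +0000] "GET /service/soap HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for src, target, label in scan_log(SAMPLE_LOG):
        print(f"{label:<14} src={src} target={target!r}")
```

Targets written as bare hostnames or with unusual IP encodings come back as unlisted-host, so review that bucket by hand rather than treating it as benign.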

Remediation

Patch, then assume compromise.

Upgrade Zimbra Collaboration Suite to a fixed release: 8.6 patch 13 or later, 8.7.11 patch 10 or later for the 8.7.x branch, and 8.8.10 patch 7 or later or 8.8.11 patch 3 or later for the 8.8.x branch, as applicable. After upgrading, verify the deployed version, validate normal mail/proxy functionality, and review vendor security advisories and Bugzilla guidance referenced by Zimbra. Because the vulnerability is listed in CISA KEV with evidence of active exploitation, remediation should be prioritized.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

VALID 1 / 2 TOTAL
Zimbra Exploit · Maturity: PoC · Framework: metasploit · Verified exploit

This repository contains two main exploit implementations for CVE-2019-9621 and CVE-2019-9670, targeting Zimbra Collaboration Suite versions 8.5 to 8.7.11 (potentially up to <8.8.11). The exploits leverage an XXE vulnerability in the Autodiscover servlet to extract sensitive configuration (including LDAP credentials), then use those credentials to authenticate and escalate privileges via SSRF to the admin interface. Finally, a JSP webshell is uploaded to the server, granting remote code execution.

The repository includes:

- Zimbra_Rce.py: A standalone Python script that automates the full exploit chain, from XXE to webshell upload and access.
- Zimbra_msf.rb: A Metasploit module implementing the same attack chain, allowing for customizable payloads and integration with the Metasploit framework.
- zimbra.dtd: A DTD file used in the XXE attack to extract sensitive configuration files.
- README.md: Brief documentation and references.

The main attack vector is network-based, requiring access to the Zimbra web interface. The exploit is weaponized, with both standalone and framework-based implementations, and results in remote code execution on the target server. Multiple HTTP endpoints are targeted throughout the attack chain, and the exploit is highly effective against vulnerable Zimbra installations.

Author: k8gege · Disclosed May 6, 2019 · Languages: python, ruby · Vector: network
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor: Zimbra · Product: Zimbra Collaboration Suite · Type: application

Vendor-confirmed product mapping.

