XXE in Synacor Zimbra Collaboration Suite mailboxd Autodiscover
CVE-2019-9670 is an XML External Entity (XXE) injection vulnerability in the mailboxd component of Synacor Zimbra Collaboration Suite (ZCS) 8.7.x before 8.7.11p10. The issue is exposed via the Autodiscover endpoint, as demonstrated by requests to Autodiscover/Autodiscover.xml. A vulnerable server improperly restricts XML external entity references during XML parsing, allowing attacker-supplied XML to be processed with external entities enabled.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a Python exploit script (zimbra.py) targeting Zimbra Collaboration Suite versions <= 8.7.0 and 8.7.11, exploiting CVE-2019-9670. The exploit leverages an XXE vulnerability in the Autodiscover servlet to extract low-privilege credentials, then uses SSRF via the ProxyServlet to escalate to admin privileges. With the admin token, it uploads an arbitrary file (such as a web shell) to the server, enabling remote code execution. The script requires the attacker to provide a target URL, a DTD file URL (for the XXE payload), a payload file, and a name for the uploaded file. The main code file is zimbra.py, which implements the full exploit chain. The README provides usage instructions and context. No framework is used; this is a standalone operational exploit.
This repository contains a Python exploit script (zimbra.py) targeting Zimbra Collaboration Suite versions <= 8.7.0 and 8.7.11, exploiting CVE-2019-9670. The exploit leverages an XXE vulnerability in the Autodiscover servlet to extract low-privilege credentials, then uses SSRF via the ProxyServlet to escalate privileges and obtain an admin token. With this token, it uploads an attacker-supplied file (such as a web shell) to the server using the clientUploader endpoint. The exploit is operational and requires the attacker to provide a DTD payload hosted at a reachable URL, the target Zimbra instance URL, and a file to upload. The README provides usage instructions and argument details. The main code is in zimbra.py, with LICENSE and README.md as supporting files. The exploit is not part of a framework and is a standalone operational exploit for remote code execution on vulnerable Zimbra servers.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An XXE-related vulnerability in Synacor Zimbra Collaboration Suite that the content states APT29 exploited.
A specific vulnerability (CVE-2019-9670) associated with exploitation or targeting by the Cozy Bear (APT29) threat actor.
A specific vulnerability (CVE-2019-9670) associated with exploitation or targeting by the Cozy Bear (APT29) threat actor.
A known Zimbra vulnerability exploited by Earth Lusca to gain access to public-facing servers.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.