

Zimbra, also known as the Zimbra Collaboration Suite (ZCS), is an open-source email suite with millions of users, designed to manage email and collaboration tools for enterprises and SMBs.

However, a zero-day remote code execution (RCE) vulnerability in Zimbra is being actively exploited, with no patch yet available.

The vulnerability stems from the way Zimbra’s antivirus engine (Amavis) scans inbound emails, specifically its use of the cpio utility to unpack archive attachments.


Further Details

The issue, identified as CVE-2022-41352, with a CVSS score of 9.8, can be exploited to plant a shell in the software’s root directory, enabling attackers to access a vulnerable system.

As explained by Rapid7, an attacker can exploit the vulnerability by emailing a .cpio, .tar, or .rpm file to an affected server. Amavis would next scan the message for malware and use the cpio file utility to extract its content.

As an example of the amount of damage this issue can potentially cause, once inside an attacker may be able to extract emails, tamper with user accounts, wipe information, or conduct Business Email Compromise (BEC) scams.

According to The Hacker News, several Linux distributions are affected, such as Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8. However, Ubuntu users should not have to worry, due to the fact that pax is already installed by default.

Mitigation Provided

Zimbra has acknowledged the vulnerability and says that a fix is being developed, without specifying an exact timeframe for that. In the meantime, users are being urged to install the pax package immediately. The company plans to make pax a requirement with the next Zimbra patch, which should address the issue completely.

If the pax package is not installed, Amavis falls back to using cpio. Unfortunately, that fall-back is implemented poorly (by Amavis) and allows an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot.
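The mitigation above boils down to one question an administrator can script: is pax present on the Zimbra host, so that Amavis never reaches the cpio fall-back? The check below is an added example, not code from the article or from Zimbra; it assumes the package is simply named `pax` on both dnf-based and apt-based systems, and that `/etc/os-release` carries the usual `ID` values (`rhel`, `centos`, `rocky`, `ol`, `ubuntu`, `debian`).

```shell
#!/bin/sh
# Added defender check (not from the article or from Zimbra): report whether
# pax is installed so that Amavis will not fall back to cpio, and print the
# install command for the local distribution.
# Assumptions: package name "pax" on dnf- and apt-based systems; os-release IDs as listed.

# has_tool NAME: succeed if NAME resolves to an executable on PATH.
has_tool() {
    command -v "$1" >/dev/null 2>&1
}

# install_hint DISTRO_ID: echo the install command for an /etc/os-release ID.
# The RHEL 8 family listed in the article maps to dnf; Ubuntu/Debian to apt-get.
install_hint() {
    case "$1" in
        rhel|centos|rocky|ol) echo "dnf install pax" ;;
        ubuntu|debian)        echo "apt-get install pax" ;;
        *)                    echo "install the pax package with your distribution's package manager" ;;
    esac
}

# distro_id: print the ID field from /etc/os-release, or "unknown" if unreadable.
# Sourced inside a command substitution so the file's variables stay out of our scope.
distro_id() {
    if [ -r /etc/os-release ]; then
        . /etc/os-release
        echo "${ID:-unknown}"
    else
        echo unknown
    fi
}

# pax_status: return 0 when pax is present, 1 when Amavis would fall back to cpio.
pax_status() {
    if has_tool pax; then
        echo "OK: pax found at $(command -v pax); Amavis will not fall back to cpio"
        return 0
    fi
    echo "WARNING: pax missing; Amavis will fall back to cpio (CVE-2022-41352 exposure)"
    echo "Remediation: $(install_hint "$(distro_id)")"
    return 1
}

# Run the check; the '|| :' keeps the script from aborting under 'set -e'
# so a monitoring wrapper can read the printed status.
pax_status || :
```

In a cron job or configuration-management check, call `pax_status` directly and act on its return code (non-zero means the host still relies on the cpio fall-back). Installing pax on a host that already has it is harmless, so the remediation line can also be applied unconditionally during patching.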



Author Profile

Mihaela Popa


Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.