title: Zimbra Collaboration Suite Email Server Unauthenticated RCE
id: dd218fb6-4d02-42dc-85f0-a0a376072efd
status: experimental
description: Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection
references:
    - https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/
    - https://www.yang99.top/index.php/archives/82/
    - https://github.com/vnhacker1337/CVE-2022-27925-PoC
author: '@gott_cyber'
date: 2022/08/17
modified: 2023/01/02
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2022.27925
logsource:
    category: webserver
detection:
    selection_servlet:
        cs-method: 'POST'
        cs-uri-query|contains: '/service/extension/backup/mboximport\?'
        cs-uri-query|contains|all:
            - 'account-name'
            - 'ow'
            - 'no-switch'
            - 'append'
        sc-status:
            - 401
            - 200
    selection_shell:
        cs-uri-query|contains: '/zimbraAdmin/'
        cs-uri-query|endswith: '.jsp'
        sc-status|contains: '200'
    condition: selection_servlet or selection_shell
falsepositives:
    - Unknown
level: medium