Authentication Bypass in MailboxImportServlet vulnerability

Zimbra 8.8.15 patch 33 and Zimbra 9.0.0 patch 26 contain an important security update that fixes an authentication bypass in MailboxImportServlet (CVE-2022-37042 and CVE-2022-27925).

If you are running a Zimbra version that is older than Zimbra 8.8.15 patch 33 or Zimbra 9.0.0 patch 26 you should update to the latest patch as soon as possible.

More information about the specific patch can be found at:

You can also check our security center page for the updates on vulnerabilities and its corresponding fixes:

8 Responses to Authentication Bypass in MailboxImportServlet vulnerability

  1. Ivan August 12, 2022 at 9:50 AM #


    I quick question, for those of us that had 8.8.15 P31 installed (fixed the original CVE-2022-27925 categorized as Medium), are we safe from this security issue or we also need to patch as soon as possible?

    • Avatar photo
      Barry de Graaff August 16, 2022 at 12:01 AM #

      Please update to the latest patch to apply all security fixes, thanks!

  2. Geert Hendrickx August 13, 2022 at 12:56 AM #

    One should wonder why most of the /opt/zimbra tree is owned – and thus writable – by the zimbra user by default.

    If /opt/zimbra/jetty/webapps/zimbra/public (and the files in it) were owned by root, the impact of this exploit would have been much less, as an attacker then couldn’t write any files that he can execute remotely.

    As a best practice, only logs, databases, and other runtime data (like jetty workdir) should be owned by the service user, and everything else, in particular executables, owned by root.

    Can Zimbra please reconsider this ?

    • Avatar photo
      Barry de Graaff August 16, 2022 at 12:11 AM #

      Thanks for the feedback, I agree we should consider this, and I have filed your request via ticket ZBUG-2975.

  3. Marcelo Gomes August 19, 2022 at 9:45 AM #


    After applying this patch, older versions of Outlook (2010 and earlier), stopped authenticating via POP3 SSL and IMAP SSL

    Is there any alternative?

    • Avatar photo
      Barry de Graaff August 22, 2022 at 1:53 AM #

      Hello Marcelo,

      This is probably due to the update of Java to version 17, where some out-of-date TLS algorithms have been disabled. Please open a support case to find out what can be done to enable legacy client support.

      Thanks, Barry

  4. Javier Fernández Aller October 24, 2022 at 8:01 AM #

    Hello, I would like to know what is the relation between GA version or build and patch.

    For example, My server is (“NAME” “Zimbra” “VERSION” “8.8.15_GA_4372” “RELEASE” “20220726082327”)

    What patch have in my server? 32? 33? 34?
    Is my server afected by the vulnerability CVE-2022-38465?
    Exist any table or feed to get this informacion?
    Thank you so much.

    • Avatar photo
      Barry de Graaff October 24, 2022 at 11:10 PM #

      To find the current patch level you can run from the command line:

      sudo su zimbra -
      zmcontrol -v

      Example output:

      Release 9.0.0_GA_3924.RHEL7_64_20200331010312 RHEL7_64 NETWORK edition, Patch 9.0.0_P27.

      The entire string before Patch is set when you first ran the installer to install Zimbra OR when you did a major version upgrade (8.x to 9.x for example). So the first part does not change that often.

Copyright © 2022 Zimbra, Inc. All rights reserved.

All information contained in this blog is intended for informational purposes only. Synacor, Inc. is not responsible or liable in any manner for the use or misuse of any technical content provided herein. No specific or implied warranty is provided in association with the information or application of the information provided herein, including, but not limited to, use, misuse or distribution of such information by any user. The user assumes any and all risk pertaining to the use or distribution in any form of any subject matter contained in this blog.

Legal Information | Privacy Policy | Do Not Sell My Personal Information | CCPA Disclosures