Authentication Bypass in MailboxImportServlet vulnerability

Zimbra 8.8.15 patch 33 and Zimbra 9.0.0 patch 26 contain an important security update that fixes an authentication bypass in MailboxImportServlet (CVE-2022-37042 and CVE-2022-27925).

If you are running a Zimbra version older than Zimbra 8.8.15 patch 33 or Zimbra 9.0.0 patch 26, you should update to the latest patch as soon as possible.

More information about the specific patch can be found at:

You can also check our security center page for updates on vulnerabilities and their corresponding fixes:

6 Responses to Authentication Bypass in MailboxImportServlet vulnerability

  1. Ivan August 12, 2022 at 9:50 AM #


    A quick question, for those of us that had 8.8.15 P31 installed (fixed the original CVE-2022-27925 categorized as Medium), are we safe from this security issue or do we also need to patch as soon as possible?

    • Barry de Graaff August 16, 2022 at 12:01 AM #

      Please update to the latest patch to apply all security fixes, thanks!

  2. Geert Hendrickx August 13, 2022 at 12:56 AM #

    One should wonder why most of the /opt/zimbra tree is owned – and thus writable – by the zimbra user by default.

    If /opt/zimbra/jetty/webapps/zimbra/public (and the files in it) were owned by root, the impact of this exploit would have been much less, as an attacker then couldn’t write any files that he can execute remotely.

    As a best practice, only logs, databases, and other runtime data (like jetty workdir) should be owned by the service user, and everything else, in particular executables, owned by root.

    Can Zimbra please reconsider this?

    • Barry de Graaff August 16, 2022 at 12:11 AM #

      Thanks for the feedback, I agree we should consider this, and I have filed your request via ticket ZBUG-2975.
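
The ownership concern raised in the comment above can be checked on a given host. The following audit is an added example, not part of the original post, its comments or Zimbra's own tooling; the function name, the output format and the `zimbra` group name in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: list paths under a web root that a service account can modify.
# The path and account name in the usage line come from the comment above;
# the function name, output format and group name are assumptions.

# audit_webroot DIR USER GROUP
#   USER and GROUP may be names or numeric IDs.
#   Prints one "reason<TAB>path" line per finding.
#   Returns 0 when clean, 1 when findings exist, 2 on bad input.
audit_webroot() {
    dir=$1 user=$2 group=$3
    if [ ! -d "$dir" ] || [ -z "$user" ] || [ -z "$group" ]; then
        echo "usage: audit_webroot DIR USER GROUP" >&2
        return 2
    fi
    out=$(
        # Owned by the service account: it can rewrite or chmod these freely.
        find "$dir" -user "$user" -exec printf 'owner\t%s\n' {} \;
        # Group-writable and in the group of the service account.
        # Symlinks are skipped because their mode bits are always 777.
        find "$dir" ! -user "$user" -group "$group" -perm -0020 ! -type l \
            -exec printf 'group-writable\t%s\n' {} \;
        # World-writable: any local account can write, the service one included.
        find "$dir" ! -user "$user" -perm -0002 ! -type l \
            -exec printf 'world-writable\t%s\n' {} \;
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage on a Zimbra host (run as root so every subdirectory is readable):
#   audit_webroot /opt/zimbra/jetty/webapps/zimbra/public zimbra zimbra
```

A non-empty result means code running as the service account can place or alter files that the web server will serve from that directory.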

  3. Marcelo Gomes August 19, 2022 at 9:45 AM #


    After applying this patch, older versions of Outlook (2010 and earlier) stopped authenticating via POP3 SSL and IMAP SSL.

    Is there any alternative?

    • Barry de Graaff August 22, 2022 at 1:53 AM #

      Hello Marcelo,

      This is probably due to the update of Java to version 17, where some out-of-date TLS algorithms have been disabled. Please open a support case to find out what can be done to enable legacy client support.

      Thanks, Barry


Copyright © 2022 Zimbra, Inc. All rights reserved.
