Despite being exploited in attacks, a serious remote code execution vulnerability affecting the Zimbra Collaboration Suite remains unpatched.
The problem, tracked as CVE-2022-41352 (CVSS score of 9.8), lies in the cpio utility that the Zimbra antivirus engine (Amavis) uses when scanning inbound emails. Rapid7 says an attacker can take advantage of the flaw by emailing a .cpio, .tar, or .rpm file to a vulnerable server. “Amavis uses cpio to extract the file when it scans it for malware. The attacker can write to any path on the file system that the Zimbra user can access because cpio lacks a secure mode that allows it to be used on untrusted files,” according to Rapid7.
Although the most obvious use of CVE-2022-41352 is to write a shell into the web root and gain remote code execution, other exploitation paths are likely available as well.
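To make the cpio point concrete, here is an added example in Python (not code from the article, Rapid7 or Zimbra): it walks a cpio "newc" archive header by header without extracting anything and flags members whose names would land outside the extraction directory, the kind of pre-extraction check a mail gateway can apply to untrusted archives. The sample archive is constructed inside the block; the traversal and absolute-path entries are illustrative, not real payloads.

```python
import posixpath

NEWC_MAGIC = b"070701"   # SVR4 "newc" cpio header magic
HEADER_LEN = 110         # magic (6) + 13 fields of 8 ASCII hex digits

def newc_entry(name: str, data: bytes, mode: int = 0o100644) -> bytes:
    """Serialise one newc entry: header, NUL-terminated name, data, each padded to 4 bytes."""
    name_b = name.encode() + b"\0"
    # ino, mode, uid, gid, nlink, mtime, filesize, devmaj, devmin, rdevmaj, rdevmin, namesize, check
    fields = [1, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    body = NEWC_MAGIC + b"".join(b"%08x" % f for f in fields) + name_b
    body += b"\0" * (-len(body) % 4)
    return body + data + b"\0" * (-len(data) % 4)

def build_archive(entries) -> bytes:
    """entries: iterable of (name, data[, mode]); appends the mandatory TRAILER!!! record."""
    return b"".join(newc_entry(*e) for e in entries) + newc_entry("TRAILER!!!", b"")

def iter_newc(blob: bytes):
    """Walk the archive headers without extracting; yields (name, mode, size)."""
    off = 0
    while off + HEADER_LEN <= len(blob):
        if blob[off:off + 6] != NEWC_MAGIC:
            raise ValueError(f"not a newc cpio header at offset {off}")
        fields = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = fields[1], fields[6], fields[11]
        name = blob[off + HEADER_LEN:off + HEADER_LEN + namesize - 1].decode()
        if name == "TRAILER!!!":
            return
        yield name, mode, size
        off += HEADER_LEN + namesize
        off += -off % 4            # header + name are padded to a 4-byte boundary
        off += size + (-size % 4)  # and so is the file data

def is_unsafe_member(name: str, mode: int) -> bool:
    """True if extracting this member could touch a path outside the extraction directory."""
    if name.startswith("/"):                            # absolute path
        return True
    if posixpath.normpath(name).split("/")[0] == "..":  # climbs out via ../
        return True
    return (mode & 0o170000) == 0o120000                # symlink: later entries could write through it

def unsafe_members(blob: bytes):
    return [n for n, m, _ in iter_newc(blob) if is_unsafe_member(n, m)]

# Constructed sample archive: one benign file, one traversal entry, one absolute path.
SAMPLE = build_archive([
    ("docs/report.txt", b"quarterly numbers\n"),
    ("../../../home/zimbra/planted.txt", b"not a real payload\n"),
    ("/tmp/absolute.txt", b"x"),
])

if __name__ == "__main__":
    for name in unsafe_members(SAMPLE):
        print("REJECT:", name)
```

The same member-name check applies to tar archives (Python's tarfile exposes member names and link flags the same way), which covers the .tar and .rpm-wrapped cases the article mentions.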