What the Vuln: Zimbra

Watch the inaugural episode of our What the Vuln livestream series as we examine Zimbra Zip Path Traversal vulnerabilities, CVE-2022-27925 and CVE-2022-37042.

Imagine that your organization’s web-based communication platform is vulnerable to hackers...can this give them access to sensitive information? And is this an entry point that can be used to conduct more damaging exploitation operations in the long run? If the answer is yes (and it likely is), watch as we explore path traversal vulnerabilities in Zimbra, a web-based email, calendar, and collaboration suite in action since 2005.

In this inaugural episode of our What the Vuln series, Carlos Yanez, Security Consultant III zeros-in on CVE-2022-37042 and CVE-2022-27925, exploring the perils of remote code execution on web-based communications technology. We deep dive into Zimbra Zip Path Traversal vulnerability and hear about unique exploit development techniques from start to finish.

Watch the first-ever What the Vuln livestream episode to hear from our security expert on:  

  • A Zimbra vulnerability discovery overview
  • A step-by-step demo of the exploit development in action
  • How to apply exploitation techniques to other vulnerabilities
Headshot BF Carlos Yanez

About the author, Carlos Yanez

Carlos Yanez (CISSP, OSWE, OSCP, GWAPT, CNVP) is a Senior Security Consultant at Bishop Fox. His focus areas include web application assessments, cloud penetration tests, as well as mobile devices penetration tests. Prior to joining Bishop Fox, he worked on multiple e-commerce platforms as a Penetration Tester and spent years as a Web Developer and Systems Administrator. When AFK, he enjoys spending time with family and friends as well as learning new things and playing guitar.

More by Carlos
Dan Petro Headshot

About the author, Dan Petro

Senior Security Engineer

As a senior security engineer for the Bishop Fox Capability Development team, Dan builds hacker tools, focusing on attack surface discovery. Dan has extensive experience with application penetration testing (static and dynamic), product security reviews, network penetration testing (external and internal), and cryptographic analysis. He has presented at several Black Hats and DEF CONs on topics such as hacking smart safes, hijacking Google Chromecasts, and weaponizing AI. Dan holds both a Bachelor of Science and a Master of Science in Computer Science from Arizona State University.

More by Dan

Extend Your Knowledge

Check out these related resources.

Black background with purple and teal neon letters title: What the Vuln, EDR BYPAS W. LOLBINS.
Livestream

What the Vuln: EDR Bypass with LoLBins

Watch the second episode of our What the Vuln livestream series as we explore how to bypass endpoint detection and response (EDR) with native Windows binaries to gain advanced post-exploitation control.

Learn More
What The Vuln Zimbra episode on CVE-202227925 & CVE 2022-37042 with headshot of speaker.
Tech

Feb 21, 2023

What the Vuln: Zimbra

By Carlos Yanez

Tool Talk Episode 9 webcast title in neon letters on dark background with Matt Keeley and Joe Sechman headshots presenting the security tool Spoofy.
Webcast

Tool Talk: Spoofy

Watch to explore Spoofy, a domain spoofing tool that checks whether a list of domains (in bulk) can be spoofed based on SPF and DMARC records.

Learn More

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.