
What the Vuln: Zimbra

Watch the inaugural episode of our What the Vuln livestream series as we examine Zimbra Zip Path Traversal vulnerabilities, CVE-2022-27925 and CVE-2022-37042.

Imagine that your organization’s web-based communication platform is vulnerable to attackers. Can this give them access to sensitive information? And is this an entry point that can be used to conduct more damaging exploitation operations in the long run? If the answer is yes (and it likely is), watch as we explore path traversal vulnerabilities in Zimbra, a web-based email, calendar, and collaboration suite in use since 2005.

In this inaugural episode of our What the Vuln series, Carlos Yanez, Security Consultant III, zeroes in on CVE-2022-37042 and CVE-2022-27925, exploring the perils of remote code execution on web-based communications technology. We take a deep dive into the Zimbra Zip Path Traversal vulnerability and hear about unique exploit development techniques from start to finish.

Watch the first-ever What the Vuln livestream episode to hear from our security expert on:  

  • A Zimbra vulnerability discovery overview
  • A step-by-step demo of the exploit development in action
  • How to apply exploitation techniques to other vulnerabilities


About the author, Carlos Yanez

Carlos Yanez (CISSP, OSWE, OSCP, GWAPT, CNVP) is a Senior Security Consultant at Bishop Fox. His focus areas include web application assessments, cloud penetration tests, and mobile device penetration tests. Prior to joining Bishop Fox, he worked on multiple e-commerce platforms as a Penetration Tester and spent years as a Web Developer and Systems Administrator. When AFK, he enjoys spending time with family and friends, learning new things, and playing guitar.


About the author, Dan Petro

Senior Security Engineer

As a senior security engineer on the Bishop Fox Capability Development team, Dan builds hacker tools, focusing on attack surface discovery. Dan has extensive experience with application penetration testing (static and dynamic), product security reviews, network penetration testing (external and internal), and cryptographic analysis. He has presented at several Black Hat and DEF CON conferences on topics such as hacking smart safes, hijacking Google Chromecasts, and weaponizing AI. Dan holds both a Bachelor of Science and a Master of Science in Computer Science from Arizona State University.
