Skip to main content
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

XXE in Synacor Zimbra Collaboration Suite mailboxd Autodiscover

IdentifiersCVE-2019-9670CWE-611· Improper Restriction of XML…

CVE-2019-9670 is an XML External Entity (XXE) injection vulnerability in the mailboxd component of Synacor Zimbra Collaboration Suite (ZCS) 8.7.x before 8.7.11p10. The issue is exposed via XML processing in the Autodiscover endpoint, as demonstrated by requests to Autodiscover/Autodiscover.xml. Improper restriction of external entity references allows attacker-supplied XML to be parsed with external entities enabled, which can cause the server to resolve attacker-controlled or local external resources during request processing.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow an unauthenticated remote attacker to abuse the vulnerable XML parser to read local files, trigger server-side requests to internal or external resources, and potentially leverage the condition toward arbitrary remote code execution, as reflected in the provided context. At minimum, the flaw can expose sensitive information from the Zimbra server and adjacent internal services; in operational use it has been cited as a high-severity initial access vector.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict or disable exposure of the Autodiscover/Autodiscover.xml endpoint from untrusted networks, place the service behind access controls or reverse-proxy filtering, and inspect/block malicious XML containing DOCTYPE declarations or external entity definitions. Limit outbound connectivity from the Zimbra server to reduce SSRF-style abuse, and monitor mailboxd and web access logs for suspicious Autodiscover requests containing crafted XML payloads.

Remediation

Patch, then assume compromise.

Upgrade Synacor Zimbra Collaboration Suite to 8.7.11 patch 10 or later. Apply the vendor-provided fix for mailboxd XML parsing in the Autodiscover functionality. If the environment is still running affected 8.7.x builds prior to 8.7.11p10, prioritize patching because the vulnerability is known exploited in the wild.
PUBLIC EXPLOITS

Exploits

2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 2 / 2 TOTALView more in app
Zimbra-RCEMaturityPoCVerified exploit

This repository contains a Python exploit script (zimbra.py) targeting Zimbra Collaboration Suite versions <= 8.7.0 and 8.7.11, exploiting CVE-2019-9670. The exploit leverages an XXE vulnerability in the Autodiscover servlet to extract low-privilege credentials, then uses SSRF via the ProxyServlet to escalate to admin privileges. With the admin token, it uploads an arbitrary file (such as a web shell) to the server, enabling remote code execution. The script requires the attacker to provide a target URL, a DTD file URL (for the XXE payload), a payload file, and a name for the uploaded file. The main code file is zimbra.py, which implements the full exploit chain. The README provides usage instructions and context. No framework is used; this is a standalone operational exploit.

attackgithubDisclosed Aug 16, 2019pythonnetwork
Zimbra-RCEMaturityPoCVerified exploit

This repository contains a Python exploit script (zimbra.py) targeting Zimbra Collaboration Suite versions <= 8.7.0 and 8.7.11, exploiting CVE-2019-9670. The exploit leverages an XXE vulnerability in the Autodiscover servlet to extract low-privilege credentials, then uses SSRF via the ProxyServlet to escalate privileges and obtain an admin token. With this token, it uploads an attacker-supplied file (such as a web shell) to the server using the clientUploader endpoint. The exploit is operational and requires the attacker to provide a DTD payload hosted at a reachable URL, the target Zimbra instance URL, and a file to upload. The README provides usage instructions and argument details. The main code is in zimbra.py, with LICENSE and README.md as supporting files. The exploit is not part of a framework and is a standalone operational exploit for remote code execution on vulnerable Zimbra servers.

rek7Disclosed Aug 16, 2019pythonnetwork
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
ZimbraZimbra Collaboration Suiteapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app
cyble blogNews
Feb 20, 2025
Threat Actor Profile: APT29 - Cyble

An XXE-related vulnerability in Synacor Zimbra Collaboration Suite that the content states APT29 exploited.

Read more
vulncheck blogNews
Feb 15, 2024
Reimagining How We Think About Threat Actors

A specific vulnerability (CVE-2019-9670) associated with exploitation or targeting by the Cozy Bear (APT29) threat actor.

Read more
vulncheck blogNews
Feb 15, 2024
Reimagining How We Think About Threat Actors

A specific vulnerability (CVE-2019-9670) associated with exploitation or targeting by the Cozy Bear (APT29) threat actor.

Read more
mitre attack websiteNews
Feb 1, 2022
APT29, IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke, SolarStorm, Blue Kitsune, UNC3524, Midnight Blizzard, Group G0016 | MITRE ATT&CK®

A vulnerability in Zimbra software that APT29 exploited to gain access.

Read more
+5 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence5

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2019-9670
NVD
nvd.nist.gov/vuln/detail/CVE-2019-9670
MITRE CWE · CWE-611
Improper Restriction of XML External Entity…
Vendor Advisory
wiki.zimbra.com/wiki/Zimbra_Security_Advisories
Third Party Advisory
packetstormsecurity.com/files/152487/Zimbra-Collaboration-Autodiscover-Servlet-XXE-ProxyServlet-SSRF.html
Third Party Advisory
rapid7.com/db/modules/exploit/linux/http/zimbra_xxe_rce
Third Party Advisory
isc.sans.edu/forums/diary/CVE20199670+Zimbra+Collaboration+Suite+XXE+vulnerability/27570
Third Party Advisory
exploit-db.com/exploits/46693
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9670