Key Takeaway
CVE-2020-7796 is an unauthenticated SSRF vulnerability in Synacor Zimbra Collaboration Suite, triggered when the WebEx zimlet is installed and zimlet JSP processing is enabled. Attackers can force the Zimbra server to issue arbitrary internal HTTP requests, enabling access to backend services and cloud metadata endpoints. CISA has added this to its Known Exploited Vulnerabilities catalog with a federal remediation deadline of March 10, 2026.
CVE-2020-7796: Zimbra Collaboration Suite SSRF via WebEx Zimlet
Affected Product: Synacor Zimbra Collaboration Suite (ZCS) — all versions with the WebEx zimlet installed and zimlet JSP execution enabled.
Vulnerability Overview
CVE-2020-7796 is a server-side request forgery (SSRF) vulnerability in Synacor's Zimbra Collaboration Suite. The flaw exists specifically when two conditions are met: the WebEx zimlet is installed, and zimlet JSP (JavaServer Pages) processing is enabled on the server.
An unauthenticated remote attacker can send a crafted HTTP request to the Zimbra server that causes it to issue arbitrary outbound HTTP requests on the attacker's behalf. Because those requests originate from the Zimbra server itself — a trusted host within most enterprise network architectures — they can reach internal services, administrative interfaces, and cloud metadata endpoints that are not directly accessible from the public internet.
- Vulnerability type: Server-Side Request Forgery (SSRF)
- Attack vector: Network
- Authentication required: None
- User interaction required: None
SSRF vulnerabilities of this class are particularly damaging in cloud-hosted environments. Attackers can target instance metadata services — such as AWS IMDSv1 at http://169.254.169.254/ — to extract IAM credentials, instance identity documents, and other sensitive configuration data. In on-premises deployments, attackers can pivot from the Zimbra server to internal APIs, administrative dashboards, database management interfaces, and other backend systems that rely on network-layer trust rather than explicit authentication.
Real-World Impact
Zimbra Collaboration Suite is widely deployed across government agencies, healthcare organizations, financial institutions, and enterprises as a full-featured email and collaboration platform. Its attack surface is well-documented, and the platform has been targeted by multiple nation-state actors in prior campaigns, including groups attributed to China, Russia, and Iran.
This specific vulnerability requires no credentials to exploit. An attacker who can reach the Zimbra web interface over HTTPS — standard for any internet-facing deployment — can immediately attempt to abuse the WebEx zimlet's JSP processing to forge internal requests. Organizations that have deployed Zimbra in hybrid or cloud environments face the highest risk of credential theft via metadata service abuse.
CISA has added CVE-2020-7796 to its Known Exploited Vulnerabilities (KEV) catalog and mandates that all federal civilian executive branch (FCEB) agencies remediate this vulnerability by March 10, 2026. Inclusion in the KEV catalog indicates confirmed exploitation activity in the wild, though Synacor and CISA have not publicly attributed specific campaigns to this CVE at this time.
Beyond federal mandates, any organization running Zimbra with the WebEx zimlet enabled should treat this as an active risk requiring immediate action, not a deferred patching item.
Affected Configurations
The vulnerability is only triggered under the following configuration:
- WebEx zimlet is installed on the Zimbra server
- Zimlet JSP execution is enabled (this feature is not disabled by default in all ZCS versions)
Organizations that have never installed the WebEx zimlet, or that have disabled zimlet JSP processing globally, are not exposed to this specific attack path. Confirm your configuration before assuming you are unaffected.
Patching and Mitigation Guidance
Apply the following mitigations in order of preference:
1. Apply vendor patches
Review Synacor's security advisories for available patches addressing CVE-2020-7796. Apply the latest available ZCS release that includes a fix for this vulnerability. Consult the Zimbra security advisory page directly for version-specific guidance.
2. Disable the WebEx zimlet
If your organization does not actively use the Cisco WebEx integration within Zimbra, disable and remove the WebEx zimlet entirely. Run the following as the zimbra user to disable a zimlet:
zmzimletctl undeploy com_zimbra_webex
Verify removal with zmzimletctl listZimlets.
3. Disable zimlet JSP processing
If zimlets with JSP execution are not required operationally, disable zimlet JSP support at the server level. Review ZCS administration documentation for your specific version to implement this configuration change safely.
4. Restrict outbound connections from Zimbra servers
Apply egress firewall rules that prevent the Zimbra server from making unsolicited outbound HTTP/HTTPS connections to internal RFC 1918 address ranges and cloud metadata service IPs (e.g., 169.254.169.254, fd00:ec2::254). This limits the blast radius of any SSRF exploitation, including from vulnerabilities not yet publicly known.
5. Audit Zimbra server outbound traffic logs
Review proxy and firewall logs for outbound requests originating from Zimbra servers targeting internal subnets or metadata endpoints. Anomalous GET requests to internal management interfaces from the Zimbra host may indicate prior exploitation.
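Steps 4 and 5 above share one destination set: the RFC 1918 ranges and the cloud metadata addresses the Zimbra server should never contact on its own. The script below, an added example that is not part of the original article and not Synacor or Zimbra code, encodes that set once, runs the log audit from step 5 over proxy log lines, and renders the same set as the egress rules from step 4. It assumes a Squid-style access log layout; the log lines and the Zimbra host address 10.20.30.40 are constructed sample data.

```python
"""Audit proxy logs for SSRF-style egress from Zimbra hosts (added example)."""
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Destinations a Zimbra server has no legitimate reason to reach on its own:
# the RFC 1918 private ranges plus the cloud metadata addresses named in
# mitigation step 4. The same list drives the egress policy in egress_rules().
BLOCKED_DESTINATIONS = {
    "RFC1918": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ],
    "cloud-metadata": [
        ipaddress.ip_network("169.254.169.254/32"),  # IMDS (AWS, GCP, Azure, ...)
        ipaddress.ip_network("fd00:ec2::254/128"),   # AWS IMDS over IPv6
    ],
}
# GCP also exposes its metadata service by hostname, so a name match is needed too.
METADATA_HOSTNAMES = {"metadata.google.internal"}

# Source addresses of the Zimbra servers being audited (constructed sample value).
ZIMBRA_HOSTS = {"10.20.30.40"}

# Assumed Squid-style access log layout:
#   <epoch> <ms> <client_ip> <result/status> <bytes> <method> <url> ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<src>\S+)\s+(?P<result>\S+)\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def classify_destination(url: str) -> Optional[str]:
    """Return the blocked-range label the URL's host falls in, or None."""
    host = urlsplit(url).hostname  # strips IPv6 brackets and lowercases
    if host is None:
        return None
    if host in METADATA_HOSTNAMES:
        return "cloud-metadata"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # plain hostname; names are not resolved offline
    for label, networks in BLOCKED_DESTINATIONS.items():
        if any(addr in net for net in networks):
            return label
    return None


def audit(lines: List[str]) -> List[Dict[str, str]]:
    """Flag requests from Zimbra hosts to internal or metadata destinations."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["src"] not in ZIMBRA_HOSTS:
            continue
        label = classify_destination(m["url"])
        if label:
            findings.append({"src": m["src"], "method": m["method"],
                             "url": m["url"], "reason": label,
                             "status": m["result"]})
    return findings


def egress_rules(ports=(80, 443)) -> List[str]:
    """Render the same destination set as iptables/ip6tables OUTPUT rules."""
    dports = ",".join(str(p) for p in ports)
    rules = []
    for networks in BLOCKED_DESTINATIONS.values():
        for net in networks:
            tool = "ip6tables" if net.version == 6 else "iptables"
            rules.append(f"{tool} -A OUTPUT -d {net.with_prefixlen} -p tcp "
                         f"-m multiport --dports {dports} -j REJECT")
    return rules


# Constructed sample log lines; only the 10.20.30.40 entries belong to Zimbra.
SAMPLE_LOG = """\
1709251200.123 45 10.20.30.40 TCP_MISS/200 512 GET http://169.254.169.254/latest/meta-data/ - HIER_DIRECT/169.254.169.254 text/plain
1709251201.456 30 10.20.30.40 TCP_MISS/200 2048 GET https://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1709251202.789 12 10.20.30.40 TCP_MISS/401 128 GET http://192.168.5.10:8443/admin/ - HIER_DIRECT/192.168.5.10 text/html
1709251203.000 20 10.1.1.5 TCP_MISS/200 64 GET http://10.0.0.1/status - HIER_DIRECT/10.0.0.1 text/plain
1709251204.500 18 10.20.30.40 TCP_MISS/200 64 GET http://[fd00:ec2::254]/latest/meta-data/ - HIER_DIRECT/fd00:ec2::254 text/plain
""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['reason']:15} {f['src']} -> {f['method']} {f['url']} ({f['status']})")
    print("\n".join(egress_rules()))
```

Run against the sample data, the audit flags three of the five lines: the two metadata requests (IPv4 and IPv6) and the request to the internal management interface on 192.168.5.10; the request from 10.1.1.5 is ignored because that host is not a Zimbra server. Because the proxy only sees traffic that is routed through it, pair this with the egress rules so that direct connections that bypass the proxy are rejected rather than merely unlogged.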
Summary Table
| Attribute | Detail |
|---|---|
| CVE ID | CVE-2020-7796 |
| Vendor | Synacor |
| Product | Zimbra Collaboration Suite (ZCS) |
| Vulnerability Type | Server-Side Request Forgery (SSRF) |
| Attack Vector | Network (unauthenticated) |
| Prerequisite | WebEx zimlet installed + JSP enabled |
| CISA KEV | Yes — Federal patch deadline: March 10, 2026 |
| Primary Risk | Internal network pivot, cloud credential theft |
Original Source
CISA KEV
Cisco has patched CVE-2026-20093, a critical authentication bypass vulnerability in the Cisco Integrated Management Controller (IMC) with a CVSS score of 9.8. An unauthenticated remote attacker can exploit the flaw to bypass authentication and gain elevated privileges over affected hardware management interfaces. Administrators should apply Cisco's patch immediately and restrict IMC network access to isolated management VLANs.