CVE-2020-7796 — Zimbra Collaboration Suite SSRF

Malicious requests can extract highly sensitive infrastructure information, local configuration files, or administrative credentials stored within internal endpoints.

When an unsuspecting user views the file list in their Zimbra Drive, the browser interprets the filename as executable code.

A Zimlet is an add-on component used to extend Zimbra's core capabilities. When processing requests via the WebEx Zimlet component, the software fails to sanitize and validate user-supplied URLs. An attacker can pass a custom internal URL string into a component property, forcing the backend Zimbra server to act as an open proxy.

Attack Vector and Exploitation Mechanics

* An attacker does not need a username or password to exploit this flaw; it can be triggered remotely by anyone with access to the server's web interface.
* High severity: with a CVSS score often rated as 9.8 (Critical).

Quick Info
* NVD Published Date: 02/18/2020
* NVD Last Modified: 02/18/2026
* Source: MITRE
* References: National Institute of Standards and Technology (.gov); Acunetix, "Zimbra Collaboration Suite SSRF (CVE-2020-7796)"

The core of this vulnerability lies in the WebEx zimlet, a plugin that integrates WebEx meeting functionality into the Zimbra web client. If a user-supplied URL is passed through the vulnerable component without proper sanitization, the server fetches that URL itself instead of rejecting it.

Detection & indicators

A remote, unauthenticated attacker can send specially crafted HTTP requests to the server. This allows them to:

As of early 2026, this vulnerability has seen a major resurgence in active exploitation:

Because an SSRF vulnerability effectively converts a highly trusted perimeter mail server into a malicious pivoting proxy, the cascading operational impacts are severe.

The flaw is active when the WebEx zimlet is installed and its associated JSP (Jakarta Server Pages) functionality is enabled.

An unauthenticated attacker sends a tailored HTTP POST or GET request containing a target URL pointing to an internal resource (e.g., http://127.0.0 or cloud metadata endpoints like http://169.254.169 ). The Zimbra server implicitly trusts its internal framework, executes the request on behalf of the attacker, and forwards the response back to the malicious source.

Potential Impact on the Enterprise

In March 2025, researchers observed a coordinated surge where approximately 400 IP addresses targeted this flaw across several countries, including the U.S., Germany, and Japan.