Skip to main content
Zimbra Webmail RCE: Archive Exploit to Mailbox Theft operation cover
COMING SOONIntermediatePRO

Zimbra Webmail RCE: Archive Exploit to Mailbox Theft

A law firm Zimbra Collaboration server was compromised through a path traversal flaw in the cpio helper invoked during inbound email scanning (CVE-2022-41352). A crafted archive delivered over SMTP caused cpio to drop a JSP webshell directly into the Zimbra web root, giving the actor persistent server-side execution. They then used Zimbra's own CLI tooling to export targeted attorney mailboxes and exfiltrate the data. Reconstruct the chain from the mail delivery through the webshell activity to the data leaving the network.

45m
7 tasks
50 points
Pro

Launches in 5 days

Jul 14, 2026

Tuesday, July 14, 2026 at 9:00 AM

View Pro plans

Pro unlocks this operation at launch.

Training Tools

SIEMFirewallEmail

What you'll investigate

7 objectives unlock when this operation goes live.

1Find the delivery vector
2Trace the exploit path
3Confirm the webshell operator
4Name the data collection technique
5Identify the exfiltration destination
6Classify the initial access technique
7Identify the persistence mechanism

Be first when it launches

Create your account and grab Pro before launch. The moment this operation goes live on Jul 14, 2026, you can jump straight in.

Get Started Free

No credit card required — free forever