
Zimbra Webmail RCE: Archive Exploit to Mailbox Theft
A law firm Zimbra Collaboration server was compromised through a path traversal flaw in the cpio helper invoked during inbound email scanning (CVE-2022-41352). A crafted archive delivered over SMTP caused cpio to drop a JSP webshell directly into the Zimbra web root, giving the actor persistent server-side execution. They then used Zimbra's own CLI tooling to export targeted attorney mailboxes and exfiltrate the data. Reconstruct the chain from the mail delivery through the webshell activity to the data leaving the network.
Launches in 5 days
Tuesday, July 14, 2026 at 9:00 AM
Pro unlocks this operation at launch.
Training Tools
What you'll investigate
7 objectives unlock when this operation goes live.
Be first when it launches
Create your account and grab Pro before launch. The moment this operation goes live on Jul 14, 2026, you can jump straight in.
Get Started FreeNo credit card required — free forever