Synacor Zimbra Collaboration Suite Exploit Attempt - CVE-2019-9670

The Synacor Zimbra Collaboration Suite provides email services for enterprises, among other things. The mailboxd component in Zimbra Collaboration Suite has a vulnerability that allows an attacker to inject an XML external entity (XXE) that interferes with normal XML processing between a client and server. The attacker sends an HTTP POST request with a malicious payload to the /autodiscover endpoint on a Zimbra server. The payload includes an XXE with a URI or path (such as file:///opt/zimbra/conf/localconfig.xml) that targets a file containing Zimbra account credentials [1]. The server sends an HTTP response with a payload containing file content (such as account credentials) from the URI [2]. As a result, the attacker can leverage account credentials to exploit additional vulnerabilities in an attack chain to upload a web shell and run code on the Zimbra server.