Zimbra has released security fixes for a critical remote code execution (RCE) vulnerability (CVE-2022-41352) in its Zimbra Collaboration Suite (ZCS) products. The RCE vulnerability can be exploited by sending an email with a malicious archive attachment that plants a webshell. This vulnerability is reportedly being actively exploited.
All ZCS instances using cpio, a general file archiver utility, are affected by this vulnerability. The latest ZCS version 9.0.0 P27 replaces the vulnerable component, cpio, with pax, which performs a similar function.
Administrators and users of affected products are advised to upgrade to the latest version immediately.
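A quick triage check for the cpio/pax condition described above, written as an added example (not Zimbra's own tooling). It assumes that the presence of the `pax` and `cpio` binaries on a search path is a usable first indicator; it does not confirm which archiver ZCS actually invokes or the installed patch level, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: classify a host by which archiver binaries are installed.
# Assumption: binary presence on the search path is only a proxy for what
# ZCS uses; confirm the installed ZCS patch level separately.
#
# Usage: archiver_exposure [colon-separated-dirs]   (defaults to $PATH)
# Prints one of:
#   pax-present  pax is installed
#   cpio-only    only cpio is installed (the case the advisory flags)
#   neither      neither archiver was found on the search path
archiver_exposure() {
    search_path=${1:-$PATH}
    have_pax=0
    have_cpio=0
    old_ifs=$IFS
    IFS=:
    for dir in $search_path; do
        # Skip empty PATH components rather than treating them as "."
        if [ -z "$dir" ]; then
            continue
        fi
        # Count only regular files (or symlinks to them) that are executable
        if [ -f "$dir/pax" ] && [ -x "$dir/pax" ]; then
            have_pax=1
        fi
        if [ -f "$dir/cpio" ] && [ -x "$dir/cpio" ]; then
            have_cpio=1
        fi
    done
    IFS=$old_ifs

    if [ "$have_pax" -eq 1 ]; then
        echo "pax-present"
    elif [ "$have_cpio" -eq 1 ]; then
        echo "cpio-only"
    else
        echo "neither"
    fi
}

# Report for the current host when run directly
archiver_exposure
```

A `cpio-only` result marks a host to prioritise for the upgrade; `pax-present` is not proof that the fix is applied, so the ZCS version still needs to be checked.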