The critical oversight: the servlet endpoint that proxies requests to other targets (including the mailboxd admin port on localhost) did not enforce authentication. Worse, certain endpoints reachable through that servlet allowed execution of system commands via the Command or Extension functionality.
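The flaw above is an unauthenticated proxy that can be pointed at loopback services. As an added example, not code from the original page or from Zimbra, here is the kind of target check a proxy endpoint should apply before forwarding (on top of requiring an authenticated session). The allowlisted host and port set are hypothetical; the admin port 7071 in the comments is used only as an illustrative internal target.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical configuration (not Zimbra's): the only external hosts and
# ports the proxy is ever allowed to reach.
ALLOWED_HOSTS = {"api.example.com"}
ALLOWED_PORTS = {80, 443}


def proxy_target_allowed(target: str,
                         allowed_hosts=ALLOWED_HOSTS,
                         allowed_ports=ALLOWED_PORTS) -> bool:
    """Return True only if `target` is an http(s) URL to an allowlisted host
    on an allowlisted port.

    Rejects non-HTTP schemes, unusual ports (so a request cannot be steered at
    an internal admin port such as 7071), IP literals that are loopback,
    private, link-local, multicast or reserved, and any hostname that is not
    explicitly allowlisted. Everything not allowed is denied."""
    try:
        parts = urlsplit(target)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False

    if parts.scheme not in ("http", "https"):
        return False

    host = parts.hostname
    if not host:
        return False
    host = host.lower().rstrip(".")

    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in allowed_ports:
        return False

    # IP literals: refuse anything that points inside the host or local network,
    # and otherwise only accept literals that are themselves allowlisted.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
            return False
        return str(ip) in allowed_hosts

    # Hostnames: "localhost" and anything under it are always local.
    if host == "localhost" or host.endswith(".localhost"):
        return False
    return host in allowed_hosts


if __name__ == "__main__":
    # Constructed sample targets: one legitimate, the rest SSRF attempts.
    for url in ("https://api.example.com/v1/status",
                "http://localhost:7071/service/admin/soap",
                "http://127.0.0.1:7071/",
                "http://[::1]/",
                "http://api.example.com:7071/",
                "gopher://api.example.com/"):
        print(f"{url:45} -> {'allow' if proxy_target_allowed(url) else 'deny'}")
```

The check is deliberately allowlist-based: a denylist of loopback addresses alone is bypassed by alternate encodings and by DNS names that resolve to 127.0.0.1. Because hostnames are matched by name and not resolved here, a deployment must also pin the resolved address at connect time (or resolve and re-check before connecting) to close DNS rebinding.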
The fix involved:
However, the most efficient attack bypasses this by injecting directly into the extension parameter of the UserServlet.