Once RCE is achieved:
Chaining with CVE-2020-27995 (Auth Bypass):
Researchers discovered that CVE-2020-27996 is particularly dangerous when combined with CVE-2020-27995 – an authentication bypass in Zimbra’s ProxyServlet. That flaw allowed an unauthenticated attacker to access any user’s mailbox folder directly, including the Calendar or Briefcase. Chaining them gives:
Immediate actions (for administrators):
Disable unused services:
If CalDAV or ProxyServlet are not required, disable them via zmprov:
zmprov mcf zimbraReverseProxyAdminEnabled FALSE
zmprov mcf zimbraCalDAVEnabled FALSE
WAF rules:
Block requests whose URL matches /service/home/~/*?*fmt=* and any request parameter whose value contains markers such as <script, javascript:, or onerror=.
The core issue lies in the handling of RAR archives. Historically, the unrar binary used by Zimbra was either a statically linked build maintained by the vendor or one taken from outdated upstream repositories. The vulnerability allows an attacker to escape the constraints of the scanning process and execute commands as the zimbra user, and then to escalate privileges to root because of the permissions set by the default configuration.
To understand CVE-2020-27996, one must first understand how Zimbra handles proxy requests and session management.
The phrase “CVE-2020-27996 Zimbra Collaboration Suite Full” often appears in exploit databases and security write-ups to indicate full-chain exploitation, meaning the XSS alone is not the final goal; it is used as a stepping stone for:
This vulnerability contributed to multiple mass exploitation campaigns in late 2020 and early 2021, where attackers (including state-sponsored groups) targeted on-premise Zimbra instances in government, finance, and healthcare sectors.