Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925

**Volexity observed mass exploitation of Zimbra Collaboration Suite where an initially authenticated RCE (CVE-2022-27925) could be leveraged without credentials due to an authentication bypass (CVE-2022-37042), leading to webshell deployments and confirmed compromises of over 1,000 servers worldwide; the report explains the vulnerability mechanics, common webshell indicators, scanning methodology, and remediation steps including patches and forensic actions.**