What happened
CISA added CVE-2020-7796 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-02-17, signaling confirmed in-the-wild exploitation (CISA due date 2026-03-10) [CISA KEV]. The entry attributes the flaw to Synacor Zimbra Collaboration Suite (ZCS) and describes a server-side request forgery (SSRF) condition that exists when the WebEx zimlet is installed and the zimlet's JSP is enabled [CISA KEV]. NVD tracks CVE-2020-7796 under CWE-918, confirming the SSRF nature of the issue [NVD entry].
The CVE record explicitly lists ZCS as the affected product under the Synacor vendor entry, which scopes the impact to Zimbra's collaboration stack [MITRE CVE record]. CISA's required action is to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable [CISA KEV].
Why it matters
An SSRF on a mail/collaboration server is high leverage: it coerces the server into initiating outbound requests from its own network position and with its own credentials, the typical effect of CWE-918 issues [NVD entry]. Because CISA only lists vulnerabilities with observed exploitation, prioritization is warranted for environments running ZCS with the WebEx zimlet/JSP condition present [CISA KEV]. The combination of email infrastructure and an SSRF primitive can give an adversary reach into services that trust the ZCS host, or into internally exposed metadata endpoints, depending on deployment specifics [NVD entry].
The KEV designation compresses decision time: agencies and enterprises that map their backlog to KEV should treat this as an immediate action item, not a "patch-when-convenient" task [CISA KEV]. The CVE's CWE-918 (SSRF) mapping is the key risk marker here; SSRF impact is environment-dependent, but it frequently bypasses perimeter controls by riding on trusted server egress [NVD entry].
Technical detail
CVE-2020-7796 is an SSRF condition in Zimbra Collaboration Suite that manifests when the optional WebEx zimlet is installed and its JSP-based component is enabled; this feature gate defines the vulnerable surface per the KEV description [CISA KEV]. The CVE is categorized under CWE-918, which denotes flaws that let an attacker cause the server to make unintended requests to arbitrary URIs, potentially reaching resources not directly exposed to the attacker [NVD entry].
The authoritative CVE record confirms the vendor/project and product as Synacor Zimbra Collaboration Suite, tying the vulnerability specifically to the ZCS platform [MITRE CVE record]. Given the SSRF class, exploitation involves manipulating a server-side component into fetching attacker-chosen URLs; under the KEV-stated conditions, the WebEx zimlet's JSP component is that component [CISA KEV]. As with similar SSRF issues, the precise impact will vary with the network egress policy and internal service exposure, but the CWE-918 mapping reliably frames the core behavior [NVD entry].
The KEV listing date of 2026-02-17 and the due date of 2026-03-10 set the operational timeline for remediation, consistent with CISA's KEV program practice for actively exploited vulnerabilities [CISA KEV].
Defense
CISA directs defenders to apply the vendor's mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue the product if mitigations are unavailable [CISA KEV]. The KEV short description translates into these immediate triage steps:
- Identify ZCS instances where the WebEx zimlet is installed and the zimlet's JSP is enabled; these hosts meet the KEV-defined vulnerable preconditions [CISA KEV].
- If business permits, remove the WebEx zimlet or disable the zimlet JSP to reduce the attack surface implied by the KEV conditions while permanent fixes are applied [CISA KEV].
- Apply the vendor's mitigation or update paths as they become available; this aligns with the KEV "required action" directive for CVE-2020-7796 [CISA KEV].
Because SSRF relies on server-initiated egress, tighten outbound request policies for ZCS hosts to restrict arbitrary URL fetches where operationally feasible; this reduces the practical blast radius of CWE-918 issues [NVD entry]. Keep an incident-response plan keyed to the KEV due date, given the in-the-wild exploitation signal and CISA's remediation timeline [CISA KEV].
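The triage steps above reduce to one question per host: is the WebEx zimlet deployed, and is zimlet JSP enabled? The following added helper (not Zimbra's or CISA's code) answers it from two command outputs an administrator collects on each ZCS host, `zmzimletctl listZimlets` and `zmprov gcf zimbraZimletJspEnabled`, and attaches the KEV due date so the result can feed a remediation queue. The sample outputs are constructed; the zimlet id `com_zimbra_webex`, the section layout of the listing, and the attribute name `zimbraZimletJspEnabled` are assumptions to verify against your ZCS version.

```python
import re
from datetime import date
from typing import Dict, Optional, Set, Union

KEV_DUE_DATE = date(2026, 3, 10)      # CISA KEV due date for CVE-2020-7796 (from the KEV entry)
WEBEX_ZIMLET = "com_zimbra_webex"     # assumed zimlet id of the WebEx zimlet; verify on your install
JSP_ATTR = "zimbraZimletJspEnabled"   # assumed global-config attribute gating zimlet JSPs; verify

# Constructed sample of `zmzimletctl listZimlets`; the section layout is an assumption.
SAMPLE_LISTZIMLETS = """\
Installed Zimlet files on this host:
        com_zimbra_attachmail
        com_zimbra_webex
Installed Zimlets in LDAP:
        com_zimbra_attachmail
        com_zimbra_webex
Available Zimlets in COS:
  default:
        com_zimbra_attachmail
        com_zimbra_webex
"""
# Constructed sample of `zmprov gcf zimbraZimletJspEnabled`.
SAMPLE_JSP_ENABLED = "zimbraZimletJspEnabled: TRUE\n"


def parse_listzimlets(output: str) -> Dict[str, Set[str]]:
    """Map each 'Section:' header of the listZimlets output to the zimlet ids under it."""
    sections: Dict[str, Set[str]] = {}
    current: Optional[str] = None
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):
            current = line[:-1]
            sections[current] = set()
        elif current is not None:
            name = line.strip()
            if not name.endswith(":"):          # skip COS names such as 'default:'
                sections[current].add(name)
    return sections


def parse_zmprov_flag(output: str, attr: str) -> Optional[bool]:
    """Read 'attr: TRUE|FALSE' from zmprov output; None if the attribute is absent."""
    m = re.search(rf"^{re.escape(attr)}:\s*(\S+)", output, re.MULTILINE)
    return None if m is None else m.group(1).upper() == "TRUE"


def triage(listzimlets_out: str, jsp_out: str, today: Union[date, str]) -> dict:
    """Decide whether a host meets the KEV-stated precondition and what to do next."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    sections = parse_listzimlets(listzimlets_out)
    deployed: Set[str] = set().union(*sections.values()) if sections else set()
    webex_present = WEBEX_ZIMLET in deployed
    jsp_enabled = parse_zmprov_flag(jsp_out, JSP_ATTR)
    # Precondition from the KEV entry: zimlet installed AND zimlet JSP enabled.
    # An unreadable JSP setting is treated as enabled so that triage fails closed.
    precondition_met = webex_present and jsp_enabled is not False
    if precondition_met:
        action = "remove the WebEx zimlet or disable zimlet JSP now, then apply the vendor fix"
    else:
        action = "precondition not met; apply the vendor fix on the normal cadence"
    return {
        "webex_zimlet_present": webex_present,
        "zimlet_jsp_enabled": jsp_enabled,
        "kev_precondition_met": precondition_met,
        "days_to_kev_due_date": (KEV_DUE_DATE - today).days,
        "action": action,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LISTZIMLETS, SAMPLE_JSP_ENABLED, date(2026, 2, 17)))
```

Run it with the real command outputs captured from each host; a host where the zimlet appears in any section and the JSP flag is not explicitly FALSE is reported as meeting the KEV precondition, which is the conservative reading of the KEV description.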
Lyrie Verdict
SSRF on a collaboration server is exactly the kind of foothold autonomous adversaries exploit to chain reconnaissance and lateral access without waiting for human operators; KEV status means they already are [CISA KEV]. Lyrie's position: instrument ZCS edges for autonomous, machine-speed detection of server-initiated anomalies tied to CWE-918 behaviors, namely unexpected outbound fetches, internal-only URI touches, and rapid, patterned URL probes originating from mail infrastructure (the behavioral anchors of the SSRF class) [NVD entry]. We bind these detections to KEV-aware prioritization, auto-escalating any SSRF-like sequence on Zimbra hosts with the WebEx zimlet/JSP condition present so that response runs at machine speed, not analyst speed [CISA KEV].
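Both the egress-tightening advice in the Defense section and the three detection anchors named above come down to the same decision per server-initiated fetch: is the destination on the host's egress allowlist, is it an internal-only target, and is this one of a rapid run of probes? The following added example (not Lyrie's product logic or Zimbra's code) applies that policy to a constructed proxy-style egress log from two ZCS hosts and then performs the KEV-aware escalation described above. The allowlist hostnames, the log format, the window and threshold values, and the host names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Assumed allowlist of external hostnames a ZCS host legitimately reaches (placeholders).
EGRESS_ALLOWLIST: Set[str] = {"update.zimbra.example", "mail.partner.example"}
PROBE_WINDOW_SECONDS = 60   # window for the "rapid, patterned URL probes" behaviour (assumed)
PROBE_THRESHOLD = 5         # distinct denied URLs within the window that count as a probe (assumed)

# Constructed proxy-style egress log: "<utc timestamp> <zcs host> <url>".
SAMPLE_LOG = """\
2026-02-18T10:00:01Z zcs01 https://update.zimbra.example/patches
2026-02-18T10:00:05Z zcs01 http://169.254.169.254/latest/meta-data/
2026-02-18T10:00:06Z zcs01 http://10.0.0.5:8500/v1/kv/
2026-02-18T10:00:07Z zcs01 http://10.0.0.5:8080/
2026-02-18T10:00:08Z zcs01 http://10.0.0.5:9200/
2026-02-18T10:00:09Z zcs01 http://10.0.0.6:22/
2026-02-18T10:00:10Z zcs01 http://10.0.0.7:445/
2026-02-18T10:30:00Z zcs02 https://mail.partner.example/ews
"""

Finding = Tuple[str, str]   # (kind, detail)


def is_internal_target(hostname: str) -> bool:
    """True for loopback, link-local (incl. the 169.254.169.254 metadata address) and RFC1918 targets."""
    if hostname == "localhost":
        return True
    try:
        ip = ip_address(hostname)
    except ValueError:
        return False          # a DNS name; resolving it is out of scope for this example
    return ip.is_loopback or ip.is_link_local or ip.is_private


def egress_decision(url: str) -> str:
    """Egress policy for one server-initiated fetch: allow, deny-internal or deny-unlisted."""
    host = urlparse(url).hostname or ""
    if is_internal_target(host):
        return "deny-internal"
    if host not in EGRESS_ALLOWLIST:
        return "deny-unlisted"
    return "allow"


def analyze(log_text: str) -> Dict[str, List[Finding]]:
    """Run the egress policy over the log and flag the three CWE-918 behaviours per host."""
    findings: Dict[str, List[Finding]] = defaultdict(list)
    denied_window: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    probe_flagged: Set[str] = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, host, url = line.split(" ", 2)
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        verdict = egress_decision(url)
        if verdict == "allow":
            continue
        findings[host].append((verdict, url))
        # Sliding window of denied fetches; many distinct URLs in a short span is the probe pattern.
        window = [(t, u) for t, u in denied_window[host]
                  if (ts - t).total_seconds() <= PROBE_WINDOW_SECONDS] + [(ts, url)]
        denied_window[host] = window
        distinct = {u for _, u in window}
        if len(distinct) >= PROBE_THRESHOLD and host not in probe_flagged:
            probe_flagged.add(host)
            findings[host].append(
                ("rapid-probe", f"{len(distinct)} distinct denied URLs within {PROBE_WINDOW_SECONDS}s"))
    return dict(findings)


def prioritize(findings: Dict[str, List[Finding]], kev_precondition_hosts: Set[str]) -> Dict[str, str]:
    """KEV-aware escalation: SSRF-like findings on a host that meets the WebEx zimlet/JSP
    precondition escalate immediately; findings on other hosts go to analyst review."""
    return {host: ("escalate" if host in kev_precondition_hosts else "review")
            for host, items in findings.items() if items}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for host, items in result.items():
        for kind, detail in items:
            print(f"{host} {kind} {detail}")
    print(prioritize(result, {"zcs01"}))
```

The same `egress_decision` function doubles as the policy for an outbound allowlist on the ZCS host and as the detection rule over its egress logs, so the two stay in agreement; the precondition host set passed to `prioritize` is exactly the inventory produced by the triage step.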