Login Sign Up

CVE-2022-48021

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This critical vulnerability in Zammad v5.3.0 allows attackers to execute arbitrary code or escalate privileges by sending a specially crafted message to the server. All organizations running the affected Zammad version are at risk, potentially leading to complete system compromise.

💻 Affected Systems

Products:
  • Zammad
Versions: v5.3.0
Operating Systems: All platforms running Zammad
Default Config Vulnerable: ⚠️ Yes
Notes: Only version 5.3.0 is affected. Earlier and later versions are not vulnerable.

📦 What is this software?

Zammad by Zammad

View all CVEs affecting Zammad →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining root privileges, data exfiltration, ransomware deployment, and persistent backdoor installation.

🟠

Likely Case

Unauthorized access to sensitive customer support data, privilege escalation within Zammad, and potential lateral movement to other systems.

🟢

If Mitigated

Limited impact with proper network segmentation, minimal user privileges, and active monitoring detecting exploitation attempts.

🌐 Internet-Facing: HIGH - Zammad is typically exposed to the internet for customer support portals, making it directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal instances still vulnerable but attack surface reduced compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires sending a crafted message to the server, suggesting authenticated access may be needed but privilege escalation is possible from lower privilege levels.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.3.1 or later

Vendor Advisory: https://zammad.com/de/advisories/zaa-2022-11

Restart Required: Yes

Instructions:

1. Backup your Zammad instance and database. 2. Update Zammad to version 5.3.1 or later using your deployment method (Docker, package manager, manual). 3. Restart the Zammad service. 4. Verify the update was successful.

🔧 Temporary Workarounds

Network Access Restriction

linux

Restrict access to Zammad instance to trusted IP addresses only

# Example iptables rule: iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
# Example iptables rule: iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT

Disable Message Processing

all

Temporarily disable external message processing if business critical

# Edit Zammad configuration to disable external channels
# Consult Zammad documentation for specific configuration changes

🧯 If You Can't Patch

  • Isolate Zammad instance in a separate network segment with strict firewall rules
  • Implement application-level WAF with RCE protection rules and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check Zammad version in admin interface or via command: grep 'version' /path/to/zammad/config/initializers/version.rb

Check Version:

grep "Zammad::Version::STRING" /path/to/zammad/config/initializers/version.rb | cut -d'"' -f2

Verify Fix Applied:

Confirm version is 5.3.1 or later and test message processing functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual message processing errors
  • Suspicious payloads in incoming messages
  • Unexpected process execution from Zammad user

Network Indicators:

  • Unusual outbound connections from Zammad server
  • Large or malformed messages to Zammad endpoints

SIEM Query:

source="zammad" AND (message="*crafted*" OR message="*malformed*" OR error="*execution*")

📊 Metadata

CVE ID: CVE-2022-48021
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: February 3, 2023
Last Updated: March 26, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON