PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-3405 Synacor CVE debrief

CVE-2016-3405 covers multiple unspecified vulnerabilities in Zimbra Collaboration before 8.7.0, also referenced as bugs 103961 and 104828. NVD rates the issue as high severity with a network-reachable attack path, no privileges, no user interaction, and high integrity impact. The practical defensive takeaway is straightforward: systems running Zimbra Collaboration Suite 8.6.0 and earlier should be treated as affected and upgraded to 8.7.0 or later based on the vendor release notes and security advisories.

Vendor: Synacor
Product: CVE-2016-3405
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-18
Original CVE updated: 2026-05-13
Advisory published: 2017-01-18
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for Zimbra Collaboration Suite installations, especially instances running version 8.6.0 or earlier.

Technical summary

The NVD record maps the vulnerability to Synacor Zimbra Collaboration Suite versions up to and including 8.6.0. The reported CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating a remotely reachable issue with no authentication or user interaction required and a primary integrity impact. NVD does not provide a more specific CWE beyond NVD-CWE-noinfo, so the exact underlying flaw type is unspecified in the public record. Vendor references point to Zimbra 8.7.0 release notes and Zimbra security advisories as the relevant remediation sources.

Defensive priority

High. The issue is remotely reachable, requires no authentication, and can impact integrity, so exposed or internet-facing Zimbra deployments should be prioritized for upgrade and validation.

Recommended defensive actions

  • Identify all Zimbra Collaboration Suite instances and confirm whether any are running version 8.6.0 or earlier.
  • Upgrade affected systems to Zimbra 8.7.0 or later using the vendor release notes and security advisories as guidance.
  • Verify that the upgrade completed successfully and that the instance now reports a fixed version.
  • Review exposed Zimbra services for unexpected integrity changes or configuration drift around the time the vulnerable version was in use.
  • Track the vendor advisory and release notes for any additional remediation steps or related fixes.
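
The first and third actions above, as an added example (not code from NVD, the vendor, or this debrief's sources): it triages an inventory of version banners against the 8.7.0 fix boundary and keeps unparseable entries separate instead of counting them as patched. The host names and banner strings are constructed, and the banner style (of the kind printed by `zmcontrol -v`) is an assumption.

```python
import re

FIXED = (8, 7, 0)  # first fixed release named on this page

# First dotted X.Y.Z triple in a banner, e.g. "Release 8.6.0_GA_1153 ..."
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?!\d)")


def parse_version(banner):
    """Return (major, minor, patch) from a version banner, or None."""
    m = _VERSION_RE.search(banner)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(banner):
    """Classify one banner as 'affected', 'fixed' or 'unknown'."""
    version = parse_version(banner)
    if version is None:
        return "unknown"  # never assume an unparseable host is patched
    # Tuple comparison is numeric, so 8.10.x sorts after 8.7.0.
    return "affected" if version < FIXED else "fixed"


def triage(inventory):
    """Group hosts by status. inventory maps hostname -> banner string."""
    report = {"affected": [], "fixed": [], "unknown": []}
    for host, banner in sorted(inventory.items()):
        report[classify(banner)].append(host)
    return report


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = {
    "mail-a.example.internal": "Release 8.6.0_GA_1153.RHEL6_64 RHEL6_64 FOSS edition.",
    "mail-b.example.internal": "Release 8.7.0_GA_1659.UBUNTU14_64 UBUNTU14_64 FOSS edition.",
    "mail-c.example.internal": "Release 8.0.9.GA.6191.RHEL6.64 RHEL6_64 NETWORK edition.",
    "mail-d.example.internal": "8.10.2",
    "mail-e.example.internal": "connection timed out",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown need a manual version check before they are closed out.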

Evidence notes

This debrief is based on the official NVD record and the linked vendor references. The NVD CPE criteria mark cpe:2.3:a:synacor:zimbra_collaboration_suite as vulnerable through version 8.6.0. The CVSS vector in the NVD metadata is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The record also cites Zimbra Release Notes 8.7.0 and Zimbra Security Advisories, which support the remediation recommendation to move to 8.7.0 or later. No KEV listing is present in the supplied data.

Official resources

CVE-2016-3405 was published on 2017-01-18 and the supplied source record was last modified on 2026-05-13. The record is not marked as a KEV item in the provided data.