OpenSSF Community Day India 2025

Email remains a mission-critical service in both government and private sectors, and Zimbra—one of the most widely used open-source mail platforms—exposes real-world security challenges in open infrastructure.

This talk explores several critical vulnerabilities discovered in Zimbra, including a pre-auth RCE via SMTP command handling, an SSRF that enables remote shell access through internal proxy chaining, and a 2FA bypass that weakens authentication. These reflect systemic issues in open-source security at scale.

I’ll also introduce the Kobold Letter attack—an effective email parsing exploit that bypasses UI logic in Zimbra, Gmail, and Outlook using invisible formatting to aid phishing. This points to the urgent need for better mail parsing standards.

The session will blend offensive insights with defense: how these flaws were disclosed, mitigated, and what OSS maintainers can do to secure their stacks earlier. It’s ideal for red teamers, defenders, and those securing collaborative infrastructure.