How does the exploitation chain SSRF and memcached to achieve code execution?
The attack uses the SSRF vulnerability (CVE-2019-9621) to send HTTP requests to internal services, specifically to the local memcached daemon on port 11211. Through the SSRF, the attacker issues a memcached `set` for a crafted key whose value is a serialized payload generated by ysoserial (using the `MozillaRhino2` gadget). When a victim user later logs in via IMAP and accesses their inbox, Zimbra reads that cache entry and deserializes the stored object, which triggers execution of arbitrary commands. This chain is fully documented in the Zimbra Deserialization Vulnerability (CVE-2019-6980) Exploitation Test.
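The chain above has two observable stages a defender can check for: a server-side fetch aimed at a loopback or private host on the memcached port, and a memcached storage command whose value is a Java serialization stream. The following is an added example written for this page (it is not code from the exploitation test or from Zimbra); the function names `is_internal_memcached_target` and `find_serialized_stores` and the sample traffic are constructed here, and the magic-byte check is a generic heuristic for Java `ObjectOutputStream` data, not a signature of the specific payload the page describes.

```python
"""Defensive checks for the SSRF -> memcached -> deserialization chain.

Two detections that a reverse proxy/WAF (stage 1) or a memcached traffic
monitor (stage 2) can apply:
  1. flag outbound URLs that an SSRF-prone feature would fetch when they
     point at a loopback or private host on the memcached port (11211);
  2. flag memcached storage commands whose data block begins with the Java
     serialization stream magic (0xACED0005), i.e. a serialized object that
     will be deserialized by whoever reads the key back.
All sample inputs in this file are constructed for the example.
"""
from ipaddress import ip_address
from urllib.parse import urlparse

MEMCACHED_PORT = 11211
JAVA_SERIAL_MAGIC = bytes.fromhex("aced0005")  # STREAM_MAGIC + STREAM_VERSION
STORAGE_COMMANDS = (b"set", b"add", b"replace", b"append", b"prepend")


def is_internal_memcached_target(url: str) -> bool:
    """True if a user-supplied URL points at a loopback/private host on 11211."""
    try:
        parsed = urlparse(url)
        port = parsed.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if port != MEMCACHED_PORT:
        return False
    host = (parsed.hostname or "").lower()
    if host == "localhost":
        return True
    try:
        addr = ip_address(host)
    except ValueError:
        return False  # a DNS name other than localhost; resolve it before deciding
    return addr.is_loopback or addr.is_private


def find_serialized_stores(stream: bytes) -> list[str]:
    """Walk a memcached text-protocol byte stream and return the keys of storage
    commands whose data block starts with the Java serialization magic."""
    suspicious = []
    pos = 0
    while pos < len(stream):
        eol = stream.find(b"\r\n", pos)
        if eol == -1:
            break
        parts = stream[pos:eol].split()
        pos = eol + 2
        # Storage command layout: <cmd> <key> <flags> <exptime> <bytes> [noreply]\r\n<data>\r\n
        if len(parts) >= 5 and parts[0] in STORAGE_COMMANDS:
            try:
                length = int(parts[4])
            except ValueError:
                continue  # malformed length field; keep scanning line by line
            data = stream[pos:pos + length]
            if data.startswith(JAVA_SERIAL_MAGIC):
                suspicious.append(parts[1].decode("ascii", errors="replace"))
            pos += length + 2  # skip the data block and its trailing CRLF
    return suspicious


# Constructed sample traffic: one benign entry, and one whose value begins with
# the Java serialization magic (magic bytes plus filler only; no real gadget).
SAMPLE_STREAM = (
    b"set session:42 0 900 5\r\nhello\r\n"
    b"set cache:entry 0 0 12\r\n" + JAVA_SERIAL_MAGIC + b"filler__" + b"\r\n"
)

if __name__ == "__main__":
    for candidate in ("http://127.0.0.1:11211/", "https://example.com/"):
        print(candidate, "->", is_internal_memcached_target(candidate))
    print("serialized objects stored under keys:", find_serialized_stores(SAMPLE_STREAM))
```

The URL check is only a first filter: a hostname that is not `localhost` has to be resolved (and the resolved address re-checked) before the request is allowed, otherwise a DNS name pointing at 127.0.0.1 slips through. The stream check is intentionally narrow, so it will miss payloads that are base64-encoded or otherwise wrapped by the application before being stored; pair it with alerting on any memcached write that does not originate from the application's own process.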
Tags: SSRF, CVE-2019-9621, memcached injection, deserialization chain, ysoserial, MozillaRhino2, exploitation