One Day Sec

What are the prerequisites for exploiting CVE-2019-6980?

Exploitation requires the Zimbra server to be running a vulnerable version (8.7.x to 8.8.11) and the IMAP-SSL port (993) to be accessible. In the common scenario, an SSRF vulnerability (CVE-2019-9621) is needed to set `zimbraMemcachedClientServerList` to `127.0.0.1` and then inject the payload into the local memcached service. If SSRF is not present, the attacker must already have plaintext credentials and direct access to memcached port 11211, which is a much more restrictive condition. See the guide on setting up a Zimbra vulnerability debugging environment for help reproducing the vulnerability locally.
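For defenders, the prerequisites above translate into a host exposure check. The following is an added example, not code from the original page or from Zimbra: it assumes the version string and `ss -ltn` style listener output have already been collected from your own server, and the function names and sample inputs are constructed for illustration.

```python
import re

# Vulnerable range as stated on this page: 8.7.x through 8.8.11.
VULN_MIN, VULN_MAX = (8, 7, 0), (8, 8, 11)
LOOPBACK = {"127.0.0.1", "[::1]", "::1", "localhost"}

# Constructed sample inputs (not taken from a real host).
SAMPLE_VERSION = "Release 8.8.10_GA_0000 (constructed sample)"
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:993        0.0.0.0:*
LISTEN 0      128    127.0.0.1:11211    0.0.0.0:*
LISTEN 0      128    [::]:443           [::]:*
"""

def parse_version(text):
    """Extract the first major.minor.patch triple from a version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(x) for x in m.groups())

def listeners(ss_output):
    """Yield (address, port) for each LISTEN row of `ss -ltn` style output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            addr, _, port = fields[3].rpartition(":")
            if port.isdigit():
                yield addr, int(port)

def audit(version_text, ss_output):
    """Report which of the page's prerequisites hold on this host."""
    socks = list(listeners(ss_output))

    def exposed(port):
        # Exposed means bound to something other than loopback.
        return any(p == port and a not in LOOPBACK for a, p in socks)

    return {
        "version_in_range": VULN_MIN <= parse_version(version_text) <= VULN_MAX,
        "imaps_993_exposed": exposed(993),
        "memcached_11211_exposed": exposed(11211),
    }

if __name__ == "__main__":
    for check, result in audit(SAMPLE_VERSION, SAMPLE_SS).items():
        print(f"{check}: {result}")
```

A loopback-only memcached rules out only the direct-access path; the SSRF path described above targets `127.0.0.1`, so an in-range version still needs patching.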
