Unless you're doing something silly, like exposing the httpd ports (7780 and 7047, for convertd and aspell) publicly, this should affect about 0% of of zimbra installs. :) The only thing mod_php is used for is the spell check feature in ZWC.
Tony
From: "Pablo E Garaitonandia" <peg11@psu.edu>
To: "zimbra-hied-admins" <zimbra-hied-admins@sfu.ca>
Sent: Tuesday, September 6, 2016 1:37:13 PM
Subject: CVE's concerning mod_php on 8.7.0
Folks,
8.7.0 has some critical CVE's in regards to the php module installed. I have included all the info we found on a scan in this bug. Please vote if interested.
https://bugzilla.zimbra.com/show_bug.cgi?id=106580
Regards,
Pablo Garaitonandia
Penn State University