Zimbra Vulnerability Exploited

October 2, 2024

THE THREAT

A recently disclosed vulnerability impacting Zimbra mail servers is being actively exploited by attacker(s). On September 27th, Zimbra publicly disclosed CVE-2024-45519, a vulnerability in the postjournal service which can allow unauthenticated users to execute commands. Attackers have been observed adding base64 encoded commands into the CC field of emails, allowing them to execute commands or retrieve files from an attacker-controlled domain. 

According to a post by Proofpoint on October 1st, attackers began exploiting the vulnerability a day after disclosure. On the same day as the public disclosure, Project Discovery released a technical report providing details on the vulnerability, including Proof-of-Concept (PoC) exploit code. As stated in Project Discovery's report, successful exploitation can "lead to unauthorized access, privilege escalation, and potential compromise of the affected system's integrity and confidentiality," making immediate patching critical.

What we’re doing about it

What you should do about it

Additional information

According to Project Discovery's report, the issue stems from the postjournal library in Zimbra and is attributed to inadequate sanitization of user input. Attackers have been attempting to exploit the vulnerability by sending emails that spoof Gmail, addressed to "bogus" recipients in the CC field, in an attempt to have the Zimbra server parse and execute them as commands. The examples provided in Proofpoint's post on X show base64 strings in the CC field of an email which are executed with the sh utility.
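The observed pattern (a base64 string carried inside a CC address and later handed to sh) lends itself to a simple mail-side heuristic: decode any base64-looking run found in a CC header and flag it if the result reads like shell text. The detector below is an added example written for this advisory, not code from eSentire, Zimbra, Proofpoint or Project Discovery; it uses only the Python standard library and runs over two constructed messages, one benign and one whose CC entry decodes to the harmless string "echo test". The token list and the 12-character minimum run length are assumptions chosen for illustration and should be tuned against real traffic.

```python
import base64
import re
from email import message_from_string

# Constructed sample messages for the detector (not taken from the advisory).
BENIGN_MSG = """From: alice@example.com
To: bob@example.com
Cc: carol@example.com, dave@example.org
Subject: weekly report

Hello.
"""

# The CC local part below is base64 for the harmless string "echo test";
# it exists only to exercise the detector and is not an exploit payload.
SUSPICIOUS_MSG = """From: spoofed@gmail.com
To: bob@example.com
Cc: "ZWNobyB0ZXN0"@bogus.invalid
Subject: hi

Hello.
"""

# A base64 run long enough to carry a command (assumed threshold: 12 chars).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")

# Words and symbols whose presence in a decoded "address" strongly suggest
# the field is really a shell command (assumed list, tune per environment).
SHELL_WORDS = {"sh", "bash", "curl", "wget", "echo"}
SHELL_SYMBOLS = ("|", ";", "$(", "`")


def try_decode(blob):
    """Return decoded text if blob is valid base64 yielding printable ASCII, else None."""
    padded = blob + "=" * (-len(blob) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def looks_like_shell(text):
    """Heuristic: decoded text contains a shell utility name or a shell metacharacter."""
    words = set(re.split(r"\s+", text.strip()))
    return bool(words & SHELL_WORDS) or any(sym in text for sym in SHELL_SYMBOLS)


def suspicious_cc_entries(raw_message):
    """Return (cc_header_value, decoded_text) pairs for CC headers carrying
    a base64 run that decodes to shell-like text. Empty list means clean."""
    msg = message_from_string(raw_message)
    findings = []
    for header_value in msg.get_all("Cc", []):
        for blob in B64_RUN.findall(header_value):
            decoded = try_decode(blob)
            if decoded is not None and looks_like_shell(decoded):
                findings.append((header_value, decoded))
    return findings


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_MSG), ("suspicious", SUSPICIOUS_MSG)):
        print(label, suspicious_cc_entries(sample))
```

This is a triage aid, not a substitute for patching: it raises an alert for a mail gateway or log pipeline to act on, and a short legitimate local part that happens to decode to printable text is filtered by the shell-token check rather than by the base64 check alone.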

No CVSS score has been released for CVE-2024-45519 at the time of writing. Based on publicly available details, the eSentire Threat Intelligence team considers this vulnerability to be of critical severity.  

As the vulnerability is trivial to exploit, and PoC exploit code and technical details are publicly available, the eSentire Threat Intelligence team assesses with high confidence that attackers will continue to leverage the vulnerability. 

According to Zimbra’s security advisory, the vulnerability was fixed in versions 9.0.0 Patch 41, 10.0.9, 10.1.1, and 8.8.15 Patch 46.

References:

[1] https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
[2] https://blog.projectdiscovery.io/zimbra-remote-code-execution/
[3] https://x.com/threatinsight/status/1841089939905134793 