A critical vulnerability tracked as CVE-2024-45519 with a CVSS base score of 9.8, has been identified in Zimbra’s email servers, exposing the servers to remote code execution and full server compromise. Exploiting the vulnerability allows threat actors to drop and execute a webshell giving them complete access to the server. Afterward, they could download and execute files, and send emails that contain malicious code in the CC field, thus compromising a more extensive network.
The vulnerability affects Zimbra’s postjournal service, which processes inbound emails via SMTP. Hackers can exploit this vulnerability by embedding malicious code within the CC field of an email. When the Zimbra Postjournal service processes the email, it inadvertently executes the code, giving attackers control over the system. This vulnerability presents a high-risk vector for extensive network breaches.
HarfangLab researcher Ivan Kwiatkowski first discovered the problem and later cybersecurity company Proofpoint confirmed it. Proofpoint detected active exploitation of the vulnerability on September 28, 2024. This occurred just one day after Project Discovery released a proof-of-concept exploit code for the vulnerability.
Proofpoint detected one campaign using Gmail spoofing techniques, where attackers included Base64-encoded strings in the CC field. When the webshell is installed on the Zimbra server, it listens for an inbound connection, which includes a pre-defined JSESSIONID cookie field. Once the connection is detected, the webshell parses commands from the JACTION cookie, allowing the attacker to remotely control the server.
Zimbra has responded by issuing patches to address this critical vulnerability. The patched versions include:
- Zimbra 9.0.0 Patch 41 and later versions
- Zimbra 10.0.9 and 10.1.1
- Zimbra 8.8.15 Patch 46 and later versions
Organizations using Zimbra should immediately ensure their systems are updated to the latest patched versions. Even if the postjournal service is not enabled on your Zimbra server, applying the patch is crucial to prevent potential exploitation.
In addition to patching, Project Discovery researchers recommend disabling the postjournal service if it is not required. It’s also essential to verify that the Mynetworks configuration is properly set up to block unauthorized access, adding another layer of protection.
Given the severity and active exploitation of the vulnerability, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2024-45519 in its Known Exploited Vulnerability (KEV) Catalog. The mass exploitation makes patching systems an immediate action for organizations. By patching the vulnerability and following recommended security practices as is also required by HIPAA law, organizations can mitigate the risk of an attack and protect their systems from further exploitation.