
Patch This Critical, Exploited Zimbra Bug (CVE-2024-45519)

Why It Matters: After a critical remote code execution bug in Zimbra mail servers (CVE-2024-45519) was disclosed, security researchers reported that exploitation attempts have started.

The Big Picture: The vulnerability exists in the postjournal service and stems from a lack of sanitization of user input, enabling unauthenticated users to potentially execute commands. Zimbra first disclosed the flaw and released fixes last week. Researchers with ProjectDiscovery released an analysis of the flaw containing a proof-of-concept exploit on Sept. 27. This week, researchers confirmed that exploitation attempts started on Sept. 28.

Key Details:

  • An update for the vulnerability is available in versions 9.0.0 Patch 41, 10.0.9, 10.1.1 and 8.8.15 Patch 46.

  • Exploitation attempts observed by Proofpoint researchers used emails sent to fake addresses in the CC field, “in an attempt for Zimbra servers to parse and execute them as commands.”

  • Proofpoint researchers said the threat actors behind the exploit attempts have been trying to plant a webshell on vulnerable Zimbra servers which, once installed, supports command execution.

Vendor Response: Zimbra has released few further details about the vulnerability at this point. The company’s security bulletin lists the patched releases.

What To Do: Given the vulnerability is critical and under active exploitation (and that Zimbra flaws have previously been targeted by threat actors), users should apply the updates as soon as possible. ProjectDiscovery researchers are also urging users to confirm that the postjournal service is disabled if not required, and to make sure that the mynetworks parameter is correctly configured to block unauthorized access.
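As an added example (not part of the original post, ProjectDiscovery’s analysis or Zimbra’s bulletin), the following Python script audits a Postfix mynetworks value for the over-broad entries the guidance above warns about. It assumes the value was captured with `postconf -h mynetworks` on the Zimbra MTA host and that the TRUSTED list is narrowed to the site’s real relay subnets; the postjournal service state is not checked here.

```python
import ipaddress

# Ranges a Zimbra MTA could reasonably list as trusted. This list is an
# assumption for the example (loopback, RFC 1918 and IPv6 ULA space);
# replace it with the site's actual relay subnets before use.
TRUSTED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "fc00::/7")]


def audit_mynetworks(value):
    """Audit a Postfix mynetworks value (the text printed by `postconf -h mynetworks`).

    Returns {"risky": [...], "unparsed": [...]}. Risky entries are address or
    CIDR literals not fully contained in a trusted range, such as a /0
    catch-all or a public prefix. Unparsed entries are lookup tables or other
    non-literal forms that need manual review.
    """
    risky, unparsed = [], []
    # Postfix accepts comma- or whitespace-separated entries; IPv6 entries are
    # written as [addr]/len, so the brackets are stripped before parsing.
    for tok in value.replace(",", " ").split():
        literal = tok.replace("[", "").replace("]", "")
        try:
            net = ipaddress.ip_network(literal, strict=False)
        except ValueError:
            unparsed.append(tok)
            continue
        if not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED):
            risky.append(str(net))
    return {"risky": risky, "unparsed": unparsed}


# Constructed sample values, not taken from any real server.
SAFE = "127.0.0.0/8 [::1]/128 10.20.0.0/16"
RISKY = "127.0.0.0/8, 0.0.0.0/0, 198.51.100.0/24, hash:/etc/postfix/relay_nets"

if __name__ == "__main__":
    for label, value in (("safe", SAFE), ("risky", RISKY)):
        print(label, audit_mynetworks(value))
```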

Further Reading: