Attack

Active attacks on a zero day flaw in Zimbra postjournal service, patch now

Take action: If you are running a Zimbra mail server, it is time to patch IMMEDIATELY. The attacks are ongoing and are quite trivial to execute - all the attackers have to do is send an email. The server will automatically parse it and be compromised.


Learn More

A critical remote code execution (RCE) vulnerability affecting Zimbra's SMTP server is being actively exploited by attackers.

The flaw, tracked as CVE-2024-45519 (CVSS score 9.8), exists in Zimbra’s postjournal service component, which is responsible for email journaling and archiving. The vulnerability allows an unauthenticated remote attacker to execute arbitrary commands on vulnerable Zimbra instances, potentially leading to full system compromise. The flaw results from improper input sanitization, enabling attackers to inject arbitrary commands through crafted email inputs.

Attacks began on September 28, 2024. According to Proofpoint, attackers initiated campaigns targeting Zimbra servers by sending spoofed emails designed to exploit the flaw.

The attackers send emails that appear to be from Gmail, embedding base64-encoded malicious code in the CC field. This code is processed by Zimbra, allowing attackers to execute it as shell commands. The goal is often to install Web shells on compromised servers.

The installed Web shell enables remote access via HTTP requests, allowing attackers to execute arbitrary commands, modify files, access sensitive data, and download or run additional malicious payloads. The Web shell listens for incoming requests using a JSESSIONID cookie and parses commands from a JACTION cookie.
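As an added defender-side example (not code from this article or from Zimbra), the following Python script turns the two indicators described above into checks: it decodes base64-looking tokens in a message's CC header and reports any that decode to shell syntax, and it flags HTTP requests whose Cookie header carries a JACTION cookie. The access-log layout, the token pattern and the shell-syntax list are assumptions, and the samples are constructed.

```python
import base64
import re
import string
from email import message_from_string
from http.cookies import SimpleCookie

# Heuristics (assumptions): what a base64 token looks like, and substrings
# that suggest a decoded value is meant to be run by a shell.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
SHELL_HINTS = (";", "|", "$(", "`", "/bin/", "curl ", "wget ", " sh ", "bash")
PRINTABLE = set(string.printable)


def decoded_shell_strings(header_value):
    """Decode each base64-looking token; keep those that are printable text
    containing shell syntax. Invalid base64 and non-ASCII output are skipped."""
    hits = []
    for token in B64_TOKEN.findall(header_value):
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if set(text) <= PRINTABLE and any(h in text for h in SHELL_HINTS):
            hits.append(text)
    return hits


def scan_message(raw):
    """Return shell-like decoded strings found in the CC header(s) of a message."""
    msg = message_from_string(raw)
    return [s for cc in msg.get_all("CC", []) for s in decoded_shell_strings(cc)]


def scan_access_log(lines):
    """Return (client, request) pairs whose cookies include JACTION.
    Assumed log layout per line: client "request" "cookie-header"."""
    pattern = re.compile(r'^(\S+) "([^"]*)" "([^"]*)"$')
    flagged = []
    for line in lines:
        m = pattern.match(line)
        if not m:
            continue
        jar = SimpleCookie()
        jar.load(m.group(3))  # JACTION is not a cookie Zimbra itself sets (assumption)
        if "JACTION" in jar:
            flagged.append((m.group(1), m.group(2)))
    return flagged


# Constructed samples: the CC token decodes to the harmless "uname -a; id".
SAMPLE_MESSAGE = (
    "From: sender@gmail.com\r\nTo: user@mail.example.com\r\n"
    'CC: "%s"@mail.example.com\r\nSubject: test\r\n\r\nbody\r\n'
    % base64.b64encode(b"uname -a; id").decode()
)
SAMPLE_LOG = [
    '203.0.113.9 "GET /zimbra/ HTTP/1.1" "JSESSIONID=abc123"',
    '203.0.113.9 "POST /zimbra/ HTTP/1.1" "JSESSIONID=abc123; JACTION=aWQ="',
]
```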

The attacks were observed originating from 79.124.49[.]86, a server in Bulgaria. Both the exploit emails and the second-stage payload are being handled by the same server, indicating a relatively unsophisticated attack setup.

A proof-of-concept (PoC) was released by Project Discovery on September 27, 2024.

Zimbra quickly issued patches that address the input sanitization issue. The update neutralizes the vulnerability by preventing the command injection.

Researchers and Zimbra urge administrators to immediately apply the latest patches. Failure to do so exposes systems to mass exploitation, which has already begun.