Advisory ID: ngCERT-2025-010008
SUMMARY
ngCERT is aware of a critical Remote Code Execution (RCE) vulnerability in Zimbra Collaboration Suite (ZCS), a widely used email and collaboration platform. The flaw, tracked as CVE-2024-45519, allows unauthenticated attackers to execute arbitrary commands on affected Zimbra installations. Successful exploitation could result in system compromise, data theft and malware infiltration, among other malicious activities. Accordingly, users and system administrators are advised to take proactive steps to safeguard their systems against exploitation by threat actors.
CVE: CVE-2024-45519
Probability: High
Damage: Critical
Platform(s): Zimbra Collaboration Suite
DESCRIPTION
The Zimbra remote code execution flaw exists in Zimbra's postjournal service, which is used to parse incoming emails received over SMTP. Threat actors exploit this weakness by sending specially crafted emails whose carbon copy (CC) field carries commands that are executed when the postjournal service processes the message. These emails contain base64-encoded strings that are executed via the 'sh' shell to build and drop a webshell on the Zimbra server. Once the webshell is installed, it listens for inbound connections containing a specific JSESSIONID cookie field. If the correct cookie is detected, the webshell parses another cookie (JACTION) that contains base64-encoded commands to execute. The webshell also supports downloading and executing files on the compromised server. Once installed, the webshell offers full access to the compromised Zimbra server for data theft or for further spread into the internal network. Affected products and versions include ZCS versions before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1.
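The webshell behaviour described above gives defenders a concrete indicator: JSESSIONID is a normal session cookie on a Zimbra web tier, but a JACTION cookie has no legitimate use and, when present, carries a base64-encoded payload. The following is an added example (not code from ngCERT or from Zimbra) showing how an analyst could sweep web-tier request records for that cookie. The record format ("METHOD PATH | Cookie: ...") and the sample lines are constructed for this example; adapt the splitting logic to the field layout of your own access-log export.

```python
import base64
import binascii

# Constructed sample request records (not real captured traffic). Each record is
# an assumed "METHOD PATH | Cookie: <Cookie header>" layout, as a log exporter
# that preserves the Cookie header might emit. The second record carries a
# JACTION cookie whose value is base64 for the harmless string "echo hello";
# the third carries a JACTION cookie that is not valid base64.
SAMPLE_REQUESTS = [
    "GET /service/soap | Cookie: ZM_AUTH_TOKEN=abc; JSESSIONID=node01abc.node0",
    "POST /zimbraAdmin/ | Cookie: JSESSIONID=8F2A.node0; JACTION=ZWNobyBoZWxsbw==",
    "GET /mail | Cookie: JSESSIONID=node02xyz; JACTION=not-base64!",
]

# Cookie name the advisory associates with the post-exploitation webshell.
# JSESSIONID alone is not a signal (it is the standard Jetty session cookie).
SUSPECT_COOKIE = "JACTION"


def parse_cookies(cookie_header: str) -> dict:
    """Parse a Cookie header value into a name -> value mapping."""
    cookies = {}
    for part in cookie_header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def decode_b64(value: str):
    """Strict base64 decode; return decoded text, or None if not base64."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def scan_request(line: str):
    """Return a finding for a record carrying a JACTION cookie, else None."""
    if "| Cookie:" not in line:
        return None
    request, cookie_header = line.split("| Cookie:", 1)
    cookies = parse_cookies(cookie_header)
    if SUSPECT_COOKIE not in cookies:
        return None
    return {
        "request": request.strip(),
        # The advisory says the webshell keys on a JSESSIONID first, so its
        # presence alongside JACTION is worth recording for the analyst.
        "has_session_cookie": "JSESSIONID" in cookies,
        # Decoded content is reported for triage; it is never executed here.
        "jaction_decoded": decode_b64(cookies[SUSPECT_COOKIE]),
    }


def scan(lines):
    """Scan many records and keep only the ones that produced a finding."""
    return [f for f in map(scan_request, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

A JACTION cookie whose value does not decode is still reported: the cookie name is the indicator, and an undecodable value simply means the payload encoding differs from the one described. Hosts producing such records should be treated as potentially compromised and examined for the dropped webshell rather than only blocked at the proxy.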
CONSEQUENCES
Successful exploitation of the vulnerability could lead to:
1. Compromise of the entire system.
2. Exfiltration of data.
3. Ransomware infiltration leading to potential financial loss.
4. Service disruption leading to potential Denial of Service (DoS).
SOLUTION/MITIGATION
The following are recommended:
1. Administrators should verify that postjournal is disabled if not required.
2. Ensure that mynetworks is correctly configured to prevent unauthorized access.
3. Apply the latest security updates provided by Zimbra.
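Mitigation steps 2 and 3 above, together with the affected-version list in the DESCRIPTION, can be turned into a quick self-check. The following is an added example (not code from ngCERT or from Zimbra): it compares a parsed ZCS release against the fixed releases named in this advisory and reviews a Postfix-style mynetworks value for entries that trust too much. The release-string layout ("Release X.Y.Z_GA_... , Patch X.Y.Z_Pnn") and the sample mynetworks value are constructed assumptions; confirm the regular expressions against what your own installation prints before relying on the result.

```python
import ipaddress
import re
from typing import Tuple

# Fixed releases exactly as listed in the advisory, as
# (major, minor, micro, patch_level); a patch level of 0 means "GA or later".
FIXED_RELEASES = [
    (8, 8, 15, 46),   # 8.8.15 Patch 46
    (9, 0, 0, 41),    # 9.0.0 Patch 41
    (10, 0, 9, 0),    # 10.0.9
    (10, 1, 1, 0),    # 10.1.1
]

# Assumed release-string layout (constructed for this example).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
PATCH_RE = re.compile(r"Patch\s+\d+\.\d+\.\d+_P(\d+)")

# Constructed sample mynetworks value; 0.0.0.0/0 is deliberately wrong.
SAMPLE_MYNETWORKS = "127.0.0.0/8, [::1]/128, 10.0.0.0/8, 0.0.0.0/0"


def parse_release(text: str) -> Tuple[int, int, int, int]:
    """Extract (major, minor, micro, patch_level) from a release string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no X.Y.Z version found in release string")
    major, minor, micro = (int(x) for x in m.groups())
    p = PATCH_RE.search(text)
    patch = int(p.group(1)) if p else 0
    return (major, minor, micro, patch)


def is_fixed(release: Tuple[int, int, int, int]) -> bool:
    """True if the release is at or past the advisory's fix on its branch."""
    major, minor, micro, patch = release
    for fmaj, fmin, fmic, fpatch in FIXED_RELEASES:
        if (major, minor) == (fmaj, fmin):
            return (micro, patch) >= (fmic, fpatch)
    # Branches older than every listed fix (e.g. 8.7) are "before 8.8.15
    # Patch 46" and so affected; branches newer than every listed fix fall
    # outside the advisory's affected ranges.
    return (major, minor) > max((f[0], f[1]) for f in FIXED_RELEASES)


def review_mynetworks(value: str):
    """Return (entry, reason) pairs for mynetworks entries that need attention."""
    findings = []
    for entry in re.split(r"[,\s]+", value.strip()):
        if not entry:
            continue
        # Postfix writes IPv6 entries in brackets, e.g. [::1]/128.
        candidate = entry.replace("[", "").replace("]", "")
        try:
            net = ipaddress.ip_network(candidate, strict=False)
        except ValueError:
            findings.append((entry, "not an IP or CIDR; review manually"))
            continue
        if net.prefixlen == 0:
            findings.append((entry, "matches every address: any host is trusted"))
        elif net.is_global:
            findings.append((entry, "public range trusted; confirm it is your own relay"))
    return findings


def assess(release_text: str, mynetworks: str) -> dict:
    """Combine both checks into one report for an administrator."""
    release = parse_release(release_text)
    return {
        "release": release,
        "patched": is_fixed(release),
        "mynetworks_findings": review_mynetworks(mynetworks),
    }


if __name__ == "__main__":
    # Constructed sample release string in the assumed layout.
    sample = "Release 10.0.8_GA_4637.RHEL8_64_20240506145433 RHEL8_64 FOSS edition"
    print(assess(sample, SAMPLE_MYNETWORKS))
```

The version check answers only "is this release at or past the fix this advisory names"; it does not replace applying the vendor's current patches, and step 1 (confirming postjournal is disabled where it is not needed) still has to be verified on the host itself.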
REFERENCES
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
- https://blog.zimbra.com/2025/01/new-patch-for-zimbra-classic-web-client-vulnerability-stay-secure-by-updating/
- https://www.bleepingcomputer.com/news/security/critical-zimbra-rce-flaw-exploited-to-backdoor-servers-using-emails/
- https://projectdiscovery.io/blog/zimbra-remote-code-execution