Saturday March 29, 2025

Advisory ID:  ngCERT-2025-010008

SUMMARY

ngCERT is aware of a critical Remote Code Execution (RCE) vulnerability in Zimbra Collaboration Suite (ZCS), a widely used email and collaboration platform. The flaw, tracked as CVE-2024-45519, allows unauthenticated attackers to execute arbitrary commands on affected Zimbra installations. Successful exploitation could result in system compromise, data theft, and malware infiltration, among other malicious activities. Accordingly, users and system administrators are advised to take proactive steps to safeguard their systems against exploitation by threat actors.

CVE:              CVE-2024-45519

Probability:    High

Damage:        Critical

Platform(s):   Zimbra Collaboration Suite

DESCRIPTION

The Zimbra remote code execution flaw exists in Zimbra's postjournal service, which is used to parse incoming emails over SMTP. Threat actors exploit this weakness by sending specially crafted emails that carry commands in the carbon copy (CC) field; the commands are executed when the postjournal service processes the email. These emails contain base64-encoded strings that are executed via the 'sh' shell to build and drop a webshell on the Zimbra server. Once the webshell is installed, it listens for inbound connections containing a specific JSESSIONID cookie value. If the correct cookie is detected, the webshell parses another cookie (JACTION) that contains base64-encoded commands to execute. The webshell also supports downloading and executing files on the compromised server. Once installed, the webshell offers full access to the compromised Zimbra server for data theft or for further spread into the internal network. Affected versions include ZCS versions before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1.
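The cookie-based control channel described above gives defenders a concrete thing to hunt for in web request logs: requests that carry a JACTION cookie (optionally alongside JSESSIONID) whose value decodes as base64. The following is an added triage example written for this advisory, not code from ngCERT or Zimbra; the request records are constructed samples in an assumed shape (source address, path, raw Cookie header), since Zimbra's default access log does not record cookies and a custom log format or proxy capture would be needed to supply them.

```python
import base64
import binascii
from typing import Dict, List, Optional

# Constructed sample request records (not real Zimbra logs). The record shape
# is an assumption: a custom access-log format or reverse-proxy capture that
# preserves the raw Cookie header would be needed to feed this in practice.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "path": "/zimbra/",
     "cookie": "ZM_TEST=true; JSESSIONID=abc123"},
    {"src": "198.51.100.7", "path": "/hypothetical/dropped.jsp",
     "cookie": "JSESSIONID=deadbeef; JACTION="
               + base64.b64encode(b"echo constructed-sample").decode()},
    {"src": "192.0.2.5", "path": "/", "cookie": ""},
]


def parse_cookies(header: str) -> Dict[str, str]:
    """Split a raw Cookie header into a name -> value map."""
    jar: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            jar[name.strip()] = value.strip()
    return jar


def decode_b64(value: str) -> Optional[str]:
    """Return the decoded text if value is strict base64 text, else None."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def triage(requests: List[dict]) -> List[dict]:
    """Flag requests carrying a JACTION cookie; decode its value for the responder.

    A JACTION cookie has no legitimate role in ZCS, so any hit deserves a look.
    The decoded value is returned for analysis only, never executed.
    """
    findings = []
    for req in requests:
        jar = parse_cookies(req.get("cookie", ""))
        if "JACTION" not in jar:
            continue
        findings.append({
            "src": req["src"],
            "path": req["path"],
            "has_jsessionid": "JSESSIONID" in jar,
            "decoded_jaction": decode_b64(jar["JACTION"]),
        })
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_REQUESTS):
        print(hit)
```

Decoding is done with `validate=True` so that ordinary opaque cookie values are not mistaken for encoded commands; a hit with a non-decodable JACTION value is still reported, because the cookie name alone is anomalous on a Zimbra host.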

CONSEQUENCES

Successful exploitation of the vulnerability could lead to:

1. Compromise of the entire system.

2. Exfiltration of data.

3. Ransomware infiltration leading to potential financial loss.

4. Service disruption leading to potential Denial of Service (DoS).

SOLUTION/MITIGATION

The following are recommended:

1. Administrators should verify that postjournal is disabled if not required.

2. Ensure that mynetworks is correctly configured to prevent unauthorized access.

3. Apply the latest security updates provided by Zimbra.
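Recommendation 3 is easiest to act on fleet-wide when the installed release can be compared automatically against the fixed levels the advisory lists (8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, 10.1.1). The script below is an added example for this advisory, not a tool from ngCERT or Zimbra; it assumes that `zmcontrol -v` output has the shape "Release X.Y.Z..." with an optional "Patch X.Y.Z_PNN" suffix, and the sample outputs are constructed to match that assumed shape.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed levels taken from the advisory text.
FIXED_PATCH = {(8, 8, 15): 46, (9, 0, 0): 41}   # patch-numbered release lines
FIXED_VERSION = {(10, 0): (10, 0, 9), (10, 1): (10, 1, 1)}  # 10.x release lines

# Assumed output shape of `zmcontrol -v`, e.g.
# "Release 9.0.0_GA_4000.RHEL8_64_20210225162407 RHEL8_64 NETWORK edition, Patch 9.0.0_P41."
VERSION_RE = re.compile(r"Release\s+(\d+)\.(\d+)\.(\d+)")
PATCH_RE = re.compile(r"Patch\s+\d+\.\d+\.\d+_P(\d+)")


def parse_zmcontrol(output: str) -> Tuple[Version, Optional[int]]:
    """Extract (major, minor, micro) and the patch number, if any."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Release X.Y.Z' found in zmcontrol output")
    version = tuple(int(x) for x in m.groups())
    p = PATCH_RE.search(output)
    return version, (int(p.group(1)) if p else None)


def is_vulnerable(version: Version, patch: Optional[int]) -> Optional[bool]:
    """True if below the fixed level, False if at/above it, None if the
    release line is not covered by the advisory's list."""
    major, minor, _ = version
    if major == 8:
        if version < (8, 8, 15):
            return True            # older than the patched 8.8.15 line
        return patch is None or patch < FIXED_PATCH[(8, 8, 15)]
    if version == (9, 0, 0):
        return patch is None or patch < FIXED_PATCH[(9, 0, 0)]
    if (major, minor) in FIXED_VERSION:
        return version < FIXED_VERSION[(major, minor)]
    return None


def assess(output: str) -> Optional[bool]:
    """Convenience wrapper: zmcontrol text in, vulnerability verdict out."""
    return is_vulnerable(*parse_zmcontrol(output))


# Constructed sample outputs (assumed shape, not captured from real hosts).
SAMPLES = {
    "old_8": "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P45.",
    "ok_9": "Release 9.0.0_GA_4000.RHEL8_64_20210225162407 RHEL8_64 NETWORK edition, Patch 9.0.0_P41.",
    "old_10": "Release 10.0.8_GA_4000.UBUNTU22_64_20240101 UBUNTU22_64 NETWORK edition.",
    "ok_101": "Release 10.1.1_GA_4000.UBUNTU22_64_20240901 UBUNTU22_64 NETWORK edition.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", assess(text))
```

A `None` verdict (for example a release line the advisory does not enumerate) should be treated as "check manually", not as patched; an 8.8.15 or 9.0.0 host with no patch marker at all is reported as vulnerable because it cannot have reached the required patch level.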


REFERENCES