
Zimbra SMTP vulnerability is being exploited in numbers

The flaw can be exploited by sending an email with a specially crafted CC field.

A remote code execution vulnerability in Zimbra’s SMTP (email) server is reportedly under mass exploitation.

The vulnerability at hand is CVE-2024-45519, which is described by Zimbra as a “security vulnerability in the postjournal service which may allow unauthenticated users to execute commands.”

The critical issue was addressed by Zimbra in versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1, which were released on September 4, 2024. Zimbra notes that unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible.

Even if you aren’t using the postjournal feature, you still need to apply the patch, because the flaw can theoretically still be exploited.

While Zimbra hasn’t disclosed any details about the vulnerability, researchers have discovered that cybercriminals are exploiting it by sending emails with specially crafted CC fields. It seems that vulnerable servers directly incorporate the CC contents into command strings, which are then executed by the postjournal service.

The patch sanitizes the input, so this trick no longer works.

Researchers have also discovered that some attackers have used this flaw to write a web shell on a vulnerable Zimbra server at the location: /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp

A web shell is a malicious script used by an attacker with the intent to escalate and maintain persistent access to an already compromised web application. The web shell planted by the attackers listened for instructions from its operators, was equipped to support command execution, and was also capable of downloading and executing files over a socket connection.
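As an added illustration (not code from the article or from Zimbra), the following Python checks for the two indicators described above: inbound Cc headers carrying shell metacharacters, and the presence of the reported web shell file. The sample messages are constructed, and /opt/zimbra as the default install root is an assumption.

```python
import os
import re
from email import message_from_string
from email.policy import default

# Characters a shell would interpret if a header value were spliced into a
# command line; tune to your environment ('&' appears in some display names).
SHELL_META = re.compile(r"[;&|`$<>(){}\\\r\n]")
# Web shell location reported in the article, relative to the Zimbra install root.
WEBSHELL_REL_PATH = "jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp"


def suspicious_cc_values(raw_message: str) -> list[str]:
    """Return Cc display names or addresses that contain shell metacharacters."""
    msg = message_from_string(raw_message, policy=default)
    cc_header = msg["Cc"]
    if cc_header is None:
        return []
    findings = []
    for addr in cc_header.addresses:
        for part in (addr.display_name, addr.addr_spec):
            if part and SHELL_META.search(part):
                findings.append(part)
    return findings


def webshell_present(zimbra_root: str = "/opt/zimbra") -> bool:
    """True if the reported web shell file exists under the given install root
    (/opt/zimbra is an assumed default; pass a mounted image's path instead)."""
    return os.path.isfile(os.path.join(zimbra_root, WEBSHELL_REL_PATH))


# Constructed sample messages (not from the article): one ordinary, one whose
# Cc entries carry a ';' and backticks in the local part.
BENIGN_MSG = (
    "From: alice@example.com\nTo: bob@example.com\n"
    "Cc: carol@example.com, Dan Example <dan@example.com>\n"
    "Subject: status\n\nhello\n"
)
SUSPECT_MSG = (
    "From: alice@example.com\nTo: bob@example.com\n"
    'Cc: "x;y"@example.com, `z`@example.com\n'
    "Subject: status\n\nhello\n"
)

if __name__ == "__main__":
    print("benign :", suspicious_cc_values(BENIGN_MSG))
    print("suspect:", suspicious_cc_values(SUSPECT_MSG))
    print("web shell present:", webshell_present())
```

A hit from the header check is an alert, not proof of compromise; a hit from the file check on a production host should be treated as one.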

Successful exploitation can lead to unauthorized access, privilege escalation, and potential compromise of the affected system’s integrity and confidentiality.

As is so often the case, it appears the flaw was not widely known before the patch came out, and it was the release of fixes in early September that alerted criminals to the vulnerability’s existence. To demonstrate the alertness of criminals to this kind of opportunity, take a look at this timeline of events:

  • Patch issued September 4, 2024.
  • Reverse engineering details published September 27, 2024.
  • Start of mass exploitation September 28, 2024.

Mitigation

To avoid falling victim to this vulnerability, Zimbra administrators should: