Cybersecurity researchers are warning about attempts to exploit a newly disclosed security flaw in Synacor’s Zimbra Collaboration. Proofpoint has observed this activity starting on September 28, 2024. The attacks target CVE-2024-45519, a severe security flaw in Zimbra’s postjournal service that could allow unauthenticated attackers to execute arbitrary commands on affected installations.
The emails spoof Gmail addresses in the hope that vulnerable Zimbra servers will parse the crafted addresses and execute them as commands. The addresses contained Base64 strings that are decoded and executed with the sh utility.
Zimbra has addressed the critical issue in versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1 released on September 4, 2024. A security researcher named lebr0nli (Alan Li) discovered and reported the flaw.
It is important to apply the patch to prevent potential exploitation, even though the postjournal feature is not enabled on most systems. Where the patch cannot be applied immediately, removing the postjournal binary can serve as a temporary mitigation.
Proofpoint has identified a series of CC’d addresses attempting to write a web shell on vulnerable Zimbra servers. The web shell looks for inbound connections with a specific JSESSIONID Cookie field and can execute commands via exec or download and execute files over a socket connection.
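The two observations above, crafted addresses whose local part carries a Base64 blob handed to sh and CC’d addresses used to deliver the payload, can be turned into a simple mail-gateway check. The script below is an added example, not code from the article or from Proofpoint or Zimbra; the addresses it scans are constructed samples, the heuristics are assumptions about what a hostile local part looks like, and a hit is a signal to investigate rather than proof of exploitation.

```python
import re

# Characters that let a string break out into shell syntax. A few of these
# are technically legal in an RFC 5322 local part, so hits are suspicious,
# not conclusive (assumption: real mailboxes almost never use them).
SHELL_META = re.compile(r'[`$|;&<>(){}]')
# Tokens suggesting an encoded command being decoded and run.
EXEC_TOKENS = re.compile(r'base64|\bsh\b|\bbash\b|/bin/|/tmp/', re.IGNORECASE)
# Quoted local parts containing whitespace are rare outside injection attempts.
QUOTED_WITH_SPACE = re.compile(r'^".*\s.*"$')


def analyse_recipient(addr):
    """Return the reasons an envelope/CC address looks like an injection
    attempt; an empty list means it looks like an ordinary mailbox."""
    local, sep, domain = addr.rpartition('@')
    if not sep:
        return ['no @ in address']
    reasons = []
    if SHELL_META.search(local):
        reasons.append('shell metacharacters in local part')
    if EXEC_TOKENS.search(local):
        reasons.append('shell/encoding tokens in local part')
    if QUOTED_WITH_SPACE.match(local):
        reasons.append('quoted local part containing whitespace')
    if reasons and domain.lower() == 'gmail.com':
        # The observed campaign spoofed Gmail addresses; a hostile local
        # part on a well-known consumer domain is a strong signal.
        reasons.append('hostile local part on spoofed gmail.com domain')
    return reasons


def scan_recipients(addrs):
    """Map each suspicious address to its reasons; clean ones are dropped."""
    return {a: r for a in addrs if (r := analyse_recipient(a))}


if __name__ == '__main__':
    # Constructed sample envelope: one legitimate recipient and one whose
    # quoted local part carries a Base64 blob (decodes to a harmless
    # marker string) piped into a decoder.
    sample = [
        'alice@gmail.com',
        '"bob$(echo Y29uc3RydWN0ZWQtc2FtcGxl|base64 -d)"@gmail.com',
    ]
    for addr, reasons in scan_recipients(sample).items():
        print(addr, '->', '; '.join(reasons))
```

Run it against the RCPT TO and CC values recorded by the MTA in front of Zimbra; any address that triggers the metacharacter or token rules is worth pulling the full message for.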
The attacks do not have a known attribution yet. To protect against these threats, users are advised to apply the latest patches as soon as possible.