19.6K+ Public Zimbra Installations Vulnerable to Code Execution Attacks – CVE-2024-45519

A critical vulnerability in Zimbra’s postjournal service, identified as CVE-2024-45519, has left over 19,600 public Zimbra installations exposed to remote code execution attacks.

This vulnerability, with a CVSS score of 9.8, allows unauthenticated attackers to execute arbitrary commands on affected Zimbra installations, posing a significant threat to the security and integrity of these systems.

Scans conducted on October 6, 2024, revealed a widespread presence of unpatched Zimbra instances across the globe.

The top three countries with the highest number of vulnerable installations are Germany (1.6K), the United States (1.6K), and Russia (1.5K).

This widespread vulnerability underscores the urgent need for Zimbra administrators to apply the latest security patches.

CVE-2024-45519 is an OS command injection vulnerability in Zimbra’s postjournal service, which is used for recording email communications.

The flaw arises from improper input validation in the read_maps function, where user input is directly passed to the popen function without adequate sanitization. This allows attackers to inject arbitrary commands, which are then executed by the server.
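The bug class described above, shown as an added illustrative example in Python rather than the C of Zimbra's postjournal (this is not Zimbra's code): `popen()` hands its string to `/bin/sh`, so any shell syntax inside an unvalidated value is executed. The hardened form checks the value against an allowlist and passes an argument vector that no shell parses. The helper name `lookup-helper`, the function names and the allowlist are assumptions chosen for the example; the builders return commands for inspection and execute nothing.

```python
import re
import subprocess

# Allowlist for an address-like lookup key: letters, digits and a few
# punctuation characters that never mean anything to /bin/sh. (Example's own
# choice; tighten to what the real input is allowed to contain.)
_SAFE_KEY = re.compile(r"[A-Za-z0-9._+@-]{1,254}")


def build_command_unsafe(lookup_key: str) -> str:
    """Vulnerable pattern (the popen()/shell=True shape): the untrusted value is
    spliced into a command line that a shell will parse. A ';', '|' or '$(...)'
    inside lookup_key therefore becomes a second command. Returned, not run."""
    return f"lookup-helper -q {lookup_key}"  # 'lookup-helper' is hypothetical


def is_safe_key(lookup_key: str) -> bool:
    """True only if every character is on the allowlist."""
    return _SAFE_KEY.fullmatch(lookup_key) is not None


def build_command_safe(lookup_key: str) -> list[str]:
    """Hardened pattern: reject anything outside the allowlist, then build an
    argument vector. With a list and shell=False the value reaches the helper
    as a single argv element; no shell ever interprets it."""
    if not is_safe_key(lookup_key):
        raise ValueError("lookup key contains characters outside the allowlist")
    return ["lookup-helper", "-q", lookup_key]


def run_lookup(lookup_key: str) -> subprocess.CompletedProcess:
    """How the hardened command would be invoked (execvp-style, no shell).
    Needs a real 'lookup-helper' binary on PATH, so it is not called below."""
    return subprocess.run(build_command_safe(lookup_key), shell=False,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    benign = "user@example.invalid"
    injected = "user@example.invalid; id"   # constructed: a benign extra command
    print("unsafe:", build_command_unsafe(injected))   # '; id' survives intact
    print("safe:  ", build_command_safe(benign))
    try:
        build_command_safe(injected)
    except ValueError as exc:
        print("safe:   rejected ->", exc)
```

The point of the comparison is that validation alone is not the fix: even a permissive allowlist is harmless once the value travels as an argv element, and the allowlist is a second layer in case the helper itself has parsing quirks.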

Reports of active exploitation have surfaced, with attackers sending emails that spoof Gmail addresses and contain base64-encoded strings in the CC fields.

These strings, once decoded, are executed as commands by vulnerable Zimbra servers, leading to the installation of webshells that provide persistent backdoor access to compromised systems.

Mitigations

To mitigate this threat, Zimbra administrators are strongly advised to apply the latest security patches provided by Zimbra.

Versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1 have been released to address this vulnerability.

Additionally, administrators should ensure that the postjournal service is disabled if not required and the mynetworks parameter is correctly configured to prevent unauthorized access.

The critical nature of CVE-2024-45519 and its active exploitation highlight the importance of timely patch application and robust security measures.

Zimbra administrators must act swiftly to secure their systems and prevent severe breaches.

Key Recommendations:

  • Patch Immediately: Apply the latest security patches provided by Zimbra.
  • Disable Postjournal: If not required, disable the postjournal service.
  • Configure Mynetworks: Ensure the mynetworks parameter is correctly configured to prevent unauthorized access.
  • Stay Informed: Regularly check for and apply security updates to maintain system security.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
