A critical remote code execution vulnerability in Zimbra’s SMTP server has become the target of active cyber attackers, underscoring the need for affected organizations to patch vulnerable instances immediately. The vulnerability, known as CVE-2024-45519, affects the Zimbra postjournal service component used for email journaling and archiving. It enables an unauthenticated remote attacker to run arbitrary commands on a vulnerable system and take control of it. Zimbra released updates for affected versions last week without disclosing specific details about the flaw.
According to reports from Proofpoint researchers, attacks exploiting this vulnerability commenced on September 28 and have been ongoing. The cybercriminals behind these attacks are sending spoofed emails that appear to originate from Gmail to vulnerable Zimbra servers. These emails contain base64-encoded malicious code in the CC field instead of valid email addresses. The code is designed to deceive Zimbra into executing it as shell commands rather than processing it as regular email content, giving the threat actors command execution on the compromised Zimbra servers.
Proofpoint elaborated that some emails from the malicious sender included a list of CC’d addresses to construct a Web shell on a susceptible Zimbra server. Once established, this Web shell grants remote access to the server through specially crafted HTTP requests, enabling attackers to alter files, access sensitive data, and execute additional arbitrary commands. The cyber threat actors can utilize the Web shell to download and execute malicious code on a compromised system, establishing a backdoor for further malicious activities.
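As an added defender-side illustration, not code from the article, Proofpoint or Zimbra: a Python triage check that flags To/Cc/Bcc entries which are not plain mail addresses, contain shell metacharacters, or carry base64-like runs, which is the recipient-field pattern Proofpoint describes above. The sample message, the regexes and the 16-character base64 threshold are constructed assumptions, and the check is a log or quarantine triage aid, not a substitute for applying the patch.

```python
import re
from email import message_from_string

# Deliberately stricter than RFC 5322 atext: $ | { } ( ) are legal there but almost never seen in real addresses.
PLAIN_ADDR = re.compile(r'^[A-Za-z0-9!#%*+\-./=?^_~]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')
SHELL_META = re.compile(r'[|;&`$(){}<>\\]')
BASE64_RUN = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')

def split_recipients(value: str) -> list[str]:
    """Split a To/Cc/Bcc header value on commas that are not inside double quotes."""
    items, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == ',' and not quoted:
            items.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    items.append(''.join(buf).strip())
    return [item for item in items if item]

def suspicious_recipients(raw_message: str) -> list[dict]:
    """Return one finding per recipient entry that does not look like a mail address."""
    msg = message_from_string(raw_message)
    findings = []
    for header in ("To", "Cc", "Bcc"):
        for value in msg.get_all(header, []):
            for item in split_recipients(value):
                # Reduce 'Display Name <addr>' to addr; bare entries are left as they are.
                addr = re.sub(r'^.*<([^>]*)>$', r'\1', item)
                reasons = []
                if not PLAIN_ADDR.match(addr):
                    reasons.append("not a plain address")
                if SHELL_META.search(addr):
                    reasons.append("shell metacharacters")
                if BASE64_RUN.search(addr):
                    reasons.append("base64-like run")
                if reasons:
                    findings.append({"header": header, "value": addr, "reasons": reasons})
    return findings

# Constructed sample, not a real capture: the second CC entry is a quoted local part
# carrying a harmless base64 token (it encodes "echo hello world") where an address belongs.
SAMPLE = """\
From: someone@example.net
To: alice@example.test
Cc: bob@example.test, "$(ZWNobyBoZWxsbyB3b3JsZA==)"@mail.example.test
"""
```

Running `suspicious_recipients(SAMPLE)` returns a single finding for the Cc entry with all three reasons; a message whose recipients are ordinary addresses returns an empty list.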
Threat researcher Ivan Kwiatkowski from HarfangLab identified that the malicious emails are originating from the IP address 79.124.49[.]86, seemingly located in Bulgaria. The threat actor is using the same server both to send the exploit emails and to host the second-stage payload, indicating a relatively unsophisticated operation. This approach strongly suggests that the threat actor lacks a diversified infrastructure for sending exploit emails and managing infected systems post-exploitation. The volume of attacks has reportedly remained consistent since they began and seems more opportunistic than targeted in nature.
On September 27, researchers from the Project Discovery open-source initiative published a proof-of-concept for the vulnerability, attributing the issue to inadequate input sanitization that enables threat actors to insert arbitrary commands. While Zimbra’s patched software versions have remediated this issue, administrators are strongly advised to promptly apply the latest patches to safeguard their systems. Moreover, correctly configuring the mynetworks parameter is crucial to prevent the service from being exposed to external exploitation through misconfiguration.
Zimbra Collaboration Suite, widely used by thousands of companies and millions of users for email, calendaring, chat, and video services, has long been a prime target for cyber attacks. In recent incidents, various threat actors leveraged vulnerabilities in Zimbra to target government agencies and organizations worldwide. Notably, in 2023, Chinese APT groups exploited a Zimbra zero-day (CVE-2023-37580) to infiltrate government systems, prompting Zimbra to release a patch a month later. Additionally, North Korea’s Lazarus Group attempted to steal intelligence from healthcare and energy sector organizations by exploiting unpatched Zimbra servers. These incidents underscore the critical importance of promptly addressing security vulnerabilities in Zimbra systems to mitigate the risk of cyber threats exploiting them for malicious purposes.

