The National Cyber Coordination and Command Centre (NC4) would like to advise organisations to take precautionary measures regarding a newly identified vulnerability (CVE-2024-45519) in the Zimbra Collaboration Suite's postjournal service. This vulnerability could allow threat actors to execute arbitrary commands, potentially leading to system compromise.
The Zimbra vulnerability is currently under active exploitation, with observed attacks beginning on 28 September 2024. The exploit utilises command injection in the postjournal service, enabling unauthorised code execution. This poses a risk to any organisation using Zimbra's email and collaboration platform. Zimbra vulnerabilities are frequently exploited by state-sponsored groups and ransomware gangs, such as MalasLocker, because the platform is commonly used across government agencies and corporate environments.
CVE-2024-45519 arises from improper handling of unsanitised input in the postjournal binary of Zimbra Collaboration Suite. The vulnerability is triggered by sending specially crafted SMTP messages to Zimbra servers, allowing remote command execution. Proof of Concept (PoC) exploits have been published, demonstrating the severity of this flaw.
The vulnerability is linked to the use of popen within the postjournal service without adequate input sanitisation, creating the potential for command injection. A security expert at Synacor, Zimbra's parent company, emphasised the importance of applying the patch, even if the postjournal feature is optional or disabled. As a temporary measure, removing the postjournal binary is suggested if immediate patching is not feasible.
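To make the bug class concrete for developers and reviewers, the following C example contrasts the popen-based pattern described above with a hardened alternative. It is an added illustration written for this advisory and is not Zimbra's or Synacor's code; the helper program path, the `--` argument and the recipient allow-list are assumptions chosen to show the principle, not details of the real postjournal binary.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (illustrative, NOT Zimbra's actual code): an untrusted
 * value is spliced into a command line that popen() hands to /bin/sh, so
 * any shell metacharacter in the input changes what the shell executes.
 * Shown only to contrast with the hardened version below. */
FILE *deliver_via_popen_unsafe(const char *helper, const char *recipient)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "%s -- %s", helper, recipient);
    return popen(cmd, "w");  /* the shell interprets cmd */
}

/* Allow-list validation: accept only characters that can legitimately occur
 * in the local-part@domain form we expect; reject everything else, including
 * a leading '-' that a helper might parse as an option. (Assumed policy.) */
int is_safe_recipient(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 254 || s[0] == '-')
        return 0;
    int at = 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (isalnum(*p) || *p == '.' || *p == '_' || *p == '+' || *p == '-')
            continue;
        if (*p == '@' && !at++)
            continue;
        return 0;  /* space, ';', '$', '`', '|', quotes, second '@', ... */
    }
    return at == 1;
}

/* Hardened pattern: validate first, then run the helper with fork()+execv()
 * and an explicit argv. No shell is involved, so metacharacters carry no
 * meaning. Returns the helper's exit status, or -1 on rejection/failure. */
int deliver_without_shell(const char *helper, const char *recipient)
{
    if (!is_safe_recipient(recipient))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, "--", (char *)recipient, NULL };
        execv(argv[0], argv);
        _exit(127);  /* only reached if execv() itself fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: one clean address, one carrying a shell
     * metacharacter. Only the hardened path is exercised here. */
    const char *clean = "alice@example.com";
    const char *tainted = "alice@example.com; id";
    printf("clean   -> %d\n", deliver_without_shell("/bin/echo", clean));
    printf("tainted -> %d\n", deliver_without_shell("/bin/echo", tainted));
    return 0;
}
```

The point for code review is the second function: the fix is not a better escaping routine bolted onto `popen`, but removing the shell from the path entirely and validating the untrusted field against a narrow allow-list before it reaches any subprocess.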
Affected Zimbra Collaboration Suite (ZCS) versions are listed below:
Organisations are advised to take the following immediate actions to mitigate the risk of exploitation:
https://www.helpnetsecurity.com/2024/10/02/cve-2024-45519-exploited/
https://blog.projectdiscovery.io/zimbra-remote-code-execution/
https://nvd.nist.gov/vuln/detail/CVE-2024-45519