{"id":169239,"date":"2024-10-02T09:21:33","date_gmt":"2024-10-02T09:21:33","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=169239"},"modified":"2024-10-02T09:21:35","modified_gmt":"2024-10-02T09:21:35","slug":"zimbra-postjournal-flaw-cve-2024-45519-exploited","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/169239\/hacking\/zimbra-postjournal-flaw-cve-2024-45519-exploited.html","title":{"rendered":"Critical Zimbra Postjournal flaw CVE-2024-45519 actively exploited in the wild. Patch it now!"},"content":{"rendered":"
<\/div>\n

Threat actors attempt to exploit recently disclosed vulnerability CVE-2024-45519 in Synacor’s Zimbra Collaboration.<\/h2>\n\n\n\n

Proofpoint cybersecurity researchers reported that threat actors are attempting to exploit a recently disclosed vulnerability, tracked as CVE-2024-45519, in Synacor’s Zimbra Collaboration.<\/p>\n\n\n\n

Starting on September 28, 2024, threat actors have been attempting to exploit the issue to achieve remote code execution on vulnerable instances.<\/p>\n\n\n\n

Threat actors started exploring the vulnerability after the cybersecurity firm Project Discovery released technical details of the vulnerability and PoC exploit code.<\/p>\n\n\n\n

“Zimbra, a widely used email and collaboration platform, recently released a critical security update addressing a severe vulnerability in its\u00a0postjournal<\/code>\u00a0service. This vulnerability, identified as CVE-2024-45519, allows unauthenticated attackers to execute arbitrary commands on affected Zimbra installations.” reads a blog post<\/strong><\/a> published by Project Discovery. “In this blog post, we delve into the nature of this vulnerability, our journey in analyzing the patch, and the steps we took to exploit it manually.\u00a0“<\/em><\/gwmw><\/gwmw><\/p>\n\n\n\n

The vulnerability CVE-2024-45519 is a remote code execution vulnerability in Zimbra mail servers that was discovered by the security researcher lebr0nli (Alan Li). Versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1<\/a>\u00a0released on September 4, 2024 address the vulnerability. <\/p>\n\n\n\n

The attackers spoofed Gmail, sending emails with base64 strings to be executed by Zimbra servers. The same server is used to send exploit emails and host second-stage payloads. The experts have yet to identy the threat actor behind this campaign.<\/gwmw><\/gwmw><\/p>\n\n\n\n

\n

Beginning on September 28, @Proofpoint<\/a> began observing attempts to exploit CVE-2024-45519, a remote code execution vulnerability in Zimbra mail servers.

The emails spoofing Gmail were sent to bogus addresses in the CC fields in an attempt for Zimbra servers to parse and execute\u2026 https:\/\/t.co\/VmnQkDypkg<\/a> pic.twitter.com\/RJr9jawwWl<\/a><\/p>— Threat Insight (@threatinsight) October 1, 2024<\/a><\/blockquote>