Thousands of Zimbra Servers Under Attack: Critical RCE Vulnerability Exploited in Mass Email Campaign
Thousands of Zimbra email servers have recently been targeted in a mass exploitation campaign exploiting a critical vulnerability tracked as CVE-2024-45519. The flaw in the Zimbra Postjournal service lets threat actors execute commands remotely on affected servers. It stems from improper input validation in the postjournal `read_maps` function, which results in arbitrary command execution without authentication. This makes it particularly dangerous: anyone with network access to the service can exploit it, leading to full server compromise and data theft (SOCRadar® Cyber Intelligence Inc.).
Active exploitation was first observed on September 28, just one day after researchers released a proof-of-concept (PoC) for CVE-2024-45519. Attackers trigger the flaw by sending specially crafted emails, typically with malicious commands embedded in the "CC" field. When the postjournal service processes the message, those commands execute on the server, allowing attackers to install webshells and gain persistent access (SOCRadar® Cyber Intelligence Inc.) (VULNERA).
The attack method involves sending emails containing base64-encoded strings, which are decoded and executed on the server. Once a webshell is installed, attackers can carry out further actions such as data theft or additional network compromise. A working exploit script has also been published on GitHub, increasing the risk of widespread attacks against unpatched servers (VULNERA).
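Because the campaign described above rides on recipient headers, a mail gateway or SOC can triage inbound messages for the two traits the reports name: shell metacharacters in address fields and base64 blobs where only addresses belong. The following is an added, illustrative detector written for this article, not code from Zimbra, SOCRadar or VULNERA; the two messages it scans are constructed samples, and the header list, regexes and 16-character blob threshold are assumptions to tune for a real deployment.

```python
"""Heuristic scan of inbound mail headers for command-injection style
content in address fields (added example; constructed sample data)."""
import base64
import re
from email import message_from_string

# Constructed sample: an ordinary message that should produce no findings.
BENIGN_MSG = """From: alice@example.invalid
To: bob@example.invalid
Cc: carol@example.invalid, "Dave Smith" <dave@example.invalid>
Subject: lunch

see you at noon
"""

# Constructed sample: a quoted local part carrying a shell substitution and a
# base64 token (the token decodes to the harmless string "constructed-sample").
SUSPICIOUS_MSG = """From: sender@example.invalid
To: victim@example.invalid
Cc: "x$(echo Y29uc3RydWN0ZWQtc2FtcGxl | base64 -d)"@example.invalid
Subject: hi

body
"""

# Header fields that should only ever hold addresses and display names.
ADDRESS_HEADERS = ("From", "To", "Cc", "Bcc", "Reply-To")

# Characters that have no business in a recipient field but drive a shell.
SHELL_META = re.compile(r"[$`|;&]")

# Runs of base64 alphabet long enough to be unlikely in a real address part
# (assumed threshold; raise it if local parts in your environment are long).
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _decodes_as_base64(token):
    """True if token (padded as needed) is syntactically valid base64."""
    padded = token + "=" * (-len(token) % 4)
    try:
        base64.b64decode(padded, validate=True)
        return True
    except (ValueError, TypeError):
        return False


def scan_headers(raw_message):
    """Return a list of (header, value, reasons) for every address header
    that shows shell metacharacters and/or a decodable base64 blob."""
    msg = message_from_string(raw_message)
    findings = []
    for header in ADDRESS_HEADERS:
        for value in msg.get_all(header, []):
            reasons = []
            if SHELL_META.search(value):
                reasons.append("shell metacharacters")
            blobs = [b for b in BASE64_BLOB.findall(value) if _decodes_as_base64(b)]
            if blobs:
                reasons.append("base64 blob")
            if reasons:
                findings.append((header, value, reasons))
    return findings


def severity(findings):
    """'high' when a shell metacharacter hit is present, 'low' for a
    base64-only hit (long alphanumeric local parts can trigger that),
    'none' when there are no findings."""
    if any("shell metacharacters" in reasons for _, _, reasons in findings):
        return "high"
    return "low" if findings else "none"


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_MSG), ("suspicious", SUSPICIOUS_MSG)):
        hits = scan_headers(sample)
        print(f"{label}: severity={severity(hits)}")
        for header, value, reasons in hits:
            print(f"  {header}: {value!r} -> {', '.join(reasons)}")
```

Run as a filter in front of the mail server or over a mail log export; a "high" verdict on an address header is worth an alert on its own, while a base64-only hit is better used as a corroborating signal, since a long alphanumeric local part can look like base64 to this regex.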
Although Zimbra has released patches for the affected versions (including 9.0.0 Patch 41, 10.0.9, and 8.8.15 Patch 46), the vulnerability remains a significant concern, especially for organizations that have not yet updated. Administrators are strongly advised to apply these patches immediately and, where possible, disable the postjournal service to reduce the attack surface (SOCRadar® Cyber Intelligence Inc.) (VULNERA).
To further reduce exposure, administrators should review network configurations so that the service is reachable only from trusted IP addresses, and deploy monitoring to catch signs of compromise. The urgency of patching is heightened by the ongoing exploitation and the public availability of exploit scripts (SOCRadar® Cyber Intelligence Inc.) (VULNERA).