2 October 2024

Recently patched critical Zimbra vulnerability actively exploited in the wild


Cybersecurity researchers are warning of active exploitation attempts targeting a newly disclosed vulnerability in Synacor's Zimbra Collaboration email and collaboration platform.

The flaw, tracked as CVE-2024-45519, could allow unauthenticated attackers to execute arbitrary commands on vulnerable Zimbra installations.

Cybersecurity firm Proofpoint revealed it first observed the malicious activity on September 28, 2024. The attackers are attempting to exploit the vulnerability in Zimbra's postjournal service by sending emails whose recipient addresses are crafted to carry shell commands.

“The emails spoofing Gmail were sent to bogus addresses in the CC fields in an attempt for Zimbra servers to parse and execute them as commands,” Proofpoint said in a series of posts on X (formerly Twitter). “The addresses contained Base64 strings that are executed with the sh utility.”

The critical vulnerability was addressed by Zimbra in versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1, which were released on September 4, 2024.

Proofpoint said it uncovered a series of CC'd email addresses used in the attacks. The Base64 strings embedded in these addresses decode to commands that attempt to write a web shell to the vulnerable Zimbra server. The installed web shell listens for an inbound connection carrying a specific JSESSIONID cookie. Once that connection is established, it parses the JACTION cookie for Base64-encoded commands, allowing attackers to execute arbitrary commands via exec or to download and run files over a socket connection.
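Both stages described above, the exploit email and the web shell's cookie channel, lend themselves to detection. The following Python script is an added example written for this page, not code from Proofpoint or Zimbra: it inspects recipient addresses taken from a CC header or an SMTP envelope for shell metacharacters and decode-and-execute pipelines, decodes the embedded Base64 to show the intended command, and separately flags HTTP requests whose Cookie header carries both a JSESSIONID and a JACTION value that decodes as Base64. The sample header, the sample requests, the harmless `echo` stand-in command and the hostnames are all constructed; the JSESSIONID value the real web shell expects is not known from the reporting, so the request check keys on the presence of JACTION rather than on a particular session identifier.

```python
import base64
import re

# --- Stage 1: exploit e-mails carrying shell commands in recipient addresses ---

# Shell metacharacters that have no business in a recipient address.
SHELL_META_RE = re.compile(r'[$`|;&]')
# "<base64> | base64 -d | sh" style decode-and-execute pipeline.
B64_PIPE_RE = re.compile(
    r'([A-Za-z0-9+/]{16,}={0,2})\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:sh|bash)\b'
)


def decode_b64(value):
    """Strictly decode Base64; return None if the value is not valid Base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return None


def split_addresses(header_value):
    """Split a To/CC header on commas that sit outside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in header_value:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if buf:
        parts.append("".join(buf).strip())
    return [p for p in parts if p]


def inspect_addresses(header_value):
    """Flag addresses that embed shell syntax; decode any Base64 pipeline found."""
    findings = []
    for addr in split_addresses(header_value):
        if not SHELL_META_RE.search(addr):
            continue
        m = B64_PIPE_RE.search(addr)
        findings.append({
            "address": addr,
            "decoded_command": decode_b64(m.group(1)) if m else None,
        })
    return findings


# --- Stage 2: the dropped web shell's cookie-based command channel ---

COOKIE_PAIR_RE = re.compile(r'([^=;\s]+)=([^;]*)')


def parse_cookie_header(cookie_header):
    return {k: v.strip() for k, v in COOKIE_PAIR_RE.findall(cookie_header)}


def inspect_request(headers):
    """Return a finding if a request looks like a web-shell command, else None.

    A legitimate Zimbra session also carries JSESSIONID, so the signal here is
    the attacker-specific JACTION cookie whose value decodes as Base64.
    """
    cookie = next((v for k, v in headers.items() if k.lower() == "cookie"), "")
    jar = parse_cookie_header(cookie)
    if "JSESSIONID" not in jar or "JACTION" not in jar:
        return None
    return {
        "jsessionid": jar["JSESSIONID"],
        "jaction_decoded": decode_b64(jar["JACTION"]),
    }


# --- Constructed sample input (not real attacker data) ---

# Harmless stand-in for the dropper; the real payload writes a web shell.
SAMPLE_CMD = "echo hello > /tmp/test.txt"
SAMPLE_B64 = base64.b64encode(SAMPLE_CMD.encode()).decode()
SAMPLE_CC_HEADER = (
    f'"aaa$(echo {SAMPLE_B64} | base64 -d | sh)"@mail.example.invalid, '
    'alice@example.invalid'
)
SAMPLE_SHELL_CMD = "id"
SAMPLE_REQUEST = {
    "Host": "mail.example.invalid",
    "Cookie": "JSESSIONID=abc123; JACTION="
              + base64.b64encode(SAMPLE_SHELL_CMD.encode()).decode(),
}
SAMPLE_BENIGN_REQUEST = {"Cookie": "JSESSIONID=abc123; ZM_AUTH_TOKEN=0_x"}

if __name__ == "__main__":
    for finding in inspect_addresses(SAMPLE_CC_HEADER):
        print("suspicious address:", finding)
    print("web shell command:", inspect_request(SAMPLE_REQUEST))
    print("benign request:", inspect_request(SAMPLE_BENIGN_REQUEST))
```

The address check is deliberately broad: any `$`, backtick, pipe, semicolon or ampersand in a recipient is worth a look on a mail gateway, and the Base64 decode is only there to make triage faster. The request check needs headers, not just access-log lines, so it is meant for a reverse proxy, WAF or packet capture in front of the Zimbra web tier rather than for Jetty's default access log, which does not record cookies.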

“For unknown reasons, the threat actor is using the same server to send the exploit emails and host second-stage payloads,” Proofpoint said.

Researchers have yet to attribute the observed activity to a known threat actor or group.

Since mass exploitation of CVE-2024-45519 has begun, organizations are strongly recommended to patch their Zimbra email servers as soon as possible. Patching closes the injection vector but does not remove a web shell that has already been dropped, so servers that were exposed before the update should be checked for unexpected files in the web root and for requests carrying the JACTION cookie described above. Zimbra's advisory also notes that postjournal is an optional service that is disabled by default; where it is not needed it should stay disabled, and the mynetworks parameter should be restricted so that only trusted hosts can reach it.
