2 October 2024

Recently patched critical Zimbra vulnerability actively exploited in the wild


Cybersecurity researchers are warning of active exploitation attempts targeting a newly disclosed vulnerability in Synacor's Zimbra Collaboration email and collaboration platform.

The flaw, tracked as CVE-2024-45519, could allow unauthenticated attackers to execute arbitrary commands on vulnerable Zimbra installations.

Cybersecurity firm Proofpoint revealed it first observed the malicious activity on September 28, 2024. The attackers are attempting to exploit the vulnerability in Zimbra's postjournal service, delivering their malicious commands inside crafted email addresses.

“The emails spoofing Gmail were sent to bogus addresses in the CC fields in an attempt for Zimbra servers to parse and execute them as commands,” Proofpoint said in a series of posts on X (formerly Twitter). “The addresses contained Base64 strings that are executed with the sh utility.”

The critical vulnerability was addressed by Zimbra in versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1, which were released on September 4, 2024.

Proofpoint said it uncovered a series of CC'd email addresses used in the attacks. When decoded, these addresses attempt to write a web shell to a vulnerable Zimbra server. The installed web shell listens for an inbound connection with a specific JSESSIONID Cookie field. Once the connection is established, it parses the JACTION cookie for Base64-encoded commands, allowing attackers to execute arbitrary commands via exec or download and run files over a socket connection.
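As an added illustration (not code from Proofpoint's or Zimbra's reporting), the following mail-gateway check flags CC recipients whose local part carries a base64 run that decodes to command-like text, the delivery pattern described above. The sample message, the command hints and the length threshold are constructed assumptions, so treat the output as a triage heuristic rather than a signature for this exploit.

```python
import base64
import re
from email import message_from_string
from email.utils import getaddresses

# A base64 run long enough to carry a command; short alphanumeric local parts are normal.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Shell metacharacters that have no place in a recipient address (assumed indicator).
SHELL_META = re.compile(r"[;|`$(){}<>]")
# Tokens that make decoded text look like a command rather than random bytes (assumed list).
CMD_HINTS = ("sh ", "bash", "curl", "wget", "/tmp", "/bin", "echo", "python", "base64")

def decode_b64_runs(text):
    """Return the printable decodings of every base64-looking run in text."""
    out = []
    for match in B64_RUN.finditer(text):
        run = match.group(0).rstrip("=")
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4))
        except ValueError:  # binascii.Error is a ValueError: not valid base64
            continue
        decoded = raw.decode("utf-8", errors="ignore")
        if decoded and all(ch.isprintable() or ch.isspace() for ch in decoded):
            out.append(decoded)
    return out

def suspicious_recipients(raw_message):
    """Return (address, reason) pairs for CC recipients that look like command carriers."""
    msg = message_from_string(raw_message)
    findings = []
    for _name, addr in getaddresses(msg.get_all("Cc", [])):
        if SHELL_META.search(addr):
            findings.append((addr, "shell metacharacters in address"))
            continue
        for decoded in decode_b64_runs(addr.split("@", 1)[0]):
            if any(hint in decoded for hint in CMD_HINTS):
                findings.append((addr, f"base64 decodes to command-like text: {decoded!r}"))
                break
    return findings

# Constructed sample (not a real campaign message): one ordinary CC recipient and one whose
# local part is the base64 encoding of a harmless shell command.
ENCODED_LOCAL_PART = base64.b64encode(b"echo hello from the mailer").decode()
SAMPLE_MESSAGE = (
    "From: sender@example.com\r\n"
    "To: user@example.com\r\n"
    f"Cc: accounting@example.com, {ENCODED_LOCAL_PART}@example.com\r\n"
    "Subject: constructed test\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    for addr, reason in suspicious_recipients(SAMPLE_MESSAGE):
        print(f"FLAG {addr}: {reason}")
```

Long random-looking local parts rarely decode to printable text with one of the hint tokens, which keeps false positives low, but the hint list should be tuned to the traffic a given gateway sees.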

“For unknown reasons, the threat actor is using the same server to send the exploit emails and host second-stage payloads,” Proofpoint said.

Researchers have yet to attribute the observed activity to a known threat actor or group.

Since mass exploitation of CVE-2024-45519 has begun, organizations are strongly advised to patch their Zimbra email servers as soon as possible.
