Recently patched critical Zimbra vulnerability actively exploited in the wild

Cybersecurity researchers are warning of active exploitation attempts targeting a newly disclosed vulnerability in Synacor's Zimbra Collaboration email and collaboration platform.

The flaw, tracked as CVE-2024-45519, could allow unauthenticated attackers to execute arbitrary commands on vulnerable Zimbra installations.

Cybersecurity firm Proofpoint revealed it first observed the malicious activity on September 28, 2024. The attackers are attempting to exploit the vulnerability in Zimbra's postjournal service, using sophisticated techniques to deliver malicious commands.

“The emails spoofing Gmail were sent to bogus addresses in the CC fields in an attempt for Zimbra servers to parse and execute them as commands,” Proofpoint said in a series of posts on X (formerly Twitter). “The addresses contained Base64 strings that are executed with the sh utility.”

The critical vulnerability was addressed by Zimbra in versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1, which were released on September 4, 2024.

Proofpoint said it uncovered a series of CC'd email addresses used in the attacks. When decoded, these addresses attempt to write a web shell to a vulnerable Zimbra server. The installed web shell listens for an inbound connection with a specific JSESSIONID Cookie field. Once the connection is established, it parses the JACTION cookie for Base64-encoded commands, allowing attackers to execute arbitrary commands via exec or download and run files over a socket connection.
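As an added illustration (not code from Proofpoint or this article), the following Python script applies the two indicators described above to constructed sample data: CC addresses that embed a Base64 blob decoding to shell-like text, and HTTP requests whose Cookie header carries a JACTION value, which the article says the web shell uses as its command channel. The sample headers, the minimum blob length, and the shell keyword list are assumptions for the demonstration.

```python
import base64
import re

# Constructed sample data (not real traffic): one benign CC header and one whose
# CC local part is a Base64 blob of the kind Proofpoint described.
SAMPLE_CC_HEADERS = [
    "CC: alice@example.com, bob@example.com",
    "CC: " + base64.b64encode(b"echo probe > /tmp/probe").decode() + "@example.com",
]
# Constructed Cookie headers as a reverse proxy in front of Zimbra might log them.
SAMPLE_COOKIE_HEADERS = [
    "Cookie: JSESSIONID=abc123; ZM_AUTH_TOKEN=xyz",
    "Cookie: JSESSIONID=abc123; JACTION=" + base64.b64encode(b"echo ok").decode(),
]
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # assumed minimum blob length
SHELL_HINTS = ("sh ", "bash", "curl", "wget", "echo", "/tmp/", "|", ";", "&&", ">")

def decode_if_base64(token):
    """Decode a Base64 token to printable ASCII text, or return None."""
    if len(token) % 4 == 1:  # no valid Base64 string has this length
        return None
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not all(32 <= b < 127 or b in (9, 10) for b in raw):
        return None
    return raw.decode("ascii")

def suspicious_cc_addresses(header):
    """Return (address, decoded_text) for CC addresses embedding shell-like Base64."""
    hits = []
    for addr in re.split(r",\s*", header.split(":", 1)[1].strip()):
        for m in B64_RUN.finditer(addr):
            text = decode_if_base64(m.group(0))
            if text and any(h in text for h in SHELL_HINTS):
                hits.append((addr, text))
    return hits

def suspicious_jaction_cookie(header):
    """Return the JACTION cookie value (Base64-decoded when possible), else None."""
    m = re.search(r"(?:^|;\s*)JACTION=([^;\s]+)", header)
    return (decode_if_base64(m.group(1)) or m.group(1)) if m else None

if __name__ == "__main__":
    for h in SAMPLE_CC_HEADERS:
        print("CC hits:", suspicious_cc_addresses(h))
    for h in SAMPLE_COOKIE_HEADERS:
        print("JACTION:", suspicious_jaction_cookie(h))
```

In practice the CC check would run over the MTA's received-header log or a mail archive, and the cookie check over proxy logs configured to record request cookies; both are heuristics and will need tuning against legitimate traffic.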

“For unknown reasons, the threat actor is using the same server to send the exploit emails and host second-stage payloads,” Proofpoint said.

Researchers have yet to attribute the observed activity to a known threat actor or group.

With mass exploitation of CVE-2024-45519 under way, organizations are strongly advised to patch their Zimbra email servers as soon as possible.
