Thursday , June 5 2025
zimbra

Patch it now!
Critical Zimbra RCE flaw exploited: Needs Immediate Patching

Hackers are exploiting a recently revealed RCE vulnerability in Zimbra email servers that can be activated by sending specially crafted emails to the SMTP server.

CVE-2024-45519 is a remote code execution vulnerability in Zimbra’s postjournal service, which handles incoming emails via SMTP. Attackers can exploit this flaw by sending emails with commands in the CC field, causing the postjournal service to execute those commands.

CVSS 9.6: IBM QRadar & Cloud Pak Security Flaws Exposed

IBM has issued a security advisory for vulnerabilities in its QRadar Suite Software and Cloud Pak for Security platforms. These...
Read More
CVSS 9.6: IBM QRadar & Cloud Pak Security Flaws Exposed

ALERT
Thousands of IP addresses compromised nationwide: CIRT warn

As Bangladesh prepares for the extended Eid-ul-Adha holidays, the BGD e-GOV Computer Incident Response Team (CIRT) has issued an urgent...
Read More
ALERT  Thousands of IP addresses compromised nationwide: CIRT warn

New Android Malware ‘Crocodilus’ Targets Banks in 8 Countries

In March 2025, the Threatfabric mobile Threat Intelligence team identified Crocodilus, a new Android banking Trojan designed for device takeover....
Read More
New Android Malware ‘Crocodilus’ Targets Banks in 8 Countries

Qualcomm Patches 3 Zero-Days Used in Targeted Android Attacks

Qualcomm has issued security patches for three zero-day vulnerabilities in the Adreno GPU driver, affecting many chipsets that are being...
Read More
Qualcomm Patches 3 Zero-Days Used in Targeted Android Attacks

Critical RCE Flaw Patched in Roundcube Webmail

Roundcube Webmail has fixed a critical security flaw that could enable remote code execution after authentication. Disclosed by security researcher...
Read More
Critical RCE Flaw Patched in Roundcube Webmail

Hacker claim Leak of Deloitte Source Code & GitHub Credentials

A hacker known as "303" claim to breach the company's systems and leaked sensitive internal data on a dark web...
Read More
Hacker claim Leak of Deloitte Source Code & GitHub Credentials

CISA Issued Guidance for SIEM and SOAR Implementation

CISA and ACSC issued new guidance this week on how to procure, implement, and maintain SIEM and SOAR platforms. SIEM...
Read More
CISA Issued Guidance for SIEM and SOAR Implementation

Linux flaws enable password hash theft via core dumps in Ubuntu, RHEL, Fedora

The Qualys Threat Research Unit (TRU) found two local information-disclosure vulnerabilities in Apport and systemd-coredump. Both issues are race-condition vulnerabilities....
Read More
Linux flaws enable password hash theft via core dumps in Ubuntu, RHEL, Fedora

Australia enacts mandatory ransomware payment reporting

New ransomware payment reporting rules take effect in Australia yesterday (May 30) for all organisations with an annual turnover of...
Read More
Australia enacts mandatory ransomware payment reporting

Why Govt Demands Foreign CCTV Firms to Submit Source Code?

Global makers of surveillance gear have clashed with Indian regulators in recent weeks over contentious new security rules that require...
Read More
Why Govt Demands Foreign CCTV Firms to Submit Source Code?

Threat actors began exploiting the vulnerability after Project Discovery released its technical details and proof of concept (PoC) exploit code.

“Zimbra, a widely used email and collaboration platform, recently released a critical security update addressing a severe vulnerability in its postjournal service. This vulnerability, identified as CVE-2024-45519, allows unauthenticated attackers to execute arbitrary commands on affected Zimbra installations.” reads a blog post published by Project Discovery.

The vulnerability was discovered by the security researcher lebr0nli (Alan Li). Versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1 released on September 4, 2024 address the vulnerability.

Attackers spoofed Gmail to send emails with base64 strings executed by Zimbra servers. These servers also send exploit emails and host further payloads. The identity of the threat actor behind this campaign remains unclear.

“Beginning on September 28, @Proofpoint began observing attempts to exploit CVE-2024-45519, a remote code execution vulnerability in Zimbra mail servers. The emails spoofing Gmail were sent to bogus addresses in the CC fields in an attempt for Zimbra servers to parse and execute them as commands. The addresses contained base64 strings that are executed with the sh utility.” warned Proofpoint on X. “For unknown reasons, the threat actor is using the same server to send the exploit emails and host second-stage payloads. The activity is unattributed at this time.”

Emails from one sender used CC’d addresses to try to create a webshell on vulnerable Zimbra servers. The attackers combined the CC list into a string, and when decoded from base64, it contained a command to write a webshell at the URL: /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp.

After deployment, the webshell listens for connections using a specific JSESSIONID cookie and interprets the JACTION cookie for base64 commands. It can execute commands or download and run files through a socket connection.

The availability of a PoC exploit exposes users to the risk of attacks, it is strongly recommended to apply the latest versions as soon as possible.

Source: Proofpoint, Securityaffair

Check Also

ASUS routers

CVE-2023-39780
Botnet hacks thousands of ASUS routers

GreyNoise has discovered a campaign where attackers have gained unauthorized access to thousands of internet-exposed …

Leave a Reply

Your email address will not be published. Required fields are marked *