Critical Vulnerability in Zimbra Collaboration Suite (ZCS)

Published on 04 Oct 2024

Zimbra has released security updates addressing a critical vulnerability (CVE-2024-45519) affecting their Zimbra's postjournal service. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.8 out of 10.

Successful exploitation of the command injection vulnerability can lead to remote code execution (RCE) on Zimbra servers, allowing attackers to execute arbitrary commands and install webshells for persistent backdoor access.

The vulnerability affects the following products:

  • Zimbra Collaboration Suite version 8.8.15 before Patch 46
  • Zimbra Collaboration Suite version 9.0.0 before Patch 41
  • Zimbra Collaboration Suite version 10 before 10.0.9
  • Zimbra Collaboration Suite version 10.1 before 10.1.1

Users and administrators of affected product versions are advised to update to the latest version immediately.

More information is available here:

https://wiki.zimbra.com/wiki/Security_Center

https://nvd.nist.gov/vuln/detail/CVE-2024-45519

https://www.helpnetsecurity.com/2024/10/02/cve-2024-45519-exploited/

https://thehackernews.com/2024/10/researchers-sound-alarm-on-active.html