CVE-2024-45519
published 2024-10-02


Priority: P1 · 99 · critical · CVSS 3.1 score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, due 2024-10-24
Exploited in the wild
EPSS: 99.98% (100.0th percentile)
The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands.

Affected

5 ranges
Vendor    Product                     Version range        Fixed in
synacor   zimbra_collaboration_suite  < 8.8.15             8.8.15
synacor   zimbra_collaboration_suite
synacor   zimbra_collaboration_suite
synacor   zimbra_collaboration_suite
synacor   zimbra_collaboration_suite  >= 10.0.0 < 10.0.9   10.0.9

Detection & IOCs (extracted from sources)

Port: 10027
Command: sh (base64-encoded strings executed via the 'sh' shell to build and drop a webshell)
Snort rule:
alert smtp any any -> [$HOME_NET,$SMTP_SERVERS] any (msg:"ET EXPLOIT Zimbra postjournal RCE Attempt Inbound (CVE-2024-45519)"; flow:established,to_server; content:"|0d 0a|RCPT|20|TO|3a 20|"; fast_pattern; content:"|24 28|"; within:200; pcre:"/^RCPT\x20TO\x3a\x20.*?\x24\x28/mi"; reference:cve,2024-45519; classtype:attempted-admin; sid:2056356; rev:2; metadata:created_at 2024_09_30, cve CVE_2024_45519, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Bytes: |24 28| within the RCPT TO field
  • Monitor SMTP traffic for shell metacharacters (specifically '$(' — 0x24 0x28) injected into the RCPT TO field, which indicates command injection attempts against Zimbra's postjournal service.
  • Attackers spoof Gmail addresses and embed base64-encoded commands in the CC field of emails sent to Zimbra SMTP servers; inspect CC headers for base64 payloads.
  • Hunt for webshell activity on Zimbra servers by monitoring HTTP requests containing both JSESSIONID and JACTION cookies, which are the webshell's trigger and command-delivery mechanism.
  • The exploit targets Zimbra's postjournal service on TCP port 10027; restrict or monitor access to this port from untrusted networks.
  • The root cause is unsanitized input passed to the popen() function; patched versions replace popen with execvp. Presence of popen in postjournal binary indicates a vulnerable version.
  • Over 50,000 web-exposed Zimbra servers were reported as still vulnerable; prioritize internet-facing Zimbra instances for patching and detection coverage.
  • The postjournal service is not enabled by default on all Zimbra deployments; disabling it if not required eliminates the attack surface entirely.
  • Misconfigured 'mynetworks' settings can allow unauthorized external access to postjournal; ensure mynetworks is restricted to trusted hosts to limit exploitation.
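As an added illustration (not code from the page's sources or from Zimbra), the following Python applies the two SMTP-side checks in the bullets above to a captured session: an RCPT TO argument containing '$(' (the same idea as the Snort rule's pcre) and a base64 text payload in a Cc header. The session, the '$(PLACEHOLDER)' value and the encoded string are constructed; RFC 2047 encoded-words are skipped to avoid flagging legitimate header encoding.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# RCPT TO argument containing "$(" (0x24 0x28). Same idea as the Snort rule's
# pcre, but the space after "TO:" is optional since RFC 5321 clients omit it.
RCPT_CMD_SUBST = re.compile(rb"^RCPT\x20TO\x3a[ \t]*.*?\x24\x28", re.I | re.M)
CC_HEADER = re.compile(rb"^Cc:[ \t]*(.+)$", re.I | re.M)
# RFC 2047 encoded-words (=?UTF-8?B?...?=) carry legitimate base64; skip them.
ENCODED_WORD = re.compile(rb"=\?[^?]+\?[BbQq]\?[^?]*\?=")
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")


@dataclass
class Finding:
    kind: str
    evidence: bytes


def _decodes_to_text(token: bytes) -> bool:
    """True if token is valid base64 whose plaintext is printable ASCII."""
    try:
        plain = base64.b64decode(token, validate=True)
    except binascii.Error:
        return False
    return bool(plain) and all(0x20 <= b < 0x7F or b in (9, 10, 13) for b in plain)


def scan_smtp_session(session: bytes) -> list:
    """Return findings for one captured SMTP session (envelope plus DATA)."""
    findings = []
    for m in RCPT_CMD_SUBST.finditer(session):
        findings.append(Finding("rcpt_to_command_substitution", m.group(0)))
    for h in CC_HEADER.finditer(session):
        value = ENCODED_WORD.sub(b"", h.group(1))  # drop legitimate encoded-words
        for tok in B64_TOKEN.finditer(value):
            if _decodes_to_text(tok.group(0)):
                findings.append(Finding("cc_base64_text_payload", tok.group(0)))
    return findings


# Constructed sample session (not a real capture): "$(PLACEHOLDER)" and the
# encoded "echo constructed sample" stand in for attacker-controlled content.
CC_PAYLOAD = base64.b64encode(b"echo constructed sample")
ENC_WORD = b"=?UTF-8?B?" + base64.b64encode(b"Operations Notification Team") + b"?="
SAMPLE_SESSION = (
    b"EHLO mail.example\r\nMAIL FROM:<sender@gmail.com>\r\n"
    b"RCPT TO:<bob@zimbra.example>\r\n"
    b"RCPT TO:<\"$(PLACEHOLDER)\"@zimbra.example>\r\nDATA\r\n"
    b"Cc: " + ENC_WORD + b" <ops@example.org>, " + CC_PAYLOAD + b"@gmail.com\r\n"
    b"\r\nbody\r\n.\r\n"
)

if __name__ == "__main__":
    for f in scan_smtp_session(SAMPLE_SESSION):
        print(f.kind, f.evidence)
```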

CVSS provenance

nvd        v3.1   9.8    CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck         10.0   CRITICAL
cisa              9.8    CRITICAL