Zimbra Remote Code Execution Vulnerability Being Exploited; Urgent Patch Required.

Recent Zimbra SMTP Server Vulnerability Being Actively Exploited – Urgent Patching Required

Security researchers have raised alarm bells about a critical vulnerability in Zimbra’s SMTP server that attackers are actively exploiting. The bug, known as CVE-2024-45519, allows remote attackers to execute arbitrary commands on vulnerable systems, potentially taking full control.

Proofpoint researchers have observed attacks targeting this flaw since Sept. 28, with malicious actors sending spoofed emails that appear to be from Gmail to vulnerable Zimbra servers. These emails contain base64-encoded code in the CC field, designed to trick Zimbra into running it as shell commands. This technique can lead to unauthorized command execution on the affected servers.

Threat researcher Ivan Kwiatkowski warns Zimbra users of mass exploitation of the vulnerability and underscores the urgency of patching immediately. Greg Lesnewich of Proofpoint notes that the threat actor behind these attacks is using the same server for both sending exploit emails and hosting the payload, indicating a relatively immature operation.

Researchers at Project Discovery identified the root cause of the vulnerability as input sanitization errors, which allowed for arbitrary command injection. Zimbra has released patches to address the issue, but administrators must apply them promptly to prevent exploitation. Additionally, proper configuration of the mynetworks parameter is crucial to avoid external attacks.
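The mynetworks point above can be checked mechanically. The following is an added example, not code from the article, Zimbra or the researchers: a small audit of a Postfix-style mynetworks value that flags entries trusting hosts outside loopback and private address space. The `TRUSTED` range list and both sample values are assumptions constructed for illustration.

```python
import ipaddress
import re

# Ranges this audit treats as internal (an assumption; adjust to your site).
TRUSTED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]

def audit_mynetworks(value):
    """Return a list of (entry, reason) findings for a mynetworks value."""
    findings = []
    for entry in re.split(r"[,\s]+", value.strip()):
        if not entry or entry.startswith("!"):
            continue  # "!pattern" exclusions only narrow the trusted set
        # Postfix also accepts /file/name and type:table entries; IPv6
        # literals are bracketed, so a bare ":" means a table lookup.
        if entry.startswith("/") or (":" in entry and not entry.startswith("[")):
            findings.append((entry, "external list: review its contents"))
            continue
        cidr = entry.replace("[", "").replace("]", "")
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append((entry, "unparseable entry"))
            continue
        inside = any(net.version == t.version and net.subnet_of(t)
                     for t in TRUSTED)
        if not inside:
            findings.append((entry, "trusts hosts outside loopback/private space"))
    return findings

# Constructed sample values, not taken from any real deployment.
WEAK = "127.0.0.0/8 [::1]/128 10.0.0.0/8 0.0.0.0/0, 203.0.113.0/24"
HARDENED = "127.0.0.0/8 [::1]/128 10.1.2.0/24"

if __name__ == "__main__":
    for label, value in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_mynetworks(value) or "no findings")
```

An empty result only means every listed range is internal; it does not replace applying the patch.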

With millions of users relying on Zimbra Collaboration Suite for various communication services, the platform has become a prime target for cyber threats. Previous incidents involving zero-day exploits underscore the importance of timely patching to thwart malicious activities. Organizations are urged to stay vigilant and secure their systems to mitigate risks.
