Cybersecurity researchers have raised alarms about active exploitation of a critical Remote Code Execution (RCE) vulnerability in Zimbra, a widely deployed open-source email and collaboration platform. Tracked as CVE-2024-45519, the flaw is being exploited at scale through specially crafted SMTP emails, with no authentication required.
Understanding the Vulnerability
CVE-2024-45519 affects the Zimbra postjournal service, which parses incoming SMTP emails. Attackers exploit the flaw by embedding malicious shell commands inside the CC field of a specially formatted email. When the postjournal service processes the message, those commands execute with the privileges of the Zimbra process — granting unauthenticated remote code execution on the server.
Exploitation in the Wild
Security experts from HarfangLab and Proofpoint reported observing mass exploitation beginning September 28, 2024 — just one day after ProjectDiscovery researchers published a detailed technical analysis and a proof-of-concept (PoC) exploit. The rapid weaponization of the PoC underscores the urgency of patching.
Attack Methodology
Attackers are sending malicious emails disguised as Gmail notifications. The CC field contains fake addresses with embedded base64-encoded payloads. When the postjournal service processes the email, it decodes and executes the payload, creating a persistent web shell on the Zimbra server. The web shell listens for incoming connections authenticated by a specific JSESSIONID cookie, then executes attacker commands passed via a second cookie (JACTION). This establishes a covert command-and-control channel inside the compromised mail server.
Organizations Running Unpatched Zimbra with Postjournal Exposed
Any organization running an unpatched Zimbra installation with the postjournal service enabled is at risk. Affected versions include:
- All Zimbra 9.x versions prior to 9.0.0 Patch 41
- Zimbra 10.x versions prior to 10.0.9 and 10.1.1
- Zimbra 8.8.15 versions prior to Patch 46
Zimbra is widely used by government agencies, universities, healthcare organizations, and enterprises. Any exposed SMTP endpoint running the vulnerable postjournal service is susceptible to exploitation without user interaction.
Patching CVE-2024-45519: Immediate Zimbra Remediation Steps
Cybersecurity experts strongly advise system administrators to take the following actions immediately:
- Apply the latest security patches — upgrade to Zimbra 9.0.0 Patch 41+, 10.0.9+, 10.1.1+, or 8.8.15 Patch 46+ as appropriate for your deployment
- Disable the postjournal service if it is not operationally required — this eliminates the attack surface entirely
- Restrict the mynetworks setting to trusted IP ranges to limit which hosts can communicate with the postjournal port (10027/tcp)
- Search for web shells on the Zimbra server — look for recently created .jsp files and unexpected files in the webapps directory
- Review SMTP logs for emails with anomalous CC fields or base64-encoded content in address fields dating from late September 2024 onward
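A triage helper for the header-review step above, added here as an example rather than Zimbra's or the researchers' code. It assumes the input is a stored message's raw headers (Postfix's own mail.log does not record Cc values), and the messages, the $(PLACEHOLDER) token and the base64 blob are all constructed samples.

```python
"""Scan stored message headers for Cc values carrying shell metacharacters or
base64 blobs, the two indicators the article names. Added example; the input
format and the sample messages are assumptions, not Zimbra's own data."""
import base64
import binascii
import email
import re

# Command-substitution and chaining characters that never belong in a mailbox
# name. RFC 5322 permits most of them inside a quoted local part, which is why
# a syntax-only address check is not a useful filter here.
SHELL_META = re.compile(r'\$\(|[`|;&]')
# An unbroken base64-looking run this long is rare in legitimate addresses.
B64_RUN = re.compile(r'[A-Za-z0-9+/]{20,}={0,2}')


def cc_findings(raw_message: str) -> list[str]:
    """Return one reason per suspicious Cc header value; empty list means clean."""
    msg = email.message_from_string(raw_message)
    findings = []
    for value in msg.get_all('Cc', []):
        # compat32 keeps header folding; join continuation lines before matching
        value = re.sub(r'\r?\n(?=[ \t])', '', value)
        if SHELL_META.search(value):
            findings.append(f'shell metacharacters in Cc: {value!r}')
        for run in B64_RUN.findall(value):
            try:
                decoded = base64.b64decode(run, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64, e.g. a long ordinary token
            findings.append(f'base64 run in Cc decodes to {decoded!r}')
    return findings


# Constructed samples. The "bad" message uses an inert $(PLACEHOLDER) token and
# a blob that decodes to harmless text; neither is a real exploit string.
CLEAN_MSG = "From: a@example.invalid\nCc: b@example.invalid\n\nhello\n"
BLOB = base64.b64encode(b"constructed sample, not a real payload").decode()
BAD_MSG = ("From: notify@example.invalid\n"
           f'Cc: "svc$(PLACEHOLDER)"@example.invalid, "{BLOB}"@example.invalid\n'
           "\nbody\n")

if __name__ == "__main__":
    for finding in cc_findings(BAD_MSG):
        print(finding)
```

Run it over each message in a mailbox export or the Zimbra message store; a non-empty result is a lead for the web-shell search in the previous step, not proof of compromise on its own.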
Technical Details of the Vulnerability
ProjectDiscovery researchers reverse-engineered the Zimbra patch and found that the vulnerable popen() function — which directly accepted unsanitized user input — was replaced with execvp() featuring dedicated input sanitization. However, researchers confirmed that the postjournal service on port 10027 remained reachable via direct SMTP connections, enabling arbitrary command execution before the sanitization layer was reached. The NVD entry for CVE-2024-45519 rates the vulnerability as critical severity.