Thousands of Zimbra servers attacked following email account compromise

Attacks don’t seem to be too effective just yet

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A critical vulnerability has been found in open source collaboration suite Zimbra which allows crooks to run remote code execution on vulnerable servers and deploymalware.

The vulnerability is tracked as CVE-2024-45519, and is only exploitable when default settings are changed, and the postjournal service is enabled. That, luckily, reduces the attack surface significantly, but not entirely. As multiple security researchers confirmed, when this service is enabled, if a threat actor sends a specially-crafted email, the platform will attempt to download and run a file on the server.

The vulnerability seems to be residing in the “to” and “cc” fields - since researchers from Proofpoint advised Zimbra users to look for malformed, or otherwise suspicious strings, in these fields in incoming email messages.

Unreliable attack

The researchers also said the attacks they’ve seen in the wild are massive - just one honeypot received some 500 requests in no more than an hour.

But the vulnerability seems unreliable. The server downloads the malicious file, but then does nothing with it.

“That’s all we’ve seen (so far), it doesn’t really seem like a serious attack,” security Ron Bowes wrote in his analysis of the attack. “I’ll keep an eye on it, and see if they try anything else!”

Zimbra released a patch for the flaw in the final days of September 2024, which researchers from Project Discovery used to release a proof-of-concept (PoC) and show the security community how it can be abused, with mixed results:

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“Initially, we conducted this test on our own Zimbra server for proof of concept,” the researchers wrote. “However, when attempting to exploit the vulnerability remotely over the internet, we faced failures.”

The first attacks emerged no more than a day later, on September 28.Users are still advised to install the available patch immediately, just in case.

ViaArs Technica

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Washington state court systems taken offline following cyberattack

Is it still worth using Proton VPN Free?

7 myths about email security everyone should stop believing