Attackers are actively exploiting a serious vulnerability in Zimbra mail servers, which are commonly used by medium and large organizations, to carry out remote code execution attacks. The flaw, designated CVE-2024-45519, allows attackers to execute commands on a server if an administrator has altered the default settings to enable the postjournal service. By sending carefully crafted emails to addresses hosted on the Zimbra server, attackers can trigger the vulnerability and potentially install backdoors. Zimbra has issued a patch, and all users are urged to update their systems immediately or disable the postjournal feature.
The ongoing attacks were first reported by security researcher Ivan Kwiatkowski, who described what he called “mass exploitation” of the vulnerability. He noted that the attacks originated from the IP address 79.124.49[.]86 and attempted to use the curl command-line tool to fetch and run a file hosted on that same server. Other security experts, including researchers at Proofpoint, later corroborated his findings, highlighting how quickly the malicious emails were spreading.
Further investigation suggests that the impact of the attacks may be limited, given the specific conditions under which the vulnerability can be exploited: the default settings must be intentionally altered before a server is exposed, which likely reduces the number of vulnerable servers. Meanwhile, researcher Ron Bowes examined the payload used in the attacks and found that although it downloads a file, it does not take any further action. Observing a honeypot server, Bowes counted approximately 500 requests in a single hour attributed to these exploit attempts, yet found no evidence of a severe attack campaign.
In an email update, Proofpoint’s Greg Lesnewich expressed a shared sentiment among researchers that, while the exploitation of this vulnerability is notably easy to execute, it appears unlikely to lead to widespread infections involving ransomware or espionage malware. Notably, exploitation attempts have remained consistent since they were first observed on September 28, and the attacks seem to be both geographically diverse and indiscriminate.
Preparedness is crucial for organizations using Zimbra. Security professionals are advised to monitor email logs for anomalies, particularly malformed or unusually formatted “To” or “CC” fields. Malicious actors have been observed using a single string of email addresses encoded in base64 to deliver webshell-based backdoors to vulnerable Zimbra servers.
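A log check along the lines described above, as an added example that is not code from the original article or from Zimbra: it scans constructed, Postfix-style log lines (the line format is an assumption; real Zimbra and postjournal logs differ) for recipient addresses whose local part carries shell metacharacters or a base64 token that decodes to readable text.

```python
import base64
import re

# Constructed sample lines in a generic Postfix-style format (an assumption;
# real Zimbra/postjournal logs differ). The second recipient mimics the shape
# reported for CVE-2024-45519 attempts: a quoted local part carrying shell
# metacharacters and a base64 token. The token here decodes to a harmless echo.
SAMPLE_LOG = """\
2024-09-28T10:01:02 smtpd: to=<alice@example.com> status=accepted
2024-09-28T10:01:05 smtpd: to=<"aabb$(echo ZWNobyBjb25zdHJ1Y3RlZC1zYW1wbGU= | base64 -d)"@example.com> status=accepted
2024-09-28T10:01:09 smtpd: to=<bob.smith+news@example.com> status=accepted
"""

RECIPIENT_RE = re.compile(r"to=<(?P<addr>[^>]+)>")
# Shell constructs that have no business in a mailbox name.
SHELL_META_RE = re.compile(r"\$\(|`|\||;|&&")
# A run of base64 alphabet long enough to be an encoded command, not a word.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_base64_tokens(text):
    """Return the base64-looking tokens in text that decode to printable ASCII.
    Requiring strict decoding plus printable output keeps ordinary long mailbox
    names from being flagged."""
    decoded = []
    for tok in B64_TOKEN_RE.findall(text):
        try:
            s = base64.b64decode(tok, validate=True).decode("ascii")
        except ValueError:  # bad padding/alphabet or non-ASCII bytes
            continue
        if s.isprintable():
            decoded.append(s)
    return decoded


def scan_recipient(addr):
    """Return the reasons a recipient address looks like an exploit attempt."""
    reasons = []
    local_part = addr.rsplit("@", 1)[0]
    if SHELL_META_RE.search(local_part):
        reasons.append("shell metacharacters in local part")
    for s in decode_base64_tokens(local_part):
        reasons.append(f"base64 token decodes to: {s!r}")
    return reasons


def scan_log(log_text):
    """Return (line, reasons) for every log line with a suspicious recipient."""
    hits = []
    for line in log_text.splitlines():
        m = RECIPIENT_RE.search(line)
        if m:
            reasons = scan_recipient(m.group("addr"))
            if reasons:
                hits.append((line, reasons))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags only the second line, with both the metacharacter and the decoded-token reason.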
From a cybersecurity perspective, the tactics employed in these attacks align with several categories outlined in the MITRE ATT&CK framework. Initial access through phishing emails containing crafted payloads represents a significant tactic, along with potential persistence methods enabled by the installation of backdoors. Business owners are encouraged to take proactive measures by staying informed about these vulnerabilities and ensuring all security patches are applied swiftly to mitigate potential risks.