Security Affairs
INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|AssuranceAmerica Breach Exposes 7 Million Driver’s Licenses After Employee Account Hack|Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656)|Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|AssuranceAmerica Breach Exposes 7 Million Driver’s Licenses After Employee Account Hack|Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656)|Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Critical Zimbra Postjournal flaw CVE-2024-45519 actively exploited in the wild. Patch it now!

Threat actors attempt to exploit recently disclosed vulnerability CVE-2024-45519 in Synacor’s Zimbra Collaboration. Proofpoint cybersecurity researchers reported that threat actors are attempting to exploit a recently disclosed vulnerability, tracked as CVE-2024-45519, in Synacor’s Zimbra Collaboration. Starting on September 28, 2024, threat actors have been attempting to exploit the issue to achieve remote code execution on […]

Zimbra CVE-2025-66376

Threat actors attempt to exploit recently disclosed vulnerability CVE-2024-45519 in Synacor’s Zimbra Collaboration.

Proofpoint cybersecurity researchers reported that threat actors are attempting to exploit a recently disclosed vulnerability, tracked as CVE-2024-45519, in Synacor’s Zimbra Collaboration.

Starting on September 28, 2024, threat actors have been attempting to exploit the issue to achieve remote code execution on vulnerable instances.

Threat actors started exploring the vulnerability after the cybersecurity firm Project Discovery released technical details of the vulnerability and PoC exploit code.

“Zimbra, a widely used email and collaboration platform, recently released a critical security update addressing a severe vulnerability in its postjournal service. This vulnerability, identified as CVE-2024-45519, allows unauthenticated attackers to execute arbitrary commands on affected Zimbra installations.” reads a blog post published by Project Discovery. “In this blog post, we delve into the nature of this vulnerability, our journey in analyzing the patch, and the steps we took to exploit it manually. “

The vulnerability CVE-2024-45519 is a remote code execution vulnerability in Zimbra mail servers that was discovered by the security researcher lebr0nli (Alan Li). Versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1 released on September 4, 2024 address the vulnerability.

The attackers spoofed Gmail, sending emails with base64 strings to be executed by Zimbra servers. The same server is used to send exploit emails and host second-stage payloads. The experts have yet to identy the threat actor behind this campaign.

“Beginning on September 28, @Proofpoint began observing attempts to exploit CVE-2024-45519, a remote code execution vulnerability in Zimbra mail servers. The emails spoofing Gmail were sent to bogus addresses in the CC fields in an attempt for Zimbra servers to parse and execute them as commands. The addresses contained base64 strings that are executed with the sh utility.” warned Proofpoint on X. “For unknown reasons, the threat actor is using the same server to send the exploit emails and host second-stage payloads. The activity is unattributed at this time.”

Some emails from the same sender used CC’d addresses to attempt building a webshell on vulnerable Zimbra servers. The attackers wrapped the full CC list in a string, and concatenating the base64-encoded blobs, they decode to a command to write a webshell to the following URL: /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp.

Once the webshell is deployed, it listens for connections with a specific JSESSIONID cookie and parses the JACTION cookie for base64 commands. The webshell can execute commands or download and run files via a socket connection.

The availability of a PoC exploit exposes users to the risk of attacks, it is strongly recommended to apply the latest versions as soon as possible.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Zimbra)