Security Affairs reports that ongoing attacks leveraging the maximum severity remote code execution flaw in Zimbra Collaboration, tracked as CVE-2024-45519, have prompted the bug's inclusion in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog, with federal agencies urged to remediate the issue by October 24.
Such a development comes after the vulnerability was discovered by Proofpoint to be leveraged in intrusions beginning September 28, following the release of its proof-of-concept exploit code and technical information by Project Discovery. Attacks involved the impersonation of Gmail to deliver base64 string-containing emails that would be executed by Zimbra servers, which have also been used for second-stage payload hosting, according to Proofpoint, which did not attribute the intrusions to a specific threat actor. "The emails spoofing Gmail were sent to bogus addresses in the CC fields in an attempt for Zimbra servers to parse and execute them as commands. The addresses contained base64 strings that are executed with the sh utility," said Proofpoint.
