Researchers uncovered an active attack on the Zimbra email server application.
According to the team at ProofPoint, threat actors have been sending spam emails loaded with code that aims to exploit the flaw classified as CVE-2024-45519.
In the wild, the attack manifests as an ordinary spam email. When a user opens the message, an automated script then attempts to run against the Zimbra server hosting the client.
If properly executed, the exploit would allow an attacker to obtain remote code execution on the target server. In practice, this would mean the attacker has total control over the system and the administrators are in for a very bad day.
“The emails spoofing Gmail were sent to bogus addresses in the CC fields in an attempt for Zimbra servers to parse and execute them as commands,” ProofPoint said via ThreatPost.
“The addresses contained base64 strings that are executed with the sh utility.”
The vulnerability itself was traced to a flaw in how Zimbra's postjournal service handles SMTP requests. When a malformed message reaches the server, its contents are passed on without any input screening, which lets the attacker run arbitrary commands on the target server.
“What makes this vulnerability particularly dangerous is that it does not require authentication,” said the team at SOCRadar.
“Anyone with access to the network where the postjournal service is running can exploit the vulnerability, leading to full control of the Zimbra server.”
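As an added defensive example (not code from the article, from Zimbra, Proofpoint or SOCRadar), the following Python triage check inspects the raw To/Cc headers of a message for recipient addresses shaped like the ones described above: shell metacharacters, or a base64 blob next to a decoder or shell name, in the local-part. The regexes, the 16-character threshold and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Characters that never belong in a mailbox local-part but are
# meaningful to sh: substitution, pipes, separators, redirects, grouping.
SHELL_META = re.compile(r'[$`|;&<>(){}]')
# A run of base64 alphabet long enough to carry a command, not a name.
B64_RUN = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')
# Decoder or shell names that accompany such a blob.
SH_HINT = re.compile(r'\b(base64|sh|bash)\b', re.IGNORECASE)
# Commas that sit outside double quotes (display names may contain commas).
ADDR_SEP = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')

def _addr_spec(token: str) -> str:
    """Return the addr-spec, dropping any display name and angle brackets."""
    m = re.search(r'<([^>]*)>', token)
    return (m.group(1) if m else token).strip()

def is_suspicious_address(addr: str) -> bool:
    """True when the local-part reads like a shell command, not a mailbox."""
    # Inspect the raw text: a strict parser would drop the telltale characters.
    local = addr.rsplit('@', 1)[0]
    if SHELL_META.search(local):
        return True
    return bool(B64_RUN.search(local) and SH_HINT.search(local))

def suspicious_recipients(raw_message: str) -> list:
    """Return Cc/To addr-specs in a raw message that look like injection."""
    msg = message_from_string(raw_message)
    flagged = []
    for value in msg.get_all('cc', []) + msg.get_all('to', []):
        for token in ADDR_SEP.split(value):
            addr = _addr_spec(token.strip())
            if addr and is_suspicious_address(addr):
                flagged.append(addr)
    return flagged

# Constructed sample, not a captured message: spoofed Gmail sender, a
# legitimate recipient, and a bogus CC address carrying a base64 blob.
SAMPLE = (
    'From: "Gmail Team" <no-reply@gmail.com>\n'
    'To: "Smith, John" <john.smith@example.invalid>\n'
    'Cc: newsletter@example.invalid,'
    ' "ZWNobyBoZWxsbyB3b3JsZA==|base64"@example.invalid\n'
    'Subject: constructed sample\n\nbody\n'
)
```

Run the check over the raw message as received by the MTA, before any normalisation, since parsing-tolerant mail libraries tend to strip exactly the characters that give the payload away.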
Unfortunately, this appears to be one of those occasions where attackers caught wind of the issue before the vendor could release a patch.
“Reports of active exploitation have surfaced on Twitter, with security researchers noting widespread attacks targeting vulnerable Zimbra servers,” noted SOCRadar.
Administrators are advised to update their Zimbra servers to the latest release. End users should follow the usual best practices, such as not opening unsolicited emails and avoiding links in dodgy messages.