Researchers Warn of Ongoing Attacks Exploiting Critical Zimbra Postjournal Flaw

Cybersecurity researchers are raising alarms about ongoing exploitation attempts targeting a recently disclosed vulnerability in Synacor’s Zimbra Collaboration platform.

According to enterprise security firm Proofpoint, exploitation activity started on September 28, 2024. Attackers are aiming to exploit CVE-2024-45519, a critical flaw in Zimbra’s postjournal service that allows unauthenticated attackers to execute arbitrary commands on vulnerable systems.

“The spoofed emails, posing as Gmail, were sent to fake addresses in the CC fields to trick Zimbra servers into parsing and executing them as commands,” Proofpoint shared in a series of posts on X. The spoofed addresses included Base64-encoded strings that Zimbra executed with the sh utility.

Zimbra patched the flaw on September 4, 2024, in versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1, following its discovery by security researcher lebr0nli (Alan Li).

Although the postjournal service is not enabled on every deployment, Ashish Kataria, a security engineer at Synacor, stressed that the patch should be applied regardless to prevent potential exploitation. Where the patch cannot be applied yet, removing the postjournal binary is a possible interim mitigation.

Proofpoint also revealed that the CC’d addresses, once decoded, attempt to plant a web shell at /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp, allowing command execution or file downloads over a socket connection.

The exploitation began after Project Discovery published technical details, revealing that the vulnerability stems from unsanitized user input being passed to popen, allowing attackers to inject commands.
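To make the root cause concrete, the following is an added illustrative example (not Zimbra's code and not the researchers' proof of concept) of the general pattern behind the flaw: an attacker-controlled recipient address interpolated into a command line for popen, shown beside a hardened version. The program path /usr/bin/deliver and its -r flag are hypothetical placeholders; the hardened variant validates the address against a strict character allowlist and then uses fork/execv with an argv array so no shell ever sees the value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable pattern (illustrative only): the address is interpolated into a
 * shell command string destined for popen(), so any shell metacharacter in it
 * becomes part of the command. Only the string is built here; nothing runs. */
int build_command_unsafe(char *out, size_t outlen, const char *address) {
    /* "/usr/bin/deliver -r" is a hypothetical program, not Zimbra's */
    int n = snprintf(out, outlen, "/usr/bin/deliver -r %s", address);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened step 1: allowlist validation of a recipient address. Anything
 * outside [A-Za-z0-9.-_+@] (quotes, $, ;, |, backticks, whitespace, parens)
 * is rejected before the value goes anywhere near a process. */
int address_is_safe(const char *address) {
    size_t len = strlen(address);
    if (len == 0 || len > 254) return 0;
    const char *at = strchr(address, '@');
    if (at == NULL || at == address || at[1] == '\0') return 0;
    if (strchr(at + 1, '@') != NULL) return 0;          /* exactly one '@' */
    for (const char *p = address; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (isalnum(c) || c == '.' || c == '-' || c == '_' || c == '+' || c == '@')
            continue;
        return 0;
    }
    return 1;
}

/* Hardened step 2: never go through sh. fork()+execv() passes the address as a
 * single argv element, so metacharacters are inert even if validation were
 * ever loosened. Returns the child's exit status, or -1 on rejection/failure. */
int run_delivery_safe(const char *program, const char *address) {
    if (!address_is_safe(address)) return -1;           /* reject, do not fork */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)program, "-r", (char *)address, NULL };
        execv(program, argv);
        _exit(127);                                     /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[256];
    const char *hostile = "user@example.com; id";        /* constructed sample */
    build_command_unsafe(cmd, sizeof cmd, hostile);
    printf("unsafe command line: %s\n", cmd);            /* metacharacters survive */
    printf("address_is_safe(hostile) = %d\n", address_is_safe(hostile));
    printf("run_delivery_safe(/bin/true, clean) = %d\n",
           run_delivery_safe("/bin/true", "user+tag@example.com"));
    return 0;
}
```

The defensive lesson is the combination: validate the untrusted field against an allowlist, and invoke helpers with an argv array rather than a shell string, so that a single missed character class cannot turn into command execution.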

In light of these active attacks, it’s critical for Zimbra users to apply the latest patches immediately to safeguard against these threats.

