CVE-2024-45519: Hackers Exploit Flaw in Zimbra Mail Servers

Cybersecurity experts are urging the immediate update of Zimbra mail servers as a newly discovered critical vulnerability is already being actively exploited by hackers.

The vulnerability, identified as CVE-2024-45519, was discovered on September 27. Proofpoint reports that attacks on vulnerable servers began the very next day following its disclosure.

According to Project Discovery’s analysis, the issue lies within the postjournal library of Zimbra and stems from insufficient validation of user input. Hackers can insert fake addresses into the CC field of emails, disguising them as Gmail messages. As a result, instead of legitimate addresses, base64-encoded strings appear in the field, which are processed by Zimbra mail servers.

Exploiting the vulnerability allows attackers to gain unauthorized access, escalate privileges, and compromise system security. Project Discovery notes that even unpatched versions of Zimbra offer partial protection against the attack, but minor changes in command syntax allow hackers to bypass this defense.

Proofpoint data indicates that the same servers used to send malicious emails are also being leveraged to download and install malware on compromised systems. Hackers are attempting to establish web shells on vulnerable Zimbra servers, granting them the ability to execute commands and remotely upload files.

Ivan Kwiatkowski, a leading cybersecurity researcher at HarfangLab, has warned that large-scale attacks are already underway, strongly advising Zimbra users to install the updates without delay.

According to Zimbra’s security advisory page, the vulnerability was discovered by Alan Lee, a graduate student from the National Yang Ming Chiao Tung University in Taiwan. Although it has yet to be assigned an official severity rating, Project Discovery researchers have classified it as “critical” due to the severe security risks it poses.