Thousands of Zimbra servers attacked following email account compromise

Shutterstock.com / kanlaya wanon
(Image credit: Shutterstock)

A critical vulnerability has been found in open source collaboration suite Zimbra which allows crooks to run remote code execution on vulnerable servers and deploy malware.

The vulnerability is tracked as CVE-2024-45519, and is only exploitable when default settings are changed, and the postjournal service is enabled. That, luckily, reduces the attack surface significantly, but not entirely. As multiple security researchers confirmed, when this service is enabled, if a threat actor sends a specially-crafted email, the platform will attempt to download and run a file on the server.

The vulnerability seems to be residing in the “to” and “cc” fields - since researchers from Proofpoint advised Zimbra users to look for malformed, or otherwise suspicious strings, in these fields in incoming email messages.

Unreliable attack

The researchers also said the attacks they’ve seen in the wild are massive - just one honeypot received some 500 requests in no more than an hour.

But the vulnerability seems unreliable. The server downloads the malicious file, but then does nothing with it.

"That's all we've seen (so far), it doesn't really seem like a serious attack,” security Ron Bowes wrote in his analysis of the attack. “I'll keep an eye on it, and see if they try anything else!”

Zimbra released a patch for the flaw in the final days of September 2024, which researchers from Project Discovery used to release a proof-of-concept (PoC) and show the security community how it can be abused, with mixed results:

“Initially, we conducted this test on our own Zimbra server for proof of concept,” the researchers wrote. “However, when attempting to exploit the vulnerability remotely over the internet, we faced failures.”

The first attacks emerged no more than a day later, on September 28. Users are still advised to install the available patch immediately, just in case.

Via Ars Technica

More from TechRadar Pro

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Avast cybersecurity
Hackers are hijacking government software to access sensitive servers
Flag of the People's Republic of China overlaid with a technological network of wires and circuits.
One of the biggest flaws exploited by Salt Typhoon hackers has had a patch available for years
A computer being guarded by cybersecurity.
Worrying Windows security issue patched by 7-Zip, so patch now
A person's fingers type at a keyboard, with a digital security screen with a lock on it overlaid.
Veeam backup software has a serious security flaw - here's how to stay safe
A VPN runs on a mobile phone placed on a laptop keyboard
SonicWall firewalls hit by worrying cyberattack
Representational image depecting cybersecurity protection
Hackers are breaking SonicWall products to target business networks
Latest in Security
A graphic showing someone on a tablet working through a supply chain.
Security issue in open source software leaves businesses concerned for systems
ransomware avast
One of the most powerful ransomware hacks around has been cracked using some serious GPU power
person at a computer
Infamous ransomware hackers reveal new tool to brute-force VPNs
person at a computer
Many workers are overconfident at spotting phishing attacks
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft 365 accounts are under attack from new malware spoofing popular work apps
Data Breach
Thousands of healthcare records exposed online, including private patient information
Latest in News
Panos Panay and Alexa Plus
Amazon's Panos Panay teases future Alexa+ devices from speakers to possible wearables
Metroid Prime 4
I reckon the Nintendo Switch 2 could launch with Metroid Prime 4 – here’s why
Samsung Galaxy Z Fold 6
New rumors predict a foldable iPhone will launch next year – and cost almost twice as much as the iPhone 16 Pro Max
Pebble smartwatch countdown
Pebble confirms its smartwatch announcement is just hours away
Logo of YouTube Shorts
Is YouTube auto-playing Shorts when you open the app? Well, you’re not alone - here’s how to fix it
Google DeepMind panel discussion
“More sovereignty and protection” - Google goes all-in on UK AI with data residency, upskilling projects, and startup investments