"Patch yesterday" is the advice from infosec researchers as the latest critical vulnerability affecting Zimbra mail servers is now being mass-exploited.
The remote code execution vulnerability (CVE-2024-45519) was disclosed on September 27, along with a proof of concept (PoC) exploit, and Proofpoint reports that attacks using it began the following day.
According to Project Discovery's analysis of the issue, the fault lies in Zimbra's postjournal library and can be attributed to inadequate user input sanitization.
Attackers can, and evidently are, adding bogus CC addresses to emails that spoof Gmail. Instead of legitimate email addresses, CC fields are populated with base64 strings, which are then parsed and executed by Zimbra's mail servers.
"Successful exploitation can lead to unauthorized access, privilege escalation, and potential compromise of the affected system's integrity and confidentiality," the researchers said.
Project Discovery's report notes that while unpatched Zimbra versions offer a degree of protection from this attack, it can be bypassed with a small syntax tweak in the command.