CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2024-45519

CVSS 10.0v3.1pub. 2024-10-02upd. 2025-11-04

The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands.

🤖 AI Analysis
How it works

The postjournal service in Zimbra Collaboration Suite contains a command injection vulnerability (CWE-78), which under certain conditions allows unauthenticated users to execute system commands on the server. An attacker can send a specially crafted request to the postjournal service without needing any authentication credentials. Due to the lack of authentication and network accessibility of the service, the vulnerability is exceptionally easy to exploit.

Impact

An attacker can gain full control of the server by executing arbitrary system commands with Zimbra service privileges, leading to compromise of confidentiality, integrity, and availability of the system and potentially all stored email data.

Mitigation & patch

Zimbra Collaboration Suite must be immediately updated to one of the following versions containing security patches: 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, or 10.1.1. Detailed information is available in the official Zimbra Security Center and in the release notes for individual versions.

Who is affected

Synacor Zimbra Collaboration Suite (ZCS) in versions: prior to 8.8.15 Patch 46, 9.x prior to 9.0.0 Patch 41, 10.x prior to 10.0.9, and 10.1.x prior to 10.1.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Synacor Zimbra Collaboration Suite

    APP
    Synacor
    10.1.08.8.159.0.0< 8.8.1510.0.0 – 10.0.9 (bez)

CISA KEV — detailsi

Vendori
Synacor
Producti
Zimbra Collaboration Suite (ZCS)
Added to KEVi
October 3, 2024
Remediation deadline (US Federal)i
October 24, 2024(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Synacor Zimbra Collaboration Suite (ZCS) contains an unspecified vulnerability in the postjournal service that may allow an unauthenticated user to execute commands.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 24 października 2024
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2023-34192CRITICAL9.0⚠ KEVten sam produkt

Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute ar...

CVE-2022-41352CRITICAL9.8⚠ KEVten sam produkt

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files t...

CVE-2022-37042CRITICAL9.8⚠ KEVten sam produkt

Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and e...

CVE-2020-7796CRITICAL9.8⚠ KEVten sam produkt

Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet J...

CVE-2019-9670CRITICAL9.8⚠ KEVten sam produkt

mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity inj...