25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Critical Zimbra Flaw Being Mass Exploited

Posted By on Oct 4, 2024

Hackers are mass exploiting a critical command injection vulnerability to gain access to vulnerable Zimbra email servers. Successful exploitation of the flaw allows malicious code to be remotely executed on the Zimbra email server. Threat actors have been exploiting the flaw to drop and execute a webshell on the Zimbra server. Once installed, the webshell provides full access to the Zimbra server, allows the downloading and execution of additional files, and provides the required access for a more extensive network compromise.

The vulnerability is tracked as CVE-2024-45519 (CVSS base score: 9.8) and affects Zimbra’s postjournal service, which parses inbound emails over SMTP. The vulnerability can be exploited by sending a specially crafted email with malicious code in the CC field. A vulnerable Zimbra server will execute the code in the CC field when the postjournal service processes the email. Exploitation of the flaw was first detected by HarfangLab researcher Ivan Kwiatkowski and has also been confirmed by Proofpoint. Proofpoint confirmed it detected exploitation of the flaw in the wild on September 28, 2024, the day after proof-of-concept exploit code was released by Project Discovery.

A campaign has been detected that spoofs Gmail and has base-64 encoded strings of code in the CC field, which are executed by postjournal on the Zimbra server. According to Proofpoint, when installed, the webshell listens for an inbound connection with a pre-determined JSESSIONID cookie field. If present, it will parse the JACTION cookie for Base64 commands.

Zimbra has patched the vulnerability in version 9.0.0 Patch 41 and later versions, versions 10.0.9 and 10.1.1, and Zimbra 8.8.15 Patch 46 and later versions. In addition to ensuring you are running a patched version, the Project Discovery researchers also recommend disabling postjournal if it is not needed and ensuring mynetworks is properly configured to prevent unauthorized access. Even if postjournal is not enabled on the Zimbra server, the patch should be applied.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added the flaw to its Known Exploited Vulnerability (KEV) Catalog. Since the flaw is being mass exploited, immediate patching is essential to prevent exploitation.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist