Zimbra bug causes alarm among researchers, CERTs after exploitation attempts
Multiple cybersecurity agencies in Europe warned about a vulnerability affecting Zimbra’s email product that researchers have confirmed is being exploited to spread malware.
Researchers at email security company Proofpoint said they began to see exploitation of the bug, tracked as CVE-2024-45519, on September 28. Zimbra has released a patch, but several other experts said they are seeing mass targeting of the bug.
Proofpoint said it saw emails spoofing Gmail “sent to bogus addresses in the CC fields in an attempt for Zimbra servers to parse and execute them as commands.” Those compromised servers also were used to host additional malware, the company said.
Greg Lesnewich, threat researcher at Proofpoint, said it is unclear who is targeting the vulnerability and added that the exploitation is “geographically diverse and appears indiscriminate.”
“Defenders protecting Zimbra appliances should look out for odd CC or To addresses that look malformed or contain suspicious strings, as well as logs from the Zimbra server indicating outbound connections to remote IP addresses,” he said.
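The two checks described in that advice (malformed or suspicious To/Cc addresses, and unexpected outbound connections from the mail server) can be turned into a small triage script. The following Python example is added here and is not code from Proofpoint, Zimbra or the article; the sample message, the connection-log line format, the shell-metacharacter heuristic and the destination allow-list are all constructed assumptions for illustration.

```python
import re
from email import message_from_string

# Heuristic (assumption, not a Zimbra or Proofpoint rule): a recipient token that
# carries shell metacharacters has no legitimate reason to appear in To/Cc.
SHELL_META = re.compile(r"`|\$\(|\$\{|[;|&]")

# Conservative shape for a sane address: dot-atom local part @ dotted domain.
SANE_ADDRESS = re.compile(r"^[A-Za-z0-9!#%+\-=^_~.]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)+$")


def _split_recipients(header_value: str) -> list[str]:
    """Naive comma split of a To/Cc header; adequate for a triage heuristic."""
    flat = " ".join(header_value.split())  # unfold any folded header lines
    return [part.strip() for part in flat.split(",") if part.strip()]


def _extract_address(token: str) -> str:
    """Return the addr-spec from 'Name <addr>' or the bare token itself."""
    match = re.search(r"<([^>]*)>", token)
    return match.group(1).strip() if match else token.strip()


def suspicious_recipients(raw_message: str) -> list[tuple[str, str]]:
    """Return (header, token) for every To/Cc entry that is malformed or
    contains shell metacharacters."""
    msg = message_from_string(raw_message)
    findings = []
    for header in ("To", "Cc"):
        for value in msg.get_all(header, []):
            for token in _split_recipients(value):
                addr = _extract_address(token)
                if not SANE_ADDRESS.match(addr) or SHELL_META.search(token):
                    findings.append((header, token))
    return findings


def unexpected_outbound(lines: list[str], allowed: set[str]) -> list[tuple[str, int]]:
    """Flag outbound connections whose destination IP is not on the allow-list.
    The 'dst=IP:PORT' field is an assumed log format, not Zimbra's own."""
    hits = []
    for line in lines:
        match = re.search(r"dst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)", line)
        if match and match.group(1) not in allowed:
            hits.append((match.group(1), int(match.group(2))))
    return hits


# Constructed sample message: one benign Cc entry and one with a shell-style marker.
SAMPLE_MESSAGE = """\
From: "Gmail" <notify@gmail.com>
To: user@example.com
Cc: "$(sample_marker)"@example.invalid, Ops Team <ops@example.com>
Subject: constructed sample
"""

# Constructed connection-log lines; 198.51.100.9 plays the site's known upstream relay.
SAMPLE_LOG = [
    "2024-09-28T10:15:02Z zimbra proxy: outbound dst=203.0.113.45:443",
    "2024-09-28T10:15:09Z zimbra mta: outbound dst=198.51.100.9:25",
]
ALLOWED_DESTINATIONS = {"198.51.100.9"}

if __name__ == "__main__":
    for header, token in suspicious_recipients(SAMPLE_MESSAGE):
        print(f"suspicious {header} entry: {token!r}")
    for ip, port in unexpected_outbound(SAMPLE_LOG, ALLOWED_DESTINATIONS):
        print(f"unexpected outbound connection to {ip}:{port}")
```

Run over the constructed input, the script reports the quoted Cc entry with the `$(` marker and the outbound connection to 203.0.113.45; the benign recipients and the allow-listed relay pass. Tune the allow-list to the relays and update hosts the appliance legitimately talks to, and treat the metacharacter regex as a starting point rather than a complete grammar.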
National computer emergency response teams (CERTs) in Italy and Latvia have published warnings about the vulnerability, while researchers have released detailed proof-of-concept code. Other companies have published maps showing thousands of potentially vulnerable Zimbra instances across Europe.
The vulnerability has not been added to the U.S. government-run National Vulnerability Database as of Wednesday. The Cybersecurity and Infrastructure Security Agency said it is aware of the CVE but did not have any comment.
Zimbra is a widely used email platform that is a frequent target for both nation-states and cyber criminals.
Past vulnerabilities affecting Zimbra products were used to attack government agencies in Greece, Tunisia, Moldova, Vietnam and Pakistan.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.