What is the Zimbra postjournal Service?
Zimbra Collaboration Suite (ZCS) is an enterprise email, calendar, and collaboration platform. The postjournal service is an optional Zimbra component that records email communications for compliance and archiving purposes — logging copies of sent and received messages to an external journal server or storage system. It operates as a standalone process that listens for SMTP connections and processes message data passed to it from the mail system.
Because postjournal is an SMTP-facing service, it accepts input from the network. CVE-2024-45519 exposes that input path as a direct OS command injection point — an attacker can send specially crafted SMTP data to postjournal and execute arbitrary operating system commands on the Zimbra server with no authentication required.
Overview
CVE-2024-45519 is an unauthenticated OS command injection in the postjournal service of Zimbra Collaboration Suite. The read_maps function in the postjournal binary passes user-supplied SMTP input directly to popen() without sanitization, allowing an attacker to inject arbitrary shell commands. An attacker exploits this by sending a specially crafted email to a Zimbra server with postjournal enabled — the commands execute as the Zimbra service user with no authentication required.
Even where journaling is not enabled, the postjournal binary remains on disk and could be started by a configuration change or by misconfiguration in managed environments.
Affected Versions
| Status | Zimbra ZCS Version | Fixed In |
|---|---|---|
| Vulnerable | ZCS 8.8.15 Patch 45 and earlier | 8.8.15 Patch 46 |
| Vulnerable | ZCS 9.0.0 Patch 40 and earlier | 9.0.0 Patch 41 |
| Vulnerable | ZCS 10.0.x prior to 10.0.9 | 10.0.9 |
| Vulnerable | ZCS 10.1.x prior to 10.1.1 | 10.1.1 |
Technical Details
The vulnerability is in the postjournal binary (/opt/zimbra/libexec/postjournal), specifically in the read_maps function. When the postjournal service processes an SMTP connection, the msg_handler function processes incoming message data and passes it to read_maps. Inside read_maps, recipient address data from the SMTP session is incorporated into a command string and passed to popen() without any sanitization or escaping.
popen() executes its argument string through a shell (/bin/sh -c <string>). By injecting shell metacharacters into the SMTP recipient field, an attacker causes the shell to execute attacker-controlled commands:
```c
// Simplified illustration of the vulnerable pattern (not the actual postjournal source):
char cmd[1024];
snprintf(cmd, sizeof(cmd), "some-program %s", user_input); // user_input: recipient address taken from the SMTP session
FILE *fp = popen(cmd, "r");  // runs /bin/sh -c "some-program <user_input>"; shell metacharacters in user_input are honoured
if (fp) pclose(fp);
```
The fix replaces popen() with execvp() (which does not invoke a shell and is not susceptible to command injection) and adds input sanitization on the recipient field. The patched version prevents the shell injection entirely.
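To make the popen() versus execvp() contrast concrete, here is an added example written for this page (it is not the postjournal source or Zimbra's fix). The same recipient string is handed once to popen(), which runs it through /bin/sh -c, and once to fork()+execvp(), which passes it as a single argv element that no shell ever parses. `echo` stands in for whatever helper program postjournal really invokes, which the page does not name; the recipient strings are constructed, and `recipient_is_clean()` is a hypothetical allow-list check standing in for the sanitization the patch adds.

```c
/*
 * Added illustration, not postjournal's code: the same recipient string
 * handed to popen() (shell) versus fork()+execvp() (no shell).
 * "echo" stands in for the helper program the real binary invokes.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Read everything the child writes to the pipe into out (NUL-terminated). */
static void read_all(int fd, char *out, size_t outlen) {
    size_t n = 0;
    ssize_t r;
    while (n + 1 < outlen && (r = read(fd, out + n, outlen - n - 1)) > 0)
        n += (size_t)r;
    out[n] = '\0';
}

/* Vulnerable pattern: the recipient is interpolated into a shell command line. */
int lookup_via_shell(const char *recipient, char *out, size_t outlen) {
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "echo %s", recipient);
    FILE *fp = popen(cmd, "r");        /* /bin/sh -c "echo <recipient>" */
    if (!fp) return -1;
    read_all(fileno(fp), out, outlen);
    return pclose(fp);
}

/* Hardened pattern: argv goes to execvp(); the recipient is one literal argument. */
int lookup_via_execvp(const char *recipient, char *out, size_t outlen) {
    int pfd[2];
    if (pipe(pfd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                    /* child: stdout -> pipe, then exec */
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[0]);
        close(pfd[1]);
        char *argv[] = { "echo", (char *)recipient, NULL };
        execvp(argv[0], argv);
        _exit(127);                    /* only reached if exec fails */
    }
    close(pfd[1]);
    read_all(pfd[0], out, outlen);
    close(pfd[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return status;
}

/* Defence in depth (hypothetical check): allow only characters that belong in a
 * plain address, so shell metacharacters are rejected even if a shell path remains. */
int recipient_is_clean(const char *recipient) {
    const char *allowed =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@._+-";
    size_t len = strlen(recipient);
    if (len == 0 || len > 254 || strchr(recipient, '@') == NULL) return 0;
    return strspn(recipient, allowed) == len;
}

int main(void) {
    /* Constructed sample input: a legitimate address and one carrying an injected command. */
    const char *benign = "alice@example.com";
    const char *hostile = "alice@example.com; echo INJECTED";
    char out[256];
    lookup_via_shell(hostile, out, sizeof out);
    printf("popen  -> %s", out);       /* a second line "INJECTED": the shell ran the payload */
    lookup_via_execvp(hostile, out, sizeof out);
    printf("execvp -> %s", out);       /* the whole string echoed back as one literal argument */
    printf("clean(%s) = %d\nclean(%s) = %d\n", benign, recipient_is_clean(benign),
           hostile, recipient_is_clean(hostile));
    return 0;
}
```

Build and run with `cc -o popen_demo popen_demo.c && ./popen_demo` (the file name is assumed). Only the popen() run prints the extra `INJECTED` line; under execvp() the metacharacters are inert data, which is why the patch's switch to execvp() closes the injection independently of the added input validation.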
Attack delivery: an attacker crafts an SMTP message whose recipient data carries the payload and delivers it to a Zimbra server, where it reaches postjournal. In the exploitation observed by Proofpoint, attackers sent emails with malicious content in the recipient address fields, with base64-encoded payloads visible in the email headers. The injected commands execute as the zimbra service user on the server.
Attack characteristics:
- Authentication required: No. Inbound SMTP message delivery needs no credentials, so anyone who can reach the mail path can trigger the injection
- User interaction: None — the attack is server-side, no user needs to open anything
- Attack complexity: Low
- Scope: Changed — commands execute on the server, crossing the security boundary of the email service
Discovery
CVE-2024-45519 was discovered by security researcher Alan Li (lebr0nli) and reported to Zimbra, which patched it in early September 2024. ProjectDiscovery subsequently reverse-engineered the postjournal binary and published a detailed technical analysis and proof-of-concept confirming the popen() injection path. Mass exploitation began within days of that public disclosure.
Exploitation Context
Proofpoint documented active mass exploitation beginning September 28, 2024 — three weeks after the patch was released but coinciding with public PoC availability. The exploitation campaign sent specially crafted emails with command injection payloads embedded in message headers. The attacker's goal was webshell installation: the injected commands download and write a JSP webshell to the Zimbra web root, providing persistent HTTPS-accessible command execution on the compromised server.
Proofpoint also noted poor operational security on the attacker's side: the threat actor used the same server both to send the exploit emails and to host the second-stage payloads, which made the attacker infrastructure straightforward to identify. The campaign was unattributed at the time of disclosure.
CISA added the CVE to the KEV catalog on October 3, 2024, the day after NVD publication, an unusually short interval that reflects the urgency of the ongoing mass exploitation.
Remediation
- Patch immediately: upgrade to ZCS 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, or 10.1.1. Apply the patch even if postjournal is not enabled, so the vulnerable binary is replaced before anyone ever starts the service.
- Verify postjournal status: check whether postjournal is enabled on your system. If it is not required for compliance journaling, disable it as an additional hardening measure:
  sudo -u zimbra /opt/zimbra/bin/zmjournalctl disable
  Alternatively, remove the binary at /opt/zimbra/libexec/postjournal.
- Network isolation: restrict access to the postjournal service port (default: 10028) to trusted mail relay hosts via firewall rules. The service should never be reachable from the public internet.
- Hunt for webshells: search the Zimbra web root (/opt/zimbra/jetty/webapps/zimbra/) for JSP files that are not part of the standard Zimbra installation. Review the Zimbra logs under /opt/zimbra/log/ for unusual commands executed during SMTP processing.
- Monitor for base64-encoded payloads in email headers: base64-encoded strings in the RCPT TO address or in message header fields of SMTP connections that reach the postjournal port are a strong indicator of exploitation attempts.
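As an added example, not taken from the page's sources or from any Zimbra tool, the following C line classifier implements the last two checks above over constructed SMTP transcript lines: it pulls the address out of a `RCPT TO:<...>` command or a `Cc:`/`To:` header and flags shell metacharacters and long base64-looking runs in it, the two traits of the payloads described above. The sample lines are constructed, and the 20-character run threshold and the metacharacter set are assumptions to tune per site.

```c
/*
 * Added example (not from the original page, Proofpoint or Zimbra): classify
 * SMTP transcript / log lines that reach postjournal. A recipient carrying
 * shell metacharacters or a long base64-looking run is flagged.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define FLAG_SHELL_META 1   /* address contains ; | & ` $ ( ) { } quotes or whitespace */
#define FLAG_BASE64_RUN 2   /* address contains a run of 20+ base64-alphabet characters */

/* Copy the address between '<' and the rightmost '>' into addr; return 0 if none.
 * Taking the rightmost '>' keeps an injected redirection such as ">/tmp/x" inside the address. */
static int extract_address(const char *line, char *addr, size_t addrlen) {
    const char *lt = strchr(line, '<');
    const char *gt = lt ? strrchr(lt, '>') : NULL;
    if (!lt || !gt || gt <= lt + 1) return 0;
    size_t n = (size_t)(gt - lt - 1);
    if (n >= addrlen) n = addrlen - 1;
    memcpy(addr, lt + 1, n);
    addr[n] = '\0';
    return 1;
}

/* Length of the longest run of characters from the base64 alphabet (A-Z a-z 0-9 + / =). */
static int longest_base64_run(const char *s) {
    int best = 0, cur = 0;
    for (; *s; s++) {
        if (isalnum((unsigned char)*s) || *s == '+' || *s == '/' || *s == '=') {
            if (++cur > best) best = cur;
        } else {
            cur = 0;
        }
    }
    return best;
}

/* Returns a bitmask of FLAG_* values; 0 means nothing suspicious (or no address found).
 * Assumed threshold: 20. Quoted local parts with spaces are legal but rare, and are flagged. */
int classify_recipient(const char *line) {
    char addr[512];
    int flags = 0;
    if (!extract_address(line, addr, sizeof addr)) return 0;
    if (strpbrk(addr, ";|&`$(){}\"' \t")) flags |= FLAG_SHELL_META;
    if (longest_base64_run(addr) >= 20) flags |= FLAG_BASE64_RUN;
    return flags;
}

int main(void) {
    /* Constructed sample lines, not captured traffic. */
    const char *samples[] = {
        "RCPT TO:<alice@example.com>",
        "RCPT TO:<bob.smith+news@mail.example.org>",
        "RCPT TO:<alice@example.com;id>",
        "RCPT TO:<\"x$(echo QUJDREVGR0hJSktMTU5PUA==|base64 -d)\"@example.com>",
        "Cc: <bGVnaXRfbG9va2luZ19sb2NhbHBhcnQ@example.com>",
        "MAIL FROM: postmaster",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int f = classify_recipient(samples[i]);
        printf("%d%s%s  %s\n", f,
               (f & FLAG_SHELL_META) ? " shell-meta" : "",
               (f & FLAG_BASE64_RUN) ? " base64-run" : "",
               samples[i]);
    }
    return 0;
}
```

Run it over a real transcript with one line per call to `classify_recipient()`; anything returning non-zero on the postjournal port deserves a look at the full session and at the web root for newly written JSP files.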
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-45519 |
| Vendor / Product | Synacor — Zimbra Collaboration Suite (ZCS) |
| NVD Published | 2024-10-02 |
| NVD Last Modified | 2025-11-04 |
| CVSS 3.1 Score | 10.0 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| CISA KEV Added | 2024-10-03 |
| CISA KEV Deadline | 2024-10-24 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| Early September 2024 | Zimbra releases fixed builds (ZCS 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, 10.1.1) |
| 2024-09-28 | Mass exploitation begins within days of ProjectDiscovery publishing its technical analysis and proof-of-concept; Proofpoint observes crafted SMTP emails installing webshells |
| 2024-10-02 | CVE-2024-45519 published at NVD |
| 2024-10-03 | Added to CISA Known Exploited Vulnerabilities catalog — one day after NVD publication |
| 2024-10-24 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2024-45519 | Vulnerability Database |
| Zimbra Blog — CVE-2024-45519 Vulnerability: Stay Secure by Updating | Vendor Advisory / Patch |
| Zimbra Release Notes — 8.8.15 Patch 46 | Vendor Advisory / Patch |
| ProjectDiscovery — Zimbra Remote Command Execution (CVE-2024-45519) | Security Research |
| Help Net Security — Critical Zimbra RCE Vulnerability Under Mass Exploitation | Press/Media Coverage |
| CISA KEV Catalog Entry | US Government |
| CISA BOD 22-01 | Remediation Directive |
| CWE-78 — OS Command Injection | Weakness Classification |