
CVE-2024-45519

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 02 October 2024

Modified: 04 November 2025
KEV Added: 03 October 2024
CVSS Score (v3.1): 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.9416 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-45519 is a critical-severity OS Command Injection (CWE-78) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is an unauthenticated command execution flaw in the postjournal service of Zimbra Collaboration (ZCS). It affects all versions prior to 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1, carries a CVSS 3.1 score of 10.0, and is classified as CWE-78 (OS command injection).

Unauthenticated remote attackers can reach the postjournal service over the network and execute arbitrary commands with the privileges of the service, resulting in full confidentiality, integrity, and availability impact on affected Zimbra deployments without any user interaction or authentication.

Zimbra's security advisories and release notes direct administrators to apply the listed patches for each branch, which are documented in the vendor's Security Center and the specific fix entries for 8.8.15/P46, 9.0.0/P41, 10.0.9, and 10.1.1.
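As an added check, not part of this advisory and not Zimbra's own tooling, the script below encodes the fix thresholds listed above and flags a release that predates the fix for its branch. The release-string layout it parses is an assumption modelled on the output of `zmcontrol -v`; the sample line is constructed, so adapt the regexes to what your deployment actually prints.

```python
"""Flag Zimbra Collaboration releases that predate the CVE-2024-45519 fixes.

Fix thresholds (from the advisory): 8.8.15 Patch 46, 9.0.0 Patch 41,
10.0.9 and 10.1.1. Everything below is an added example, not vendor code.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# ASSUMED layout, modelled on `zmcontrol -v`; this sample line is constructed.
SAMPLE_OUTPUT = ("Release 8.8.15_GA_3869.UBUNTU18_64_20190918004220 "
                 "UBUNTU18_64 FOSS edition, Patch 8.8.15_P46.")

_RELEASE_RE = re.compile(r"Release\s+(\d+)\.(\d+)\.(\d+)")
_PATCH_RE = re.compile(r"Patch\s+\d+\.\d+\.\d+_P(\d+)")


def parse_release(text: str) -> Tuple[Version, Optional[int]]:
    """Extract (major, minor, micro) and the patch level, if one is printed."""
    m = _RELEASE_RE.search(text)
    if not m:
        raise ValueError("no 'Release x.y.z' token found")
    version = tuple(int(x) for x in m.groups())
    p = _PATCH_RE.search(text)
    return version, (int(p.group(1)) if p else None)


def is_vulnerable(version: Version, patch: Optional[int] = None) -> bool:
    """True when the release is below the fix threshold for its branch.

    An unknown patch level on 8.8.15 / 9.0.0 is treated as vulnerable,
    because those branches are only fixed by a patch, not by the version.
    """
    major, minor, _micro = version
    if version < (8, 8, 15):
        return True                              # every release before 8.8.15 P46
    if version == (8, 8, 15):
        return patch is None or patch < 46
    if version == (9, 0, 0):
        return patch is None or patch < 41
    if (major, minor) == (10, 0):
        return version < (10, 0, 9)
    if (major, minor) == (10, 1):
        return version < (10, 1, 1)
    return False  # branches outside the advisory's affected range


def check_release(text: str) -> Tuple[Version, Optional[int], bool]:
    """Parse a release string and return (version, patch, vulnerable)."""
    version, patch = parse_release(text)
    return version, patch, is_vulnerable(version, patch)


if __name__ == "__main__":
    print(check_release(SAMPLE_OUTPUT))
```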

The CVE maintains an extremely high EPSS score with a current value of 0.9416 and a recorded peak of 0.9503.

Vulnerability details

The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands.

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 03 October 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Synacor
Product: Zimbra Collaboration Suite
Versions: 10.1.0, 8.8.15, 9.0.0 · ≤ 8.8.15 · 10.0.0 to 10.0.9

Mitigating Controls (NIST 800-53 r5) AI

- SI-2 (Flaw Remediation), prevent: Directly requires timely application of vendor patches that eliminate the unauthenticated command-execution flaw in postjournal.
- AC-3 (Access Enforcement), prevent: Enforces access-control decisions so the postjournal service cannot be reached by unauthenticated remote actors.
- Input validation, prevent: Requires validation of all input to the postjournal service, blocking the OS command injection (CWE-78) that enables arbitrary execution.
