CVE-2024-45519
Published: 02 October 2024
Summary
CVE-2024-45519 is a critical-severity OS Command Injection (CWE-78) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is an unauthenticated command execution flaw in the postjournal service of Zimbra Collaboration (ZCS). It affects all versions prior to 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1, carries a CVSS 3.1 score of 10.0, and is classified as CWE-78 (OS command injection).
Unauthenticated remote attackers can reach the postjournal service over the network and execute arbitrary commands with the privileges of the service, resulting in full confidentiality, integrity, and availability impact on affected Zimbra deployments without any user interaction or authentication.
Zimbra's security advisories and release notes direct administrators to apply the listed patches for each branch, which are documented in the vendor's Security Center and the specific fix entries for 8.8.15/P46, 9.0.0/P41, 10.0.9, and 10.1.1.
The CVE maintains an extremely high EPSS score with a current value of 0.9416 and a recorded peak of 0.9503.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-41520
Vulnerability details
The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands.
- CWE(s): CWE-78
- KEV Date Added: 03 October 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly requires timely application of vendor patches that eliminate the unauthenticated command-execution flaw in postjournal.
Enforces access-control decisions so the postjournal service cannot be reached by unauthenticated remote actors.
Requires validation of all input to the postjournal service, blocking the OS command injection (CWE-78) that enables arbitrary execution.