The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands.
https://thehackernews.com/2024/10/researchers-sound-alarm-on-active.html
https://www.darkreading.com/cyberattacks-data-breaches/recent-zimbra-rce-under-attack-patch-now
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes
Published: 2024-10-02
Updated: 2025-02-25
Known Exploited Vulnerability (KEV)
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Severity: Critical
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: Critical
EPSS: 0.9415
Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.
Vulnerability of Interest