Recently, hackers have been exploiting a remote code execution (RCE) vulnerability, CVE-2024-45519, in Zimbra email servers. The flaw allows attackers to execute commands by sending specially crafted emails to the server’s simple mail transfer protocol (SMTP), giving them full control over the compromised system.
What happened
Security researchers from Proofpoint confirmed that starting September 28, 2024, attackers began exploiting Zimbra’s post journal service using emails containing malicious code in the "CC" field.
The vulnerability was initially reported by HarfangLab's Ivan Kwiatkowski and later verified by other cybersecurity experts at Proofpoint. Although Zimbra has released patches for affected versions, many systems remain vulnerable to exploitation.
Going deeper
CVE-2024-45519 was disclosed in a report by Project Discovery, along with a proof-of-concept exploit. The vulnerability was identified in the Zimbra postjournal service, a popular email platform many enterprises use. The exploit uses base64-encoded strings executed via the 'sh' shell, the webshell allows file downloads, arbitrary command execution, and data theft.
Related: Most common email server vulnerabilities
What was said
Proofpoint researchers stated, "We saw a spike in mass exploitation of Zimbra servers starting just one day after the proof-of-concept for CVE-2024-45519 was released." They also warned that "organizations using Zimbra should apply the latest patches immediately to avoid possible widespread compromises."
By the numbers
- The vulnerability affects Zimbra versions earlier than 9.0.0 Patch 41.
- At least 10% of the vulnerable servers were exploited within the first week of disclosure.
- Approximately 50,000 email servers are running on Zimbra worldwide, many of which could be unpatched.
Why it matters
Zimbra is widely used by businesses and institutions, including healthcare providers, handling sensitive data. If left unpatched, the vulnerability could lead to data breaches, exposing protected health information (PHI) and violating HIPAA and other compliance standards.
The bottom line
Organizations using Zimbra must immediately upgrade to the latest patched versions to avoid being compromised. Moreover, organizations that handle PHI must regularly patch their cybersecurity and use a HIPAA compliant email solution, like Paubox, to protect themselves against hackers.
Learn more: HIPAA Compliant Email: The Definitive Guide
FAQs
What is a data breach?
A breach occurs when an unauthorized party gains access, uses or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
What makes an email HIPAA compliant?
An email is HIPAA compliant when it meets the HIPAA requirements for protecting sensitive patient information. Covered entities must use a HIPAA compliant emailing platform with encryption, access controls, and audit trails to safeguard patients' protected health information (PHI) and mitigate data breaches.
Additionally, the platform must sign a business associate agreement (BAA) with the healthcare entity to ensure HIPAA compliance.
How does HIPAA compliant email help with cybersecurity?
HIPAA compliant email, like Paubox, offers audit trails, access controls, and malware scanning. These features track PHI access and limit threat exposure, enhancing security against phishing and malware attacks.
Furthermore, Paubox email meets HIPAA’s Security Rule, helping organizations avoid penalties after a cyber incident.
Kirsten Peremore
