Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A critical security vulnerability exists in Zimbra Collaboration Suite (ZCS) PostJournal service version 8.8.15 that allows unauthenticated attackers to execute arbitrary system commands via SMTP injection. The vulnerability is triggered through improper sanitization of the RCPT TO parameter, enabling command injection using shell expansion syntax (e.g., $(COMMAND)). Successful exploitation results in remote code execution under the Zimbra service context without requiring authentication.
Articles & Coverage 1
AnalysisAI
A critical unauthenticated remote code execution vulnerability exists in Zimbra Collaboration Suite PostJournal service version 8.8.15, allowing attackers to execute arbitrary system commands via SMTP injection through improper sanitization of the RCPT TO parameter using shell expansion syntax. A publicly available proof-of-concept exploit exists (PacketStorm), significantly increasing exploitation risk. With a CVSS score of 9.8 and network-accessible attack vector requiring no authentication or user interaction, this represents an immediate threat to exposed Zimbra installations.
Technical ContextAI
The vulnerability affects the PostJournal service component of Zimbra Collaboration Suite (CPE: cpe:2.3:a:zimbra:zimbra_collaboration_suite), a widely-deployed enterprise email and collaboration platform. The root cause is CWE-77 (Command Injection), specifically through improper neutralization of special elements used in OS commands within the SMTP protocol handler. The RCPT TO parameter, which normally specifies email recipients, fails to sanitize shell metacharacters such as $() command substitution syntax. When processing SMTP transactions, the service passes unsanitized user input directly to system command execution contexts, allowing attackers to inject arbitrary commands that execute with Zimbra service privileges. This affects the core mail routing infrastructure where SMTP commands are processed before authentication occurs.
RemediationAI
Organizations running Zimbra Collaboration Suite 8.8.15 should immediately consult the VulnCheck advisory at https://www.vulncheck.com/advisories/zimbra-collaboration-suite-postjournal-unauthenticated-remote-code-execution-via-smtp-injection and Zimbra's official communications at https://www.zimbra.com/ for patch availability and upgrade instructions to a remediated version. Until patching is completed, implement compensating controls including restricting SMTP access to the PostJournal service through firewall rules allowing only trusted mail relay IP addresses, deploying an SMTP proxy or gateway with input validation to filter malicious RCPT TO parameters containing shell metacharacters, and monitoring SMTP logs for command injection attempts (specifically $() syntax in recipient fields). Given the critical nature and public exploit availability, emergency patching should be prioritized over typical change management windows.
More in Zimbra Collaboration Suite
View allDirectory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zim
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. Rated medium severity (CVSS 5.4), this vuln
Zimbra Collaboration Suite (ZCS) 10.x contains a stored XSS vulnerability in the Classic UI that allows attackers to exe
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. Rated critical severity (CVSS 9.8), this vulnerabi
Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts fi
Due to an issue with incorrect sudo permissions, Zimbra Collaboration Suite (ZCS) suffers from a local privilege escalat
Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x b
Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts file
The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9,
Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enab
Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary co
Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Zimbra Collaboration before 8.6.0 Pat
Same weakness CWE-77 – Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-208960
GHSA-4cgv-84wm-gp2c