EUVD-2025-208960

CVE-2025-71275 CRITICAL
2026-03-24 VulnCheck GHSA-4cgv-84wm-gp2c
CVSS 4.0: 9.3

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

PoC Detected: Mar 25, 2026 - 16:16 (vuln.today), public exploit code
EUVD ID Assigned: Mar 24, 2026 - 15:45 (euvd), EUVD-2025-208960
Analysis Generated: Mar 24, 2026 - 15:45 (vuln.today)
CVE Published: Mar 24, 2026 - 15:21 (nvd), CRITICAL 9.3

Description

A critical security vulnerability exists in Zimbra Collaboration Suite (ZCS) PostJournal service version 8.8.15 that allows unauthenticated attackers to execute arbitrary system commands via SMTP injection. The vulnerability is triggered through improper sanitization of the RCPT TO parameter, enabling command injection using shell expansion syntax (e.g., $(COMMAND)). Successful exploitation results in remote code execution under the Zimbra service context without requiring authentication.

Analysis

A critical unauthenticated remote code execution vulnerability exists in Zimbra Collaboration Suite PostJournal service version 8.8.15, allowing attackers to execute arbitrary system commands via SMTP injection through improper sanitization of the RCPT TO parameter using shell expansion syntax. A publicly available proof-of-concept exploit exists (PacketStorm), significantly increasing exploitation risk. With a CVSS score of 9.8 and network-accessible attack vector requiring no authentication or user interaction, this represents an immediate threat to exposed Zimbra installations.

Technical Context

The vulnerability affects the PostJournal service component of Zimbra Collaboration Suite (CPE: cpe:2.3:a:zimbra:zimbra_collaboration_suite), a widely deployed enterprise email and collaboration platform. The root cause is CWE-77 (Command Injection), specifically improper neutralization of special elements used in OS commands within the SMTP protocol handler. The RCPT TO parameter, which normally specifies email recipients, is not sanitized for shell metacharacters such as the $() command substitution syntax. When processing SMTP transactions, the service passes this unsanitized user input directly to system command execution contexts, allowing attackers to inject arbitrary commands that execute with Zimbra service privileges. This affects the core mail routing infrastructure, where SMTP commands are processed before authentication occurs.

Affected Products

Zimbra Collaboration Suite version 8.8.15 is confirmed vulnerable, specifically affecting the PostJournal service component. The vulnerability is identified via CPE cpe:2.3:a:zimbra:zimbra_collaboration_suite:*:*:*:*:*:*:*:* with the wildcard suggesting potential impact across multiple versions in the 8.8.x series. Organizations should consult the official Zimbra vendor site at https://www.zimbra.com/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/zimbra-collaboration-suite-postjournal-unauthenticated-remote-code-execution-via-smtp-injection for complete affected version details and vendor confirmation.

Remediation

Organizations running Zimbra Collaboration Suite 8.8.15 should immediately consult the VulnCheck advisory at https://www.vulncheck.com/advisories/zimbra-collaboration-suite-postjournal-unauthenticated-remote-code-execution-via-smtp-injection and Zimbra's official communications at https://www.zimbra.com/ for patch availability and upgrade instructions to a remediated version. Until patching is completed, implement compensating controls including restricting SMTP access to the PostJournal service through firewall rules allowing only trusted mail relay IP addresses, deploying an SMTP proxy or gateway with input validation to filter malicious RCPT TO parameters containing shell metacharacters, and monitoring SMTP logs for command injection attempts (specifically $() syntax in recipient fields). Given the critical nature and public exploit availability, emergency patching should be prioritized over typical change management windows.
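The log-monitoring control described above can be sketched as follows. This is an added example, not code from the advisory or from Zimbra: it assumes recipients appear either as `RCPT TO:<addr>` on the wire or as `to=<addr>` in Postfix-style log lines, and the sample lines are constructed. It checks a few more shell tokens than the `$()` syntax the advisory names.

```python
import re

# A recipient shows up as "RCPT TO:<addr>" in an SMTP dialogue or as
# "to=<addr>" in Postfix-style logs (assumed layout; adjust to your MTA).
RECIPIENT_RE = re.compile(r'(?:RCPT\s+TO:\s*|\bto=)<([^>]*)>', re.IGNORECASE)

# "$(" is the expansion syntax named in the advisory; the other tokens
# generalize the check. Some are legal in RFC 5321 local-parts but rare in
# real mail, so treat a hit as a lead to triage, not as proof.
SHELL_META_RE = re.compile(r'\$\(|\$\{|`|[;|&]')


def find_metachars(recipient):
    """Return the sorted, distinct shell tokens found in one recipient."""
    return sorted(set(SHELL_META_RE.findall(recipient)))


def scan(lines):
    """Return (line_number, recipient, tokens) for each suspicious recipient."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for recipient in RECIPIENT_RE.findall(line):
            tokens = find_metachars(recipient)
            if tokens:
                hits.append((number, recipient, tokens))
    return hits


# Constructed sample input: two log lines and two raw SMTP commands.
SAMPLE_LINES = [
    'Mar 25 10:01:02 mail postfix/smtpd[1201]: NOQUEUE: reject: RCPT from '
    'unknown[192.0.2.10]: 550 5.1.1; from=<a@example.test> '
    'to=<user$(COMMAND)@example.test> proto=ESMTP',
    'Mar 25 10:01:05 mail postfix/smtp[1302]: 4F2A1: '
    'to=<alice@example.test>, relay=local, status=sent',
    'RCPT TO:<bob`COMMAND`@example.test>',
    'rcpt to:<carol+tag@example.test>',
]

if __name__ == "__main__":
    for number, recipient, tokens in scan(SAMPLE_LINES):
        print(f"line {number}: {recipient!r} contains {tokens}")
```

The same `find_metachars` check can back a reject rule in an SMTP proxy or gateway placed in front of the service.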

Priority Score

67
KEV: 0
EPSS: +0.5
CVSS: +46
POC: +20
