CVE-2024-27442: 
Zimbra Collaboration Server vulnerability analysis and mitigation

A local privilege escalation vulnerability was discovered in Zimbra Collaboration (ZCS) versions 9.0 and 10.0. The vulnerability affects the zmmailboxdmgr binary component, which is designed to be executed by the zimbra user with root privileges for specific mailbox operations. The issue was disclosed and patched in February 2024 (Zimbra Release Notes, NVD).

The vulnerability stems from improper handling of input arguments in the zmmailboxdmgr binary. The issue has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-755 (Improper Handling of Exceptional Conditions) by NIST and CWE-269 (Improper Privilege Management) by CISA-ADP (NVD).

If exploited, this vulnerability allows an attacker with zimbra user access to escalate privileges to root level, potentially gaining complete control over the affected system. This could lead to unauthorized access to sensitive data and system resources (NVD).

The vulnerability has been patched in Zimbra Collaboration version 10.0.7 and version 9.0.0 Patch 39. Organizations running affected versions should upgrade to these patched versions to mitigate the risk (Zimbra Release Notes, Zimbra Patch Notes).