CVE-2024-45519: 
Zimbra Collaboration Server vulnerability analysis and mitigation

The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands. This vulnerability was discovered in September 2024 and is tracked as CVE-2024-45519 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue exists in the postjournal service which processes SMTP messages. The vulnerability allows command injection through specially crafted SMTP RCPT TO commands using $() syntax for command execution (ProjectDiscovery Blog).

This vulnerability allows unauthenticated attackers to execute arbitrary commands on affected Zimbra installations. The critical severity rating and high impact scores across confidentiality, integrity, and availability indicate that successful exploitation could lead to complete system compromise (NVD).

Zimbra has released patches to address this vulnerability in versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1. Organizations are strongly advised to upgrade to these patched versions. CISA has set a remediation date of October 24, 2024, for federal agencies to apply the fixes (Security Center).