
Security researchers have identified a new zero-day attack campaign targeting Zimbra Collaboration Suite (ZCS) that leverages malicious iCalendar (.ICS) file attachments. This campaign, detected through monitoring of unusually large .ICS calendar attachments, represents the latest in a persistent pattern of sophisticated attacks against the widely-used email and collaboration platform.[1]
The exploitation of Zimbra vulnerabilities has become a consistent threat vector for advanced persistent threat groups targeting government and enterprise organizations globally. These campaigns have repeatedly led to data theft, credential harvesting, and complete server compromise, with threat actors demonstrating sophisticated knowledge of the Zimbra architecture and rapid adoption of zero-day vulnerabilities.[2]
Historical Context of Zimbra Exploitation
The recent iCalendar file exploitation follows a well-established pattern of Zimbra targeting by sophisticated threat actors. Multiple critical vulnerabilities have been weaponized in recent years, including CVE-2022-41352, an arbitrary file upload vulnerability that was exploited as a zero-day to systematically infect servers in Central Asia.[3] Kaspersky researchers noted that this campaign was particularly concerning because disinfection proved extremely difficult, as attackers gained access to configuration files containing service account passwords, allowing persistent access even after webshell removal.
Another significant incident involved CVE-2023-37580, a reflected Cross-Site Scripting vulnerability in the Zimbra Classic Web Client that was exploited in four separate government-targeted campaigns.[4] Google’s Threat Analysis Group documented how attackers actively monitored Zimbra’s open-source repositories, with three campaigns occurring after a hotfix was publicly available on GitHub but before most users had applied the official patch. This demonstrates the sophisticated operational security and rapid adaptation capabilities of the threat actors targeting Zimbra infrastructure.
Technical Analysis of Recent Zimbra Vulnerabilities
The most recent critical Zimbra vulnerability, CVE-2024-45519, represents a severe remote code execution flaw with a CVSS score of 9.8.[5] This vulnerability exists in Zimbra’s `postjournal` service, which processes inbound emails over SMTP. The flaw stems from an input sanitization error that allows command injection through a specially crafted email with a Base64-encoded malicious payload in the `CC` field instead of a valid email address.
According to Proofpoint researchers, mass exploitation of CVE-2024-45519 began on September 28, 2024, just one day after Project Discovery published a proof-of-concept.[6] The attack chain involves sending spoofed emails containing the malicious `CC` field, which then downloads and installs a webshell on the compromised Zimbra server. The deployed webshell listens for inbound HTTP connections with a pre-determined `JSESSIONID` cookie and parses the `JACTION` cookie for Base64-encoded commands to execute.
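The webshell control channel described above (a `JACTION` cookie carrying Base64-encoded commands) is something a reverse proxy or WAF log review can look for. The following is an added detection example, not code from the article or from any of the cited researchers; it assumes that Zimbra never sets a cookie named `JACTION` itself, and the sample requests are constructed, not real captures.

```python
import base64
import binascii

# Assumption: JACTION is not a cookie Zimbra sets itself, so any request carrying it deserves a look.
SUSPECT_COOKIE = "JACTION"

def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie header into a name->value map (manual split so '=' inside Base64 survives)."""
    cookies = {}
    for chunk in header.split(";"):
        name, sep, value = chunk.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies

def try_b64_decode(value: str):
    """Decode a cookie value as Base64, tolerating stripped padding; None if it is not Base64 text."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def scan_requests(requests: list) -> list:
    """Flag requests whose Cookie header carries the control cookie. Each request is (method, path, headers)."""
    findings = []
    for method, path, headers in requests:
        cookies = parse_cookie_header(headers.get("Cookie", ""))
        if SUSPECT_COOKIE not in cookies:
            continue
        findings.append({
            "method": method,
            "path": path,
            "session": cookies.get("JSESSIONID"),   # the pre-set session cookie the shell keys on
            "decoded": try_b64_decode(cookies[SUSPECT_COOKIE]),
        })
    return findings

# Constructed sample traffic (not real captures): one benign request, one with a decodable control
# cookie, and one with a JACTION value that is not valid Base64 (still reported, decoded=None).
SAMPLE_REQUESTS = [
    ("GET", "/", {"Cookie": "ZM_TEST=true; JSESSIONID=constructed-session-1"}),
    ("GET", "/service/soap", {"Cookie": "JSESSIONID=constructed-session-2; JACTION="
                              + base64.b64encode(b"echo constructed-test").decode()}),
    ("GET", "/", {"Cookie": "JACTION=not base64!!"}),
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(f"ALERT {hit['method']} {hit['path']} session={hit['session']} decoded={hit['decoded']!r}")
```

Any hit is a trigger for isolating the host and pulling the mailbox and web server logs around that timestamp; the decoded value is kept only to help the analyst scope what was run.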
Attack Infrastructure and Attribution
HarfangLab researcher Ivan Kwiatkowski identified exploit emails originating from IP `79.124.49[.]86` based in Bulgaria.[6] Proofpoint’s Greg Lesnewich noted that the use of the same server for sending exploits and hosting payloads suggests a “relatively immature operation,” though the technical sophistication of the exploit development indicates significant capability. This combination of sophisticated exploitation techniques with operational security lapses is characteristic of several known APT groups that target collaboration software.
The Winter Vivern APT group, which has been previously documented exploiting Zimbra XSS flaws including CVE-2022-27926, was also observed exploiting CVE-2023-37580 for two weeks after the GitHub hotfix but before the official patch release.[4] North Korea’s Lazarus Group has also been observed targeting unpatched Zimbra servers to steal intelligence, indicating broad interest from multiple nation-state actors in Zimbra vulnerabilities.
Mitigation and Patching Strategies
Zimbra has released patches for CVE-2024-45519 in specific versions including 9.0.0 Patch 41+, 10.0.9+, 10.1.1+, and 8.8.15 Patch 46+.[5] The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, mandating remediation for federal agencies. Organizations running Zimbra Collaboration Suite should prioritize applying these patches immediately, given the active exploitation in the wild.
Beyond immediate patching, organizations should implement additional security controls including network segmentation, egress filtering, and robust monitoring for suspicious .ICS file attachments. The historical pattern of Zimbra exploitation demonstrates that threat actors frequently target these systems for intelligence collection and persistent access, making comprehensive security monitoring essential for detection and response.
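The opening of the article notes that the campaign was spotted by monitoring for unusually large .ICS attachments, and the paragraph above recommends the same control. The following is an added example of that check at the mail-gateway level, not code from the article or from Zimbra; the 100 KiB threshold is an assumption (routine invites are a few KB), and the test message is constructed rather than a real sample.

```python
import email
from email import policy
from email.message import EmailMessage

# Size threshold is an assumption: a routine invite is a few KB, so anything far larger deserves review.
MAX_ICS_BYTES = 100 * 1024
ICS_CONTENT_TYPES = {"text/calendar", "application/ics"}

def build_sample_message(ics_payload: bytes, filename: str = "invite.ics") -> bytes:
    """Constructed test message carrying one .ICS attachment (not a real captured sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "Meeting request"
    msg.set_content("Please see the attached invite.")
    msg.add_attachment(ics_payload, maintype="text", subtype="calendar", filename=filename)
    return msg.as_bytes()

def find_large_ics_attachments(raw_message: bytes, limit: int = MAX_ICS_BYTES) -> list:
    """Return every calendar attachment whose decoded size exceeds `limit` bytes."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        # Match on declared type or on the .ics extension, since either alone can be spoofed.
        is_ics = part.get_content_type() in ICS_CONTENT_TYPES or filename.lower().endswith(".ics")
        if not is_ics:
            continue
        payload = part.get_payload(decode=True) or b""  # decoded from base64/quoted-printable
        if len(payload) > limit:
            findings.append({
                "filename": filename,
                "size": len(payload),
                "looks_like_calendar": payload.lstrip().startswith(b"BEGIN:VCALENDAR"),
            })
    return findings

if __name__ == "__main__":
    padded = b"BEGIN:VCALENDAR\r\nVERSION:2.0\r\nX-PAD:" + b"A" * (300 * 1024) + b"\r\nEND:VCALENDAR\r\n"
    for hit in find_large_ics_attachments(build_sample_message(padded)):
        print(f"ALERT large calendar attachment {hit['filename']} ({hit['size']} bytes)")
```

Flagged messages should be quarantined for analyst review rather than dropped, since a large but legitimate recurring-event invite will occasionally trip the threshold.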
The persistent targeting of Zimbra Collaboration Suite highlights the critical importance of timely patch management and proactive threat hunting in enterprise environments. With multiple advanced threat groups continuously monitoring for and exploiting vulnerabilities in widely-used collaboration platforms, organizations must maintain rigorous security postures that include rapid patch deployment, comprehensive monitoring, and assumption of compromise exercises to identify potential breaches.