top of page
perceptive_background_267k.jpg

Zimbra Collaboration Suite (ZCS) PostJournal service version 8.8.15 contains a command injection vulnerability that allows unauthenticated attackers to execute …

Published:

23 March 2026 at 23:00:00

Alert date:

24 March 2026 at 17:03:37

Source:

nvd.nist.gov

Click to open the original link from this advisory

Enterprise Applications, Email & Messaging

Zimbra Collaboration Suite (ZCS) PostJournal service version 8.8.15 contains a critical command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands. The vulnerability stems from improper sanitization of the RCPT TO parameter via SMTP injection. Attackers can exploit this by injecting shell expansion syntax through the RCPT TO parameter to achieve remote code execution under the Zimbra service context. This vulnerability poses a high risk as it requires no authentication and allows full system command execution.

Technical details

Mitigation steps:

Affected products:

Zimbra Collaboration Suite (ZCS) PostJournal service

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2025-71275
https://packetstorm.news/files/id/212108/
https://www.vulncheck.com/advisories/zimbra-collaboration-suite-postjournal-unauthenticated-remote-code-execution-via-smtp-injection
https://www.zimbra.com/

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page