CVE-2025-71275 - Vulnerability Details

- Zimbra Collaboration Suite PostJournal 8.8.15 Unauthenticated Remote Code Execution via SMTP Injection

Description

This CVE was rejected due to being a duplicate of CVE-2024-45519.

Published: 2026-03-24

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The Zimbra Collaboration Suite version 8.8.15 contains a command injection flaw that allows attackers to execute arbitrary system commands without authentication. The vulnerability is tied to improper sanitization of the RCPT TO parameter during SMTP transactions, enabling shell expansion syntax to be injected. The weakness corresponds to CWE‑78, which signifies a system command execution vulnerability. Under the Zimbra service context the attacker can run arbitrary code, potentially granting full control over the affected system.

Affected Systems

The vulnerable component is the PostJournal service of Zimbra Collaboration Suite. Only the 8.8.15 release is listed as affected. Administrators should review any installations of ZCS that include this service version and verify whether the patch level is up to date.

Risk and Exploitability

The vulnerability scores a CVSS base of 9.3, indicating critical risk. No EPSS score is available, but the flaw allows unauthenticated remote code execution through SMTP, making it highly likely to be abused if an attacker can reach the server. Because it is not listed in CISA’s KEV catalog, active exploitation may not yet be widespread, yet the lack of authentication requirement gives an attacker a very low barrier to exploitation. The attack vector is the SMTP interface; an attacker only needs to send a crafted RCPT TO command, which the service does not properly validate.

No data.

Vendor Product Confidence Versions

Zimbra

Zimbra Collaboration Suite

100%

Version	Status	Scheme	Platform
`8.8.15`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Zimbra security update that addresses the PostJournal command injection flaw.
Configure network firewalls or access controls to block unauthenticated SMTP connections from untrusted IP ranges.
Inspect SMTP logs for anomalous RCPT TO commands that include shell expansion characters.
If a patch is not yet available, consider temporarily disabling the PostJournal service or applying a defense‑in‑depth rule to scrub RCPT TO parameters before processing.

Generated by OpenCVE AI on March 24, 2026 at 17:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation poc

Automatable yes

Technical Impact total

References

No reference.

History

Wed, 25 Mar 2026 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-78
References	https://packetstorm.news/files/id/212108/ https://www.vulncheck.com/advisories/zimbra-collaboration-suite-postjournal-unauthenticated-remote-code-execution-via-smtp-injection https://www.zimbra.com/
Metrics	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}`

Wed, 25 Mar 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description	Zimbra Collaboration Suite (ZCS) PostJournal service version 8.8.15 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by exploiting improper sanitization of the RCPT TO parameter via SMTP injection. Attackers can inject shell expansion syntax through the RCPT TO parameter to achieve remote code execution under the Zimbra service context.	This CVE was rejected due to being a duplicate of CVE-2024-45519.
Metrics	cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`	cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}`

Wed, 25 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Zimbra Zimbra zimbra Collaboration Suite
Vendors & Products		Zimbra Zimbra zimbra Collaboration Suite

Tue, 24 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 24 Mar 2026 16:00:00 +0000

Type	Values Removed	Values Added
Description	A critical security vulnerability exists in Zimbra Collaboration Suite (ZCS) PostJournal service version 8.8.15 that allows unauthenticated attackers to execute arbitrary system commands via SMTP injection. The vulnerability is triggered through improper sanitization of the RCPT TO parameter, enabling command injection using shell expansion syntax (e.g., $(COMMAND)). Successful exploitation results in remote code execution under the Zimbra service context without requiring authentication.	Zimbra Collaboration Suite (ZCS) PostJournal service version 8.8.15 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by exploiting improper sanitization of the RCPT TO parameter via SMTP injection. Attackers can inject shell expansion syntax through the RCPT TO parameter to achieve remote code execution under the Zimbra service context.
Weaknesses	CWE-77	CWE-78

Tue, 24 Mar 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		A critical security vulnerability exists in Zimbra Collaboration Suite (ZCS) PostJournal service version 8.8.15 that allows unauthenticated attackers to execute arbitrary system commands via SMTP injection. The vulnerability is triggered through improper sanitization of the RCPT TO parameter, enabling command injection using shell expansion syntax (e.g., $(COMMAND)). Successful exploitation results in remote code execution under the Zimbra service context without requiring authentication.
Title		Zimbra Collaboration Suite PostJournal 8.8.15 Unauthenticated Remote Code Execution via SMTP Injection
Weaknesses		CWE-77
References		https://packetstorm.news/files/id/212108/ https://www.vulncheck.com/advisories/zimbra-collaboration-suite-postjournal-unauthenticated-remote-code-execution-via-smtp-injection https://www.zimbra.com/
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Zimbra Zimbra Collaboration Suite

MITRE

Status: REJECTED

Assigner: VulnCheck

Published: 2026-03-24T15:21:05.396Z

Updated: 2026-03-25T15:39:37.827Z

Reserved: 2026-03-18T19:38:57.984Z

Link: CVE-2025-71275

Vulnrichment

Updated: 2026-03-24T15:51:23.780Z

NVD

Status : Rejected

Published: 2026-03-24T16:16:27.593

Modified: 2026-03-25T16:16:08.033

Link: CVE-2025-71275

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:49:58Z

Weaknesses

No weakness.

Impact

Affected Systems

Risk and Exploitability

Tracking

Exploitation poc

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object