CVE-2025-71275 PUBLISHED

Zimbra Collaboration Suite PostJournal 8.8.15 Unauthenticated Remote Code Execution via SMTP Injection

Assigner: VulnCheck
Reserved: 18.03.2026 Published: 24.03.2026 Updated: 24.03.2026

The PostJournal service in Zimbra Collaboration Suite (ZCS) version 8.8.15 contains a command injection vulnerability reachable via SMTP injection: the RCPT TO parameter is improperly sanitized, so unauthenticated attackers can inject shell expansion syntax through it and execute arbitrary system commands. The result is remote code execution under the Zimbra service context.
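
As a defensive illustration of the flaw described above (an added example, not code from Zimbra or from the CVE record): a Python check that flags SMTP RCPT TO arguments carrying shell expansion syntax and otherwise enforces a conservative address allowlist. The function names, the allowlist pattern and the sample session are assumptions constructed for this example.

```python
import re

# RCPT TO command line; the argument is everything after the colon.
RCPT_RE = re.compile(r"^\s*RCPT\s+TO:\s*(.*)$", re.IGNORECASE)
# Shell expansion syntax: command substitution $(...) and `...`,
# and parameter expansion ${...}.
SHELL_EXPANSION = re.compile(r"\$\(|\$\{|`")
# Conservative allowlist (assumption: deliberately stricter than RFC 5321,
# which permits more characters in the local part).
SAFE_PATH = re.compile(r"<[A-Za-z0-9._+=-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*>")


def check_rcpt(line):
    """Classify one SMTP command line.

    Returns 'not-rcpt', 'ok', 'rejected' or 'shell-expansion'.
    """
    m = RCPT_RE.match(line.rstrip("\r\n"))
    if m is None:
        return "not-rcpt"
    arg = m.group(1).strip()
    if SHELL_EXPANSION.search(arg):
        return "shell-expansion"
    path = arg.split(" ", 1)[0]  # drop any ESMTP parameters after the path
    return "ok" if SAFE_PATH.fullmatch(path) else "rejected"


def scan(lines):
    """Return (line_number, verdict, line) for every RCPT TO line that is not 'ok'."""
    findings = []
    for n, line in enumerate(lines, 1):
        verdict = check_rcpt(line)
        if verdict not in ("ok", "not-rcpt"):
            findings.append((n, verdict, line))
    return findings


# Constructed sample of client-side SMTP commands; example.test is a placeholder.
SAMPLE = [
    "EHLO client.example.test",
    "MAIL FROM:<sender@example.test>",
    "RCPT TO:<alice@example.test>",
    "RCPT TO:<bob$(x)@example.test>",
    'rcpt to:<"carol`x`"@example.test>',
    "RCPT TO:<dave;x@example.test>",
    "DATA",
]

if __name__ == "__main__":
    for n, verdict, line in scan(SAMPLE):
        print(f"line {n}: {verdict}: {line}")
```

The allowlist rejects anything it does not recognise, so recipients that are legal under RFC 5321 but unusual (quoted local parts, for instance) are refused rather than passed to downstream processing.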

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor Zimbra
Product Zimbra Collaboration Suite
Versions Default: unaffected
  • Version 8.8.15 is affected

Credits

  • indoushka (finder)

Problem Types

  • Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)