CVE-2025-71275

CRITICAL NVD

CVSS Score 9.8

Severity CRITICAL

Published Mar 24, 2026

Vendor unknown

Description

Zimbra Collaboration Suite (ZCS) PostJournal service version 8.8.15 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by exploiting improper sanitization of the RCPT TO parameter via SMTP injection. Attackers can inject shell expansion syntax through the RCPT TO parameter to achieve remote code execution under the Zimbra service context.

References

https://packetstorm.news/files/id/212108/
https://www.vulncheck.com/advisories/zimbra-collaboration-suite-postjournal-unauthenticated-remote-code-execution-via-smtp-injection
https://www.zimbra.com/