CVE-2025-71275

Zimbra Collaboration Suite PostJournal 8.8.15 Unauthenticated Remote Code Execution via SMTP Injection

Description

Zimbra Collaboration Suite (ZCS) PostJournal service version 8.8.15 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by exploiting improper sanitization of the RCPT TO parameter via SMTP injection. Attackers can inject shell expansion syntax through the RCPT TO parameter to achieve remote code execution under the Zimbra service context.

Affected Products

Vendor	Product	Versions
Zimbra	Zimbra Collaboration Suite	8.8.15

References

https://packetstorm.news/files/id/212108/(exploit)
https://www.zimbra.com/(product)
https://www.vulncheck.com/advisories/zimbra-collaboration-suite-postjournal-unauthenticated-remote-code-execution-via-smtp-injection(third-party-advisory)

CVSS 3.19.8 NONE

CISA KEV❌ No

Actively exploited❌ No

CWECWE-78

Published3/24/2026

Last enriched2h ago

Trending Score0

Source articles0

Independent0

Info Completeness5/14

Missing: vendor, product, versions, epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Pin to Dashboard

Verification

State: verified

Confidence: 100%