CVE-2025-71275

Name of the Vulnerable Software and Affected Versions Zimbra Collaboration Suite (ZCS) version 8.8.15

Description The Zimbra Collaboration Suite (ZCS) PostJournal service version 8.8.15 contains a command injection issue. Unauthenticated attackers can execute arbitrary system commands by exploiting improper sanitization of the RCPT TO parameter via SMTP injection. Attackers can inject shell expansion syntax through the RCPT TO parameter to achieve remote code execution under the Zimbra service context. The vulnerability is triggered through the SMTP protocol, specifically targeting the RCPT TO parameter.

Recommendations Update Zimbra Collaboration Suite (ZCS) to a version beyond 8.8.15.