Actively Exploited Zimbra XSS Leaves Over 10,000 Servers Exposed
More than 10,000 internet-exposed Zimbra Collaboration Suite servers remain vulnerable to CVE-2025-48700, an actively exploited cross-site scripting flaw that affects ZCS versions 8.8.15, 9.0, 10.0, and 10.1. The bug lets unauthenticated attackers execute arbitrary JavaScript in a victim’s session and steal sensitive data when a user opens a malicious email in the Zimbra Classic UI. Synacor released patches in June 2025, but Shadowserver still reported roughly 10,500 exposed unpatched systems, with the largest concentrations in Asia and Europe.
CISA has added CVE-2025-48700 to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to secure affected servers within days because the flaw is being abused in the wild. The warning follows a broader pattern of Zimbra vulnerabilities being used in espionage-focused campaigns, with reporting linking earlier exploitation of similar flaws to Russian-aligned groups including APT28, APT29, and Winter Vivern against Ukrainian entities, NATO-aligned organizations, and other targets.
Timeline
Apr 24, 2026
Shadowserver reports over 10,500 exposed unpatched Zimbra servers
Shadowserver observed more than 10,500 internet-exposed Zimbra servers still unpatched and vulnerable to CVE-2025-48700, with the highest concentrations in Asia and Europe. The finding showed that large-scale exposure persisted despite patches having been available since June 2025.
Apr 20, 2026
CISA adds CVE-2025-48700 to KEV and orders federal remediation
CISA added CVE-2025-48700 to its Known Exploited Vulnerabilities catalog after determining it was being actively exploited in the wild. The agency directed Federal Civilian Executive Branch agencies to secure affected Zimbra servers within three days, with remediation due by April 23, 2026.
Jun 1, 2025
Synacor releases patches for Zimbra XSS flaw CVE-2025-48700
Synacor released security updates in June 2025 to fix CVE-2025-48700, a cross-site scripting vulnerability affecting multiple Zimbra Collaboration Suite versions. The flaw can let unauthenticated attackers execute JavaScript in a victim's session when a malicious email is viewed in the Classic UI.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Threat Actors
Organizations
Affected Products
Sources
Related Stories
CISA Adds Actively Exploited Zimbra XSS Flaw to KEV Catalog
**CISA** added **CVE-2025-66376** to its **Known Exploited Vulnerabilities (KEV)** catalog after confirming active exploitation of a **stored cross-site scripting (XSS)** flaw in **Synacor Zimbra Collaboration Suite (ZCS)**. The vulnerability affects the *Classic UI* and allows remote unauthenticated attackers to abuse CSS `@import` directives embedded in email HTML, creating a path to execute malicious JavaScript in a victim's browser session. The KEV entry describes the issue as a **CWE-79** XSS vulnerability and directs organizations to apply vendor mitigations, follow **BOD 22-01** guidance for cloud services, or discontinue use if mitigations are unavailable. CISA ordered **Federal Civilian Executive Branch (FCEB)** agencies to remediate the flaw by **April 1**, while also urging private-sector organizations to patch quickly because the bug is being exploited in the wild. Reporting on the KEV addition notes that the flaw was patched by Zimbra earlier and could enable session hijacking and theft of sensitive data within affected Zimbra environments through malicious HTML email content. The same KEV update also included other unrelated vulnerabilities, but the Zimbra entry is the relevant event tied to the active exploitation warning and federal patching directive.
1 months ago
Zimbra Zero-Day Exploited via Malicious ICS Files Targeting Brazilian Military
A critical security vulnerability in Zimbra Collaboration Suite, tracked as CVE-2025-27915, was exploited as a zero-day in targeted cyberattacks against the Brazilian military. The flaw, a stored cross-site scripting (XSS) vulnerability in the Classic Web Client, resulted from insufficient sanitization of HTML content in ICS (iCalendar) calendar files. Attackers leveraged this vulnerability by sending malicious ICS files embedded with JavaScript code, which executed when a user viewed an email containing the crafted calendar entry. The JavaScript payload enabled arbitrary code execution within the victim's session, allowing attackers to perform unauthorized actions such as setting email filters to redirect messages to attacker-controlled addresses. This facilitated data exfiltration, including the theft of credentials, emails, contacts, and shared folders from compromised Zimbra accounts. The malicious campaign involved threat actors spoofing the Libyan Navy's Office of Protocol to deliver the exploit to Brazilian military targets. The ICS files used in the attack were notably large and contained obfuscated JavaScript, often encoded in Base64 to evade detection. The payload was designed to operate asynchronously and utilized Immediately Invoked Function Expressions (IIFEs) for execution. Researchers at StrikeReady Labs discovered the attack by monitoring for unusually large ICS attachments containing JavaScript. The campaign began at the start of January 2025, prior to Zimbra releasing patches for the vulnerability. Zimbra addressed the issue in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5, released on January 27, 2025, but did not initially disclose that the vulnerability had been exploited in the wild. The attack also included mechanisms to hide certain user interface elements, further reducing the likelihood of detection by end users. The malicious script searched for emails in specific folders and added filter rules named "Correo" to forward messages to a ProtonMail address controlled by the attackers. The exfiltrated data was sent to an external server, ffrk[.]net, under the attackers' control. The exploitation of this vulnerability highlights the risks associated with insufficient input sanitization in webmail platforms and the effectiveness of social engineering tactics, such as spoofing trusted entities. The incident underscores the importance of timely patching and monitoring for anomalous file attachments in email systems. Security researchers recommend organizations using Zimbra Collaboration Suite apply the latest patches and review email filtering rules for signs of compromise. The attack demonstrates the evolving sophistication of threat actors in leveraging zero-day vulnerabilities for targeted espionage campaigns against high-value organizations.
1 months ago
APT28 Exploits Zimbra XSS Flaw to Breach Ukrainian Government Webmail
**APT28**, the Russia-linked threat group associated with the GRU, used a phishing campaign dubbed *Operation GhostMail* to target Ukrainian government entities by exploiting **Zimbra Collaboration Suite** vulnerability `CVE-2025-66376`. The campaign targeted the **State Hydrographic Service of Ukraine**, a critical infrastructure body supporting maritime navigation and hydrographic operations. The attack used a single email written in Ukrainian and disguised as a routine internship inquiry; instead of relying on attachments or links, the malicious payload was embedded directly in the HTML body and executed when opened in a vulnerable Zimbra webmail session. Researchers said the stored XSS flaw allowed attackers to run obfuscated JavaScript in the victim’s browser, enabling theft of login credentials, session tokens, backup two-factor authentication codes, browser-stored passwords, and up to 90 days of mailbox data. Reporting also notes the flaw was patched in November and later added by **CISA** to its **Known Exploited Vulnerabilities** catalog, with U.S. federal civilian agencies ordered to remediate within two weeks under `BOD 22-01`. The operation stood out for abusing a trusted webmail environment to hijack authenticated sessions without deploying traditional malware, helping the intrusion evade many standard phishing and endpoint defenses.
1 months ago