10,000+ Zimbra servers exposed to active XSS attacks

Summary
– Over 10,500 Zimbra Collaboration Suite servers remain unpatched and exposed online, with most located in Asia and Europe.
– The vulnerability CVE-2025-48700 affects ZCS versions 8.8.15, 9.0, 10.0, and 10.1, allowing unauthenticated attackers to execute arbitrary JavaScript via malicious email in the Classic UI.
– Synacor released patches in June 2025, and CISA added the flaw to its Known Exploited Vulnerabilities catalog on April 21, ordering federal agencies to patch by April 23.
– State-backed Russian hackers APT28 exploited a separate Zimbra XSS flaw (CVE-2025-66376) in phishing attacks targeting Ukrainian government entities since January 2025.
– Zimbra vulnerabilities are frequently exploited, including past attacks by Winter Vivern (2023) and APT29 (2024) to steal emails and credentials.
More than 10,000 publicly accessible Zimbra Collaboration Suite (ZCS) servers remain vulnerable to active attacks exploiting a cross-site scripting (XSS) vulnerability, as reported by the nonprofit security group Shadowserver.
Zimbra, a widely used email and collaboration platform serving hundreds of millions of users globally, including numerous government agencies and thousands of enterprises, is at the center of this security alert. The flaw, designated CVE-2025-48700, impacts ZCS versions 8.8.15, 9.0, 10.0, and 10.1. It enables unauthenticated attackers to execute arbitrary JavaScript within a user’s session, potentially accessing sensitive information without any user interaction.
Synacor released security patches for CVE-2025-48700 in June 2025, warning that the exploit triggers automatically when a user views a specially crafted email in the Zimbra Classic UI. On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog after confirming active exploitation in the wild. CISA also mandated that Federal Civilian Executive Branch (FCEB) agencies secure their Zimbra servers within three days, by April 23.
By Friday, Shadowserver reported that over 10,500 exposed Zimbra servers remain unpatched, with the highest concentrations in Asia (3,794) and Europe (3,793). While CISA did not specify details of CVE-2025-48700 attacks, another XSS vulnerability (CVE-2025-66376), patched in early November, was exploited by the state-backed APT28 (Fancy Bear, Strontium) group. These hackers used phishing attacks targeting Ukrainian government entities starting in January, in a campaign dubbed Operation GhostMail by Seqrite Labs.
The campaign targeted the Ukrainian State Hydrology Agency, a critical infrastructure entity under the Ministry of Infrastructure, delivering an obfuscated JavaScript payload when recipients opened malicious emails in vulnerable Zimbra webmail sessions. “The phishing email has no malicious attachments, no suspicious links, no macros. The entire attack chain lives inside the HTML body of a single email,” Seqrite Labs noted.
Zimbra flaws are frequently exploited in attacks, having compromised thousands of vulnerable email servers in recent years. In February 2023, Russian Winter Vivern cyberespionage actors used a reflected XSS exploit to breach Zimbra webmail portals, stealing emails from NATO-aligned organizations, including military personnel and diplomats. More recently, in October 2024, U.S. and U.K. cyber agencies warned that APT29 (Cozy Bear, Midnight Blizzard), linked to Russia’s Foreign Intelligence Service (SVR), was targeting vulnerable Zimbra servers “at a mass scale,” exploiting a previously abused security issue to steal email account credentials.
(Source: BleepingComputer)