
Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks

Published:

24 April 2026 at 13:35:33

Alert date:

24 April 2026 at 14:01:06

Source:

bleepingcomputer.com


Email & Messaging, Zero-Day Vulnerabilities, Enterprise Applications

Over 10,000 Zimbra Collaboration Suite (ZCS) instances exposed online are vulnerable to ongoing attacks exploiting a cross-site scripting (XSS) security flaw. CISA has confirmed active exploitation of this vulnerability affecting thousands of servers worldwide. The XSS vulnerability allows attackers to execute malicious scripts in users' browsers when they interact with compromised Zimbra instances. This represents a significant security risk for organizations using Zimbra for email and collaboration services. The widespread nature of the vulnerability and active exploitation makes this a critical security concern requiring immediate patching and remediation efforts.

Technical details

CVE-2025-48700 is a cross-site scripting (XSS) vulnerability affecting Zimbra Collaboration Suite versions 8.8.15, 9.0, 10.0, and 10.1. It allows unauthenticated attackers to access sensitive information by executing arbitrary JavaScript within the user's session. No user interaction beyond viewing the message is required: the flaw is triggered when a user opens a maliciously crafted email in the Zimbra Classic UI. Over 10,500 vulnerable Zimbra servers are exposed online, most of them located in Asia (3,794) and Europe (3,793). The attack payload is delivered as obfuscated JavaScript contained entirely within the HTML body of a single email; no malicious attachments or suspicious links are required.

Mitigation steps:

Apply security patches released by Synacor in June 2025 to address CVE-2025-48700. Federal Civilian Executive Branch (FCEB) agencies were ordered by CISA to secure their Zimbra servers within three days by April 23. Organizations should update to the latest patched versions and monitor for malicious email messages containing JavaScript payloads.
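As an added illustration of the monitoring step above (example code written for this page, not from the advisory, Synacor or Zimbra), the following Python script walks a MIME message, parses each text/html part with the standard-library HTML parser and flags the structures that carry inline JavaScript: `<script>` elements, `on*` event-handler attributes and `javascript:` URLs in link and resource attributes. The two sample messages, the addresses in them and the finding labels are constructed for the example.

```python
"""Flag inline JavaScript in the HTML body of an email message.

Defender-side triage helper: reports WHERE script-bearing markup appears
(script element, event-handler attribute, javascript: URL) instead of
matching keywords, so obfuscation of the script text itself does not
hide the finding. Uses only the Python standard library.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

# Attributes whose value is a URL and may therefore carry a javascript: scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "data"}
JS_URL_RE = re.compile(r"^\s*javascript\s*:", re.IGNORECASE)


class ScriptFinder(HTMLParser):
    """Collects (kind, location) tuples for every script-bearing construct."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "script":
            self.findings.append(("script-tag", tag))
        for name, value in attrs:
            if name.startswith("on"):
                # onload, onerror, onmouseover, ... run script when the event fires.
                self.findings.append(("event-handler", f"{tag}@{name}"))
            elif name in URL_ATTRS and value and JS_URL_RE.match(value):
                self.findings.append(("javascript-url", f"{tag}@{name}"))


def find_inline_script(html_body: str):
    """Return the list of script-bearing constructs found in one HTML string."""
    parser = ScriptFinder()
    parser.feed(html_body)
    parser.close()
    return parser.findings


def scan_message(raw_message: bytes):
    """Parse a raw RFC 5322 message and scan every text/html part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(find_inline_script(part.get_content()))
    return findings


# Constructed sample messages (not real traffic). Addresses use the
# reserved .test TLD; the "payload" is an inert placeholder comment.
BENIGN_EMAIL = b"""From: alice@example.test
To: bob@example.test
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Bob, the report is on the intranet.</p>
<a href="https://intranet.example.test/report">Open report</a></body></html>
"""

SUSPICIOUS_EMAIL = b"""From: mallory@example.test
To: bob@example.test
Subject: Invoice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body onload="x()"><script>/* placeholder, not a real payload */</script>
<a href="javascript:void(0)">view invoice</a></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_EMAIL), ("suspicious", SUSPICIOUS_EMAIL)):
        hits = scan_message(raw)
        print(f"{label}: {len(hits)} finding(s)")
        for kind, where in hits:
            print(f"  {kind:15s} {where}")
```

A non-empty result marks a message for analyst review rather than proving it malicious, and the check belongs in mail-flow inspection in front of the server; it complements the patch, it does not replace it, because the flaw is in how the Classic UI renders the message once delivered.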

Affected products:

Zimbra Collaboration Suite (ZCS) 8.8.15
Zimbra Collaboration Suite (ZCS) 9.0
Zimbra Collaboration Suite (ZCS) 10.0
Zimbra Collaboration Suite (ZCS) 10.1

Related links:

Related CVEs:

CVE-2025-48700

Related threat actors:

IOCs:

Obfuscated JavaScript payload in the HTML body of an email
Maliciously crafted email messages targeting the Zimbra Classic UI

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
