Over 10,000 Zimbra Servers Exposed to Persistent XSS Threats

Security Flaw Exposes Thousands of Zimbra Servers to Ongoing XSS Attacks

A significant number of Zimbra Collaboration Suite (ZCS) instances are vulnerable to ongoing attacks exploiting a cross-site scripting (XSS) security flaw, according to the nonprofit security organization Shadowserver.

Vulnerability Overview

  • The vulnerability, tracked as CVE-2025-48700, affects versions 8.8.15, 9.0, 10.0, and 10.1 of the ZCS.
  • The flaw allows unauthenticated attackers to access sensitive information after executing arbitrary JavaScript within the user’s session.

According to the US Cybersecurity and Infrastructure Security Agency (CISA), the vulnerability was identified by Synacor in June 2025, when the company released security patches to address the issue.

However, numerous Zimbra servers remain unpatched, with over 10,500 instances exposed online still vulnerable to attacks.

Exposure Statistics

  • Mostly located in Asia (3,794) and Europe (3,793).

The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-48700 to its Known Exploited Vulnerabilities (KEV) Catalog on April 21, citing evidence of active exploitation.

The agency also ordered federal civilian executive branch (FCEB) agencies to secure their Zimbra servers within three days, by April 23.

In a separate incident, the state-sponsored APT28 group, also known as Fancy Bear or Strontium, exploited another XSS vulnerability (CVE-2025-66376) in Zimbra webmail sessions in phishing attacks targeting Ukrainian government entities starting in January.

The phishing campaign, codenamed Operation GhostMail by Seqrite Labs, delivered an obfuscated JavaScript payload when recipients opened the malicious emails in vulnerable Zimbra webmail sessions.
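Both the CVE-2025-48700 flaw described above and the Operation GhostMail campaign come down to the same failure mode: a webmail client rendering attacker-controlled HTML from an inbound message with scripting left intact, so the script runs with the recipient's authenticated session. The example below is added here for illustration and is not Zimbra's code or anything from the article; it shows the mitigation class a webmail renderer relies on, an allowlist sanitizer that drops script content, event-handler attributes and `javascript:` links before the message body is displayed. The sample message, tag and attribute lists, and function names are all constructed for this example.

```python
"""Allowlist HTML sanitizer for inbound e-mail bodies (added example, not Zimbra code)."""
import re
from html import escape
from html.parser import HTMLParser

# Tags a webmail renderer can safely keep; anything else is dropped (assumed policy).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li", "div", "span"}
# Per-tag attribute allowlist: no on* handlers, no style, no src anywhere.
ALLOWED_ATTRS = {"a": {"href"}}
# Void tags are emitted without a closing tag.
VOID_TAGS = {"br"}
# Only these URL schemes may appear in href; javascript:/data: never pass.
SAFE_SCHEMES = ("http://", "https://", "mailto:")
# The *content* of these tags is discarded, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}


class EmailSanitizer(HTMLParser):
    """Rebuilds the message from scratch, keeping only allowlisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside a dropped-content tag

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (e.g. img with onerror=) is dropped whole
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onerror=, onload=, style=, ...
            if name == "href":
                # Remove embedded whitespace/control chars before the scheme check.
                normalised = re.sub(r"\s", "", value or "").lower()
                if not normalised.startswith(SAFE_SCHEMES):
                    continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped


def sanitize_email_html(html: str) -> str:
    """Return a rendering-safe subset of the given HTML message body."""
    parser = EmailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample message (not from any real campaign) mixing benign
# formatting with the kinds of markup a stored-XSS payload relies on.
SAMPLE_EMAIL = (
    "<p>Hello, <b>please review</b> the attached report.</p>"
    '<script>fetch("/evil")</script>'
    '<img src="x" onerror="handler()">'
    '<a href="javascript:void(0)">click</a>'
    '<a href="https://example.com/report">report</a>'
)

if __name__ == "__main__":
    print(sanitize_email_html(SAMPLE_EMAIL))
```

Run as a script it prints the cleaned body: the paragraph and the `https://` link survive, the script block and its contents are gone, the `img` with its event handler is dropped entirely, and the `javascript:` link is reduced to plain anchor text. Rebuilding output from an allowlist, rather than trying to strip known-bad patterns from the original string, is what makes this approach hold up against obfuscated payloads.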

This is not the first time Zimbra vulnerabilities have been exploited in attacks. In February 2023, Russian Winter Vivern cyberespies used a reflected XSS exploit to breach Zimbra webmail portals and steal emails sent and received by NATO-aligned organizations and individuals.

More recently, in October 2024, US and UK cyber agencies warned that APT29 hackers linked to Russia’s Foreign Intelligence Service (SVR) were targeting vulnerable Zimbra servers “at a mass scale,” exploiting a security issue that had been previously abused to steal account credentials.

