Threat Advisory

Zimbra Vulnerability Exposes Unauthenticated XSS Attacks

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Critical Infrastructure, Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Zimbra Collaboration Suite (ZCS), an email and collaboration platform used by hundreds of millions of people worldwide. The vulnerabilities include a reflected cross-site scripting (XSS) flaw and a second XSS vulnerability that has been exploited by state-backed hackers. If exploited, these vulnerabilities can allow attackers to access sensitive information, execute arbitrary JavaScript in the victim's webmail session, and potentially steal email account credentials. The business risk and impact are significant, as exploitation can compromise user data and disrupt business operations.


  • CVE-2025-48700: This vulnerability affects ZCS 8.8.15, 9.0, 10.0, and 10.1, allowing unauthenticated attackers to execute arbitrary JavaScript within the user's session, potentially accessing sensitive information.
  • CVE-2025-66376 (CVSS score 7.5): This XSS vulnerability was exploited by the state-backed APT28 hackers in phishing attacks targeting Ukrainian government entities, delivering an obfuscated JavaScript payload when recipients opened malicious emails in vulnerable Zimbra webmail sessions.

The exploitation of these vulnerabilities poses a significant risk to affected organizations, potentially resulting in data breaches, disruption of operations, and reputational damage. The urgency of remediation is high, as over 10,500 Zimbra servers remain unpatched, with most of them located in Asia and Europe.

RECOMMENDATION:

  • We recommend updating Zimbra Collaboration Suite (ZCS) to version 10.2 or later; for installations that stay on a supported branch, update ZCS 9.0 to version 9.0.9 or later, ZCS 8.8.15 to version 8.8.15-p26 or later, and ZCS 10.1 to version 10.1.1 or later.
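To make the recommendation above actionable across a fleet, the following added example (not Zimbra's code or the advisory's) turns the listed minimum versions into a triage check over a constructed server inventory. It assumes ZCS version strings of the form `major.minor.micro` with an optional `-pNN`/`_PNN` patch suffix (as in `8.8.15-p26`), and it treats any 10.0.x installation as needing the move to 10.2 or later, which is this example's reading of the advisory rather than a statement it makes explicitly.

```python
import re
from typing import List, Tuple

# Minimum patched versions per branch, taken from the advisory's recommendation.
MIN_9_0 = (9, 0, 9)      # ZCS 9.0  -> 9.0.9 or later
MIN_10_1 = (10, 1, 1)    # ZCS 10.1 -> 10.1.1 or later
MIN_10_2 = (10, 2, 0)    # general advice: 10.2 or later
MIN_8_8_15_PATCH = 26    # ZCS 8.8.15 -> patch 26 or later

# Accepts "8.8.15-p26", "8.8.15_P25", "9.0.8", "10.2.1"; anything else is rejected.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-_]?[pP](\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, micro, patch); missing micro/patch count as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ZCS version string: {text!r}")
    major, minor, micro, patch = m.groups()
    return int(major), int(minor), int(micro or 0), int(patch or 0)


def assess(version: str) -> Tuple[str, str]:
    """Classify a ZCS version as 'patched', 'vulnerable' or 'unknown' with a reason."""
    try:
        major, minor, micro, patch = parse_version(version)
    except ValueError as exc:
        return "unknown", str(exc)
    base = (major, minor, micro)

    if base == (8, 8, 15):
        if patch >= MIN_8_8_15_PATCH:
            return "patched", f"8.8.15 patch {patch} >= p{MIN_8_8_15_PATCH}"
        return "vulnerable", f"8.8.15 patch {patch} < p{MIN_8_8_15_PATCH}; update to 8.8.15-p26 or later"
    if (major, minor) == (9, 0):
        if base >= MIN_9_0:
            return "patched", f"{version} >= 9.0.9"
        return "vulnerable", f"{version} < 9.0.9; update to 9.0.9 or later"
    if (major, minor) == (10, 1):
        if base >= MIN_10_1:
            return "patched", f"{version} >= 10.1.1"
        return "vulnerable", f"{version} < 10.1.1; update to 10.1.1 or later"
    if (major, minor) == (10, 0):
        # Assumption of this example: no 10.0.x fix is listed, so 10.0 goes to 10.2+.
        return "vulnerable", f"{version} is on the 10.0 branch; update to 10.2 or later"
    if base >= MIN_10_2:
        return "patched", f"{version} >= 10.2"
    # Branches the advisory does not list (e.g. 8.7.x) cannot be judged from it.
    return "unknown", f"{version} is not a branch covered by the advisory"


def needs_action(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return hostnames whose version is not confirmed patched (vulnerable or unknown)."""
    return [host for host, ver in inventory if assess(ver)[0] != "patched"]


# Constructed sample inventory (hostnames and versions are made up for this example).
INVENTORY = [
    ("mail-01.example.internal", "8.8.15_P25"),
    ("mail-02.example.internal", "8.8.15-p26"),
    ("mail-03.example.internal", "9.0.8"),
    ("mail-04.example.internal", "10.1.0"),
    ("mail-05.example.internal", "10.2.1"),
]

if __name__ == "__main__":
    for host, ver in INVENTORY:
        status, reason = assess(ver)
        print(f"{host:28} {ver:12} {status:10} {reason}")
    print("needs action:", needs_action(INVENTORY))
```

Unknown branches are deliberately grouped with vulnerable hosts in `needs_action`, so a server the advisory does not cover is surfaced for a manual look rather than silently passed.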

REFERENCES:

The following report contains further technical details:
https://www.bleepingcomputer.com/news/security/cisa-says-zimbra-flaw-now-exploited-over-10k-servers-vulnerable/
