Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks
More than 10,000 Zimbra Collaboration Suite installations exposed online remain vulnerable to an ongoing XSS flaw (CVE-2025-48700), risking unauthenticated data exposure via JavaScript in user sessions. Affected versions include ZCS 8.8.15, 9.0, 10.0, and 10.1; patches were released by Synacor in June 2025. CISA has flagged the vulnerability as exploited in the wild and added it to the Known Exploited Vulnerabilities catalog, with federal agencies ordered to patch by April 23, 2026. Shadowserver reports about 10,500 unpatched servers, concentrated in Asia and Europe. The situation echoes past Zimbra abuses by state-backed groups (e.g., APT28, Cozy Bear) in phishing and credential-stealing campaigns, underscoring ongoing risk to governments and enterprises.

1) Overview
- More than 10,000 Zimbra Collaboration Suite (ZCS) instances exposed online remain vulnerable to ongoing cross-site scripting (XSS) attacks.
- The vulnerability, tracked as CVE-2025-48700, affects ZCS versions 8.8.15, 9.0, 10.0, and 10.1.
- Exploitation allows unauthenticated attackers to access sensitive information by executing arbitrary JavaScript within a user’s session.
- Patches addressing the flaw were released in June 2025, with official advisories noting that exploitation requires no user interaction and can be triggered by simply viewing a malicious email in the Zimbra Classic UI.
2) Affected Versions and Technical Details
- Targeted products include Zimbra Core components across ZCS releases 8.8.15, 9.0, 10.0, and 10.1.
- The attack surface centers on the HTML body of email messages viewed in vulnerable Zimbra webmail sessions.
- The flaw enables attackers to run JavaScript in the context of a victim’s session, potentially exposing cookies, tokens, and other sensitive data without the user’s knowledge or interaction.
- The issue is not limited to a single deployment style; both on-premises and cloud-hosted Zimbra instances have been implicated in observed attack activity.
3) Exploitation in the Wild and Attack Scenarios
- Shadowserver and civil cyber defense partners report that the majority of exposed but unpatched Zimbra servers are located across Asia and Europe, with thousands more outside these regions remaining vulnerable.
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged CVE-2025-48700 as being abused in the wild and added it to the Known Exploited Vulnerabilities (KEV) catalog, reflecting active exploitation patterns.
- In parallel, a separate XSS vulnerability, CVE-2025-66376, was exploited in phishing campaigns tied to state-backed threat actors, targeting Ukrainian government entities and delivering obfuscated JavaScript payloads within plain HTML email content.
- A notable phishing operation—codenamed Operation GhostMail by Seqrite Labs—delivered no malicious attachments or links; the entire attack chain resided inside the HTML body of a crafted email, activated when recipients opened the message in a vulnerable Zimbra session.
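The technical details in sections 2 and 3 come down to one fact: the whole attack chain lives in the HTML body of a message, with no attachment or link needed. The following added example (written for this summary, not code from Zimbra, Synacor, Seqrite Labs or any researcher cited here) shows a mail-gateway triage heuristic a defender can run over incoming `.eml` files to flag HTML parts carrying inline JavaScript: `<script>`-style elements, `on*` event handlers and `javascript:` URLs. The sample message is constructed; the function and tag list are this example's own assumptions, not a signature for CVE-2025-48700.

```python
"""Triage heuristic: flag HTML email parts that carry inline JavaScript."""
import email
from email import policy
from html.parser import HTMLParser

# Elements that should not normally appear in legitimate mail bodies (assumed list).
SUSPICIOUS_TAGS = {"script", "iframe", "object", "embed"}


class _ScriptFinder(HTMLParser):
    """Collects indicators of active content from an HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in SUSPICIOUS_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):  # onerror=, onload=, onclick=, ...
                self.findings.append(f"{name}= handler on <{tag}>")
            elif name in ("href", "src") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def scan_eml(raw: bytes) -> list[str]:
    """Return a list of findings for every text/html part of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = _ScriptFinder()
        finder.feed(part.get_content())  # decoded according to the part's charset
        findings.extend(finder.findings)
    return findings


# Constructed sample: a multipart/alternative message whose HTML part carries
# an event handler, a javascript: link and a script element, but no attachment.
SAMPLE_EML = b"""From: sender@example.test
To: recipient@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Plain-text alternative.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hello</p>
<img src="x" onerror="void(0)">
<a href="javascript:void(0)">link</a>
<script>void(0)</script>
</body></html>
--b1--
"""

if __name__ == "__main__":
    for finding in scan_eml(SAMPLE_EML):
        print("FLAG:", finding)
```

A hit is a triage signal, not proof of exploitation: quarantine or strip the HTML part and correlate with the webmail server's patch level and access logs.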
4) Patch History and Vendor Response
- Security patches for CVE-2025-48700 were released by Synacor in June 2025, addressing the vulnerability across affected ZCS versions.
- The patch advisory notes that exploitation occurs without user interaction and can be triggered just by viewing a maliciously crafted email in the Classic UI.
- In the United States, CISA publicly announced the vulnerability as being actively exploited and subsequently added CVE-2025-48700 to the KEV catalog, underscoring the real-world risk.
- Federal Civilian Executive Branch (FCEB) agencies were directed to secure their Zimbra servers within a tight three-day window, with a target completion date of April 23, 2026.
5) Global Impact and Distribution
- Shadowserver monitoring shows that over 10,500 Zimbra servers remain exposed online and unpatched, representing a sizable portion of the global ZCS footprint.
- Regional distribution highlights a concentration of vulnerable systems in Asia (approximately 3,794 instances) and Europe (approximately 3,793 instances), signaling a broad, international risk posture.
- The persistence of unpatched deployments underscores the challenge of timely remediation in diverse environments, including public-sector, enterprise, and service-provider ecosystems.
6) Historical Context: Zimbra and Known Threat Actors
- Zimbra flaws have repeatedly attracted attention from various threat actors, including both state-sponsored groups and financially motivated actors, due to the potential to access sensitive communications.
- In February 2023, the Winter Vivern group reportedly exploited a reflected XSS flaw in Zimbra webmail portals to exfiltrate NATO-related emails, highlighting long-standing abuse patterns against high-value targets.
- In October 2024, security agencies in the U.S. and U.K. warned that APT29 (Cozy Bear, Midnight Blizzard), linked to Russia’s SVR, actively targeted vulnerable Zimbra servers on a mass scale using prior weaknesses to harvest credentials from emails.
- The Ukrainian incident series also featured GhostMail-like campaigns that leveraged browser- and email-based vectors to deliver JavaScript payloads without requiring user action beyond opening the message.
7) Campaigns Focused on Critical Infrastructure
- The Ukrainian hydrology and related critical infrastructure sectors appeared as high-value targets in earlier campaigns, with threat actors leveraging HTML-based payloads to compromise sessions and access credentials or session data.
- Phishing operations emphasized stealth, avoiding traditional malware attachments or links, and instead relying on embedded JavaScript within the email body to execute within a victim’s Zimbra session.
- Security researchers noted that these campaigns often used obfuscated JavaScript payloads and relied on the trust users place in familiar email interfaces, increasing the likelihood of successful exploitation.
8) Observations and Trends
- XSS flaws in collaboration and email platforms such as Zimbra continue to be attractive targets for adversaries due to the ability to operate within authenticated sessions and retrieve sensitive information.
- Exploitation frequently occurs via targeted phishing or mass-exposure campaigns that prioritize HTML-based attack chains over traditional attachment-based methods.
- Even after patches are released, a large number of servers remain exposed, indicating a gap between patch availability and broad remediation across enterprise and government deployments.
- The convergence of government alerting, KEV catalog inclusion, and ongoing exploitation demonstrates a persistent risk posture for organizations relying on Zimbra in diverse operational contexts.
9) Related Articles and Context
- Russian hackers exploit Zimbra flaw in Ukrainian government attacks.
- CISA orders federal agencies to patch Zimbra XSS flaw exploited in attacks.
10) Summary of Key Facts
- CVE-2025-48700 affects ZCS versions 8.8.15, 9.0, 10.0, and 10.1.
- Exploitation is unauthenticated and can be triggered by simply viewing a malicious email in the Classic UI.
- Patches were issued in June 2025; KEV listing and government advisories followed in 2026.
- Affected deployments exceed 10,000 servers globally, with unpatched systems concentrated in Asia and Europe.
- Historic campaigns and actors have repeatedly leveraged Zimbra flaws to target government and critical infrastructure sectors, reinforcing the importance of timely remediation and continuous monitoring.
11) Related Data Points and Visual References
- Shadowserver statistics and dashboard indicators on vulnerable Zimbra deployments.
- CISA Known Exploited Vulnerabilities (KEV) catalog entries for CVE-2025-48700.
- Historical notes on prior Zimbra XSS incidents and actor affiliations.
- Observed phishing campaigns and Operation GhostMail analyses by Seqrite Labs and security researchers.
12) Closing Context
- The ongoing exposure of more than 10,000 Zimbra servers to XSS exploitation highlights a sustained risk to email and collaboration infrastructures worldwide.
- Patch adoption and network hardening remain critical to reducing the attack surface and limiting the potential for data exposure in both government and private sector environments.