Security & Infrastructure Tools

Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks

More than 10,000 Zimbra Collaboration Suite installations exposed online remain vulnerable to an ongoing XSS flaw (CVE-2025-48700), risking unauthenticated data exposure via JavaScript in user sessions. Affected versions include ZCS 8.8.15, 9.0, 10.0, and 10.1; patches were released by Synacor in June 2025. CISA has flagged the vulnerability as exploited in the wild and added it to the Known Exploited Vulnerabilities catalog, with federal agencies ordered to patch by April 23, 2026. Shadowserver reports about 10,500 unpatched servers, concentrated in Asia and Europe. The situation echoes past Zimbra abuses by state-backed groups (e.g., APT28, Cozy Bear) in phishing and credential-stealing campaigns, underscoring ongoing risk to governments and enterprises.

TechLogHub

April 24, 2026

Keep Reading

Security & Infrastructure ToolsJun 8, 2026

Reducing security operations complexity with Wazuh Cloud

The article explains how Wazuh Cloud reduces security operations complexity by offering a fully managed, cloud-native SIEM/XDR. It highlights modern SOC challenges—extended onboarding, ongoing maintenance, high alert volumes, scaling constraints, inflexible licensing, and reactive support—across hybrid environments. It then shows how Wazuh Cloud addresses these issues with rapid time-to-value, zero-maintenance backend, an AI-powered Security Analyst, automatic scalability, flexible tiering, and proactive support. The piece describes the agent-server architecture, indexing and data pipeline, the detection engine, and the AI analyst layer, and concludes that Wazuh Cloud lowers MTTD/MTTR, reduces costs, and improves visibility, with an invitation to start a free trial.

Check Point links VPN zero-day attacks to Qilin ransomware gang

Security & Infrastructure Tools

More from the Blog

View all

Security & Infrastructure Tools

Microsoft Adds Copilot Data Controls to All Storage Locations

Microsoft is expanding its data‑loss prevention controls to block the Microsoft 365 Copilot AI assistant from processing confidential Word, Excel and PowerPoint documents regardless of where they are stored—whether on local devices or in SharePoint/OneDrive. The update will be deployed through the Augmentation Loop (AugLoop) Office component between late March and late April 2026, automatically enabling the restriction for organizations that already have DLP policies set to block Copilot from handling sensitivity‑labeled content. This change follows a bug that had allowed Copilot to summarize confidential emails in users’ Sent Items and Drafts folders despite active DLP protections.

Feb 25, 2026

Security & Infrastructure Tools

Previously harmless Google API keys now expose Gemini AI data

Stay Updated

Get the next deep dive in your inbox

Subscribe for product analysis, engineering explainers, and practical guides published on TechLogHub.

Stay Updated

Get weekly insights, product updates, and launches straight to your inbox.

1) Overview

More than 10,000 Zimbra Collaboration Suite (ZCS) instances exposed online remain vulnerable to ongoing cross-site scripting (XSS) attacks.
The vulnerability, tracked as CVE-2025-48700, affects ZCS versions 8.8.15, 9.0, 10.0, and 10.1.
Exploitation allows unauthenticated attackers to access sensitive information by executing arbitrary JavaScript within a user’s session.
Patches addressing the flaw were released in June 2025, with official advisories noting that exploitation requires no user interaction and can be triggered by simply viewing a malicious email in the Zimbra Classic UI.

2) Affected Versions and Technical Details

Targeted products include Zimbra Core components across ZCS releases 8.8.15, 9.0, 10.0, and 10.1.
The attack surface centers on the HTML body of email messages viewed in vulnerable Zimbra webmail sessions.
The flaw enables attackers to run JavaScript in the context of a victim’s session, potentially exposing cookies, tokens, and other sensitive data without the user’s knowledge or interaction.
The issue is not limited to a single deployment style; both on-premises and cloud-hosted Zimbra instances have been implicated in observed attack activity.

3) Exploitation in the Wild and Attack Scenarios

Shadowserver and civil cyber defense partners report that the majority of exposed but unpatched Zimbra servers are located across Asia and Europe, with thousands more outside these regions remaining vulnerable.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged CVE-2025-48700 as being abused in the wild and added it to the Known Exploited Vulnerabilities (KEV) catalog, reflecting active exploitation patterns.
In parallel, a separate XSS vulnerability, CVE-2025-66376, was exploited in phishing campaigns tied to state-backed threat actors, targeting Ukrainian government entities and delivering obfuscated JavaScript payloads within plain HTML email content.
A notable phishing operation—codenamed Operation GhostMail by Seqrite Labs—delivered no malicious attachments or links; the entire attack chain resided inside the HTML body of a crafted email, activated when recipients opened the message in a vulnerable Zimbra session.

4) Patch History and Vendor Response

Security patches for CVE-2025-48700 were released by Synacor in June 2025, addressing the vulnerability across affected ZCS versions.
The patch advisory notes that exploitation occurs without user interaction and can be triggered just by viewing a maliciously crafted email in the Classic UI.
In the United States, CISA publicly announced the vulnerability as being actively exploited and subsequently added CVE-2025-48700 to the KEV catalog, underscoring the real-world risk.
Federal Civilian Executive Branch (FCEB) agencies were directed to secure their Zimbra servers within a tight three-day window, with a target completion date set as April 23.

5) Global Impact and Distribution

Shadowserver monitoring shows that over 10,500 Zimbra servers remain exposed online and unpatched, representing a sizable portion of the global ZCS footprint.
Regional distribution highlights a concentration of vulnerable systems in Asia (approximately 3,794 instances) and Europe (approximately 3,793 instances), signaling a broad, international risk posture.
The persistence of unpatched deployments underscores the challenge of timely remediation in diverse environments, including public-sector, enterprise, and service-provider ecosystems.

6) Historical Context: Zimbra and Known Threat Actors

Zimbra flaws have repeatedly attracted attention from various threat actors, including both state-sponsored groups and financially motivated actors, due to the potential to access sensitive communications.
In February 2023, the Winter Vivern group reportedly exploited a reflected XSS flaw in Zimbra webmail portals to exfiltrate NATO-related emails, highlighting long-standing abuse patterns against high-value targets.
In October 2024, security agencies in the U.S. and U.K. warned that APT29 (Cozy Bear, Midnight Blizzard), linked to Russia’s SVR, actively targeted vulnerable Zimbra servers on a mass scale using prior weaknesses to harvest credentials from emails.
The Ukrainian incident series also featured GhostMail-like campaigns that leveraged browser- and email-based vectors to deliver JavaScript payloads without requiring user action beyond opening the message.

7) Campaigns Focused on Critical Infrastructure

The Ukrainian hydrology and related critical infrastructure sectors appeared as high-value targets in earlier campaigns, with threat actors leveraging HTML-based payloads to compromise sessions and access credentials or session data.
Phishing operations emphasized stealth, avoiding traditional malware attachments or links, and instead relying on embedded JavaScript within the email body to execute within a victim’s Zimbra session.
Security researchers noted that these campaigns often used obfuscated JavaScript payloads and relied on the trust users place in familiar email interfaces, increasing the likelihood of successful exploitation.

8) Observations and Trends

XSS flaws in collaboration and email platforms such as Zimbra continue to be attractive targets for adversaries due to the ability to operate within authenticated sessions and retrieve sensitive information.
Exploitation frequently occurs via targeted phishing or mass-exposure campaigns that prioritize HTML-based attack chains over traditional attachment-based methods.
Even after patches are released, a large number of servers remain exposed, indicating a gap between patch availability and broad remediation across enterprise and government deployments.
The convergence of government alerting, KEV catalog inclusion, and ongoing exploitation demonstrates a persistent risk posture for organizations relying on Zimbra in diverse operational contexts.

9) Related Articles and Context

Russian hackers exploit Zimbra flaw in Ukrainian government attacks.
CISA orders federal agencies to patch Zimbra XSS flaw exploited in attacks.
CISA flags a new SD-WAN flaw as actively exploited in attacks.
Over 1,300 Microsoft SharePoint servers vulnerable to spoofing attacks.
Actively exploited Apache ActiveMQ flaw impacting thousands of servers.

10) Summary of Key Facts

CVE-2025-48700 affects ZCS versions 8.8.15, 9.0, 10.0, and 10.1.
Exploitation is unauthenticated and can be triggered by simply viewing a malicious email in the Classic UI.
Patches were issued in June 2025; KEV listing and government advisories followed in 2026.
Affected deployments exceed 10,000 servers globally, with unpatched systems concentrated in Asia and Europe.
Historic campaigns and actors have repeatedly leveraged Zimbra flaws to target government and critical infrastructure sectors, reinforcing the importance of timely remediation and continuous monitoring.

11) Related Data Points and Visual References

Shadowserver statistics and dashboard indicators on vulnerable Zimbra deployments.
CISA Known Exploited Vulnerabilities (KEV) catalog entries for CVE-2025-48700.
Historical notes on prior Zimbra XSS incidents and actor affiliations.
Observed phishing campaigns and Operation GhostMail analyses by Seqrite Labs and security researchers.

12) Closing Context

The ongoing exposure of tens of thousands of Zimbra servers to XSS exploitation highlights a sustained risk to email and collaboration infrastructures worldwide.
Patch adoption and network hardening remain critical to reducing the attack surface and limiting the potential for data exposure in both government and private sector environments.

Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks

Related Posts

Reducing security operations complexity with Wazuh Cloud

More from the Blog

Microsoft Adds Copilot Data Controls to All Storage Locations

Previously harmless Google API keys now expose Gemini AI data

Get the next deep dive in your inbox

Stay Updated

Check Point links VPN zero-day attacks to Qilin ransomware gang

Oxford University discloses data breach after careers platform hack

Microsoft says bug in classic Outlook hides the mouse pointer

Product

Learn

Company

Legal

Stay Updated

Browse by Category

Stay Updated