Skip to content
Tech News
← Back to articles

Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks

2026-04-24 | original
read original get Zimbra Security Patch → more articles
Why This Matters

The widespread vulnerability in Zimbra Collaboration Suite highlights a critical security risk for millions of users and organizations worldwide, especially as active exploitation is ongoing. Addressing this flaw is essential to protect sensitive information and prevent targeted cyberattacks, particularly for government agencies and businesses relying on Zimbra. The situation underscores the importance of timely patch management and proactive cybersecurity measures in the industry and for consumers alike.

Key Takeaways

Over 10,000 Zimbra Collaboration Suite (ZCS) instances exposed online are vulnerable to ongoing attacks exploiting a cross-site scripting (XSS) security flaw, according to nonprofit security organization Shadowserver.

Zimbra is a popular email and collaboration software suite used by hundreds of millions of people worldwide, including hundreds of government agencies and thousands of businesses.

The vulnerability (tracked as CVE-2025-48700) affects ZCS 8.8.15, 9.0, 10.0, and 10.1 and can allow unauthenticated attackers to access sensitive information after executing arbitrary JavaScript within the user's session​​.

Synacor released security patches to address the flaw in June 2025, when it warned that CVE-2025-48700 exploits require no user interaction and can be triggered when a user views a maliciously crafted email message in the Zimbra Classic UI.

On Monday, CISA flagged CVE-2025-48700 as being abused in the wild and added it to its Known Exploited Vulnerabilities (KEV) Catalog , based on evidence of active exploitation.

The U.S. cybersecurity agency also ordered Federal Civilian Executive Branch (FCEB) agencies to secure their Zimbra servers within three days, by April 23.

On Friday, Internet security watchdog Shadowserver also warned that over 10,500 Zimbra servers exposed online remain unpatched, most of them in Asia (3,794) and Europe (3,793).

Unpatched Zimbra servers exposed online (Shadowserver)

While CISA didn't share any details about CVE-2025-48700 attacks, another XSS vulnerability (tracked as CVE-2025-66376 and patched in early November) was exploited by the state-backed APT28 (a.k.a. Fancy Bear, Strontium) military hackers in phishing attacks targeting Ukrainian government entities starting in January.

This phishing campaign (codenamed Operation GhostMail by security researchers at Seqrite Labs) also targeted the Ukrainian State Hydrology Agency (a critical infrastructure entity under the Ministry of Infrastructure that provides navigational, maritime, and hydrographic support) and delivered an obfuscated JavaScript payload when recipients opened the malicious emails in vulnerable Zimbra webmail sessions.

... continue reading

Explore topics: zimbra cve-2025-48700 shadowserver synacor cross-site scripting
Related:
Over 1,300 Microsoft SharePoint servers vulnerable to spoofing attacks
Actively exploited Apache ActiveMQ flaw impacts 6,400 servers
CISA flags Apache ActiveMQ flaw as actively exploited in attacks
CISA orders feds to patch exploited Ivanti EPMM flaw by Sunday
CISA orders feds to patch exploited Fortinet EMS flaw by Friday

© 2026 GoKawiil

About | Editorial Policy | Contact