
Over 10,000 Zimbra Collaboration Suite (ZCS) instances exposed online are at risk of ongoing attacks exploiting a cross-site scripting (XSS) security flaw, according to nonprofit security organization Shadowserver.
Zimbra is a popular email and collaboration tool suite used by hundreds of millions of people worldwide, including hundreds of government agencies and thousands of companies.
The vulnerability (tracked as CVE-2025-48700) affects ZCS 8.8.15, 9.0, 10.0, and 10.1 and can allow unauthenticated attackers to access sensitive information after executing arbitrary JavaScript within the user's session.
Synacor released security patches to address the flaw in June 2025, when it warned that CVE-2025-48700 exploits require no user interaction and can be triggered when a user views a maliciously crafted email message in the Zimbra Classic UI.
On Monday, CISA flagged CVE-2025-48700 as being abused in the wild and added it to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
The U.S. cybersecurity agency also ordered Federal Civilian Executive Branch (FCEB) agencies to secure their Zimbra servers within three days, by April 23.
On Friday, Internet security watchdog Shadowserver also warned that over 10,500 Zimbra servers exposed online remain unpatched, most of them in Asia (3,794) and Europe (3,793).

While CISA did not share any details about CVE-2025-48700 attacks, another XSS vulnerability (tracked as CVE-2025-66376 and patched in early November) was exploited by the state-backed APT28 (a.k.a. Fancy Bear, Strontium) military hackers in phishing attacks targeting Ukrainian government entities starting in January.
This phishing campaign (codenamed Operation GhostMail by security researchers at Seqrite Labs) also targeted the Ukrainian State Hydrology Agency (a critical infrastructure entity under the Ministry of Infrastructure that provides navigational, maritime, and hydrographic support) and delivered an obfuscated JavaScript payload when recipients opened the malicious emails in vulnerable Zimbra webmail sessions.
“The phishing email has no malicious attachments, no suspicious links, no macros. The entire attack chain lives inside the HTML body of a single email, there are no malicious attachments,” Seqrite Labs said at the time.
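Both the CVE-2025-48700 description (JavaScript executed in the user's session when a crafted message is viewed) and the Seqrite quote (the whole chain living in the HTML body) point at the same defensive check: mailbox triage for script-capable markup in HTML parts. The script below is an added example written for this article, not code from Zimbra, Synacor, Seqrite Labs, or any of the campaigns described. It parses a constructed .eml (the sample message and its `example.invalid` hostnames are made up), walks the MIME parts, and reports script elements, inline event-handler attributes, and `javascript:`/`data:`/`vbscript:` URLs. It is a hunting heuristic for analysts reviewing stored mail on patched or isolated systems; it does not replace patching, and obfuscated or encoded markup can evade a plain parser.

```python
"""Triage helper: flag active content in the HTML body of an email message.

Added example, not Zimbra's or Seqrite's code. Uses only the standard
library so it runs offline against a constructed sample message.
"""
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message: made-up addresses, hostnames and payload
# (a harmless placeholder, not a real exploit).
SAMPLE_EML = b"""\
From: sender@example.invalid
To: user@example.invalid
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please see the report.
--b1
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please see the report.</p>
<img src="x" onerror="console.log('constructed placeholder')">
<a href="javascript:void(0)">Open</a>
<script>/* constructed placeholder */</script>
</body></html>
--b1--
"""


class ActiveContentFinder(HTMLParser):
    """Collect findings about script-capable markup while parsing HTML."""

    # Attributes whose value is a URL and can therefore carry a script scheme.
    URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
    # Elements that can load or run code regardless of their attributes.
    ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
    SCRIPT_SCHEMES = ("javascript:", "data:", "vbscript:")

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            lname = name.lower()
            val = (value or "").strip().lower()
            if lname.startswith("on"):
                # Inline event handlers (onerror, onload, ...) run without a <script> tag.
                self.findings.append(f"event handler {lname} on <{tag}>")
            elif lname in self.URL_ATTRS and val.startswith(self.SCRIPT_SCHEMES):
                scheme = val.split(":", 1)[0]
                self.findings.append(f"{scheme}: URL in {lname} on <{tag}>")


def html_parts(raw):
    """Yield the decoded text of every text/html part in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def scan_email(raw):
    """Return a list of human-readable findings for all HTML parts of the message."""
    findings = []
    for body in html_parts(raw):
        parser = ActiveContentFinder()
        parser.feed(body)
        parser.close()
        findings.extend(parser.findings)
    return findings


if __name__ == "__main__":
    for finding in scan_email(SAMPLE_EML):
        print("FLAG:", finding)
```

In practice an analyst would point `scan_email` at exported .eml files and treat any finding as a reason to inspect the message further rather than as proof of exploitation; legitimate marketing mail rarely needs `<script>` or `onerror`, so the false-positive rate is low, but a zero-finding result says nothing about encoded or split payloads.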
Zimbra flaws are frequently exploited in attacks and have been used to breach thousands of vulnerable email servers in recent years.
For example, Russian Winter Vivern cyberespionage hackers used another reflected XSS exploit to breach Zimbra webmail portals in February 2023 and steal emails sent and received by NATO-aligned organizations and individuals, including military personnel, government officials, and diplomats.
More recently, in October 2024, U.S. and U.K. cyber agencies warned that APT29 (a.k.a. Cozy Bear, Midnight Blizzard) hackers linked to Russia's Foreign Intelligence Service (SVR) were targeting vulnerable Zimbra servers “at a mass scale,” exploiting a security issue that had previously been abused to steal email account credentials.



