Key Takeaways

- Over 10,500 Zimbra servers remain unpatched against CVE-2025-48700, an actively exploited XSS flaw
- The attack requires no user interaction beyond viewing a malicious email in Zimbra Classic UI
- CISA gave federal agencies just three days to patch, signaling the threat's severity
Over 10,500 Zimbra email servers exposed to the internet remain vulnerable to an actively exploited cross-site scripting flaw, according to nonprofit security organization Shadowserver. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on Monday, confirming attacks are happening now.
The flaw, tracked as CVE-2025-48700, affects Zimbra Collaboration Suite versions 8.8.15, 9.0, 10.0, and 10.1. Synacor released patches in June 2025. Ten months later, thousands of servers remain exposed.
No Clicks Required: How the Attack Works
What makes CVE-2025-48700 dangerous is its simplicity. The attack requires no user interaction beyond viewing the message. No malicious attachments. No suspicious links. No macros. The entire attack chain lives inside the HTML body of a single email.
When a user views a maliciously crafted email in the Zimbra Classic UI, arbitrary JavaScript executes within their session. This lets unauthenticated attackers access sensitive information without the victim taking any action beyond opening an email.
Global Exposure: Asia and Europe Hit Hardest
Shadowserver's scan found unpatched Zimbra servers concentrated in two regions. Asia accounts for 3,794 vulnerable servers. Europe has 3,793. The remaining 2,900+ are scattered across other regions.

Zimbra is popular with government agencies and businesses. Hundreds of millions of people use the email and collaboration suite worldwide. That install base makes unpatched servers attractive targets.
CISA's Three-Day Deadline
CISA ordered Federal Civilian Executive Branch agencies to secure their Zimbra servers by April 23. That gave agencies just three days from the Monday announcement. The tight deadline signals how seriously CISA views active exploitation.
CISA did not share details about who is exploiting CVE-2025-48700 or what targets they are hitting. But a related Zimbra XSS flaw offers clues about who might be interested.
APT28's Zimbra Campaign: A Preview
A separate Zimbra XSS vulnerability, CVE-2025-66376, was patched in early November. Security researchers at Seqrite Labs found that Russian state-backed hackers APT28 (also known as Fancy Bear or Strontium) had been exploiting it since January.
The campaign, codenamed Operation GhostMail, targeted Ukrainian government entities. One target was the Ukrainian State Hydrology Agency, a critical infrastructure entity under the Ministry of Infrastructure that provides navigational, maritime, and hydrographic support.
“The phishing email has no malicious attachments, no suspicious links, no macros. The entire attack chain lives inside the HTML body of a single email, there are no malicious attachments.”
— Seqrite Labs
The payload was an obfuscated JavaScript that executed when recipients opened malicious emails in vulnerable Zimbra webmail sessions. This attack pattern matches what CVE-2025-48700 enables.
Zimbra's Recurring Security Problems
Zimbra flaws are frequently exploited. The platform has a history of being targeted by sophisticated actors.
In February 2023, Russian Winter Vivern cyberespies used a reflected XSS exploit to breach Zimbra webmail portals. They stole emails from NATO-aligned organizations and individuals, including military personnel, government officials, and diplomats.
Organizations running Zimbra should treat any XSS vulnerability as high priority. The pattern is clear: state-backed attackers actively hunt for unpatched Zimbra servers.
What to Do Now
- Check your Zimbra version. CVE-2025-48700 affects ZCS 8.8.15, 9.0, 10.0, and 10.1.
- Apply Synacor's June 2025 patches immediately if you have not already.
- Audit logs for suspicious email activity, particularly in the Zimbra Classic UI.
- Consider whether the Zimbra Classic UI is necessary. If not, disable it.
- Monitor Shadowserver and CISA feeds for updates on this and related vulnerabilities.
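As an added illustration of the audit step above (example code, not from the article, Zimbra or Synacor): a small scanner that walks stored RFC 822 messages and flags HTML parts carrying active content, which is where the article says the whole attack chain lives. The patterns are generic XSS primitives, not the specific CVE-2025-48700 trigger (the article does not describe it), and the sample messages are constructed inline.

```python
"""Flag stored emails whose HTML body carries active content.
Added example, not code from the article or from Zimbra/Synacor."""
import email
import re
from email import policy
from email.message import EmailMessage

# Generic markers of active content in an HTML body. These are well-known
# XSS primitives, not the CVE-2025-48700-specific trigger (not public here).
ACTIVE_CONTENT = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("event-handler", re.compile(r"\son[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"(?:href|src)\s*=\s*['\"]?\s*javascript:", re.I)),
    ("embedded-object", re.compile(r"<\s*(?:svg|iframe|object|embed)\b", re.I)),
]

def html_parts(msg):
    """Yield the decoded text of every text/html part, walking multipart trees."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()

def scan_message(raw: bytes) -> list[str]:
    """Return the sorted names of active-content patterns found in the HTML parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    for html in html_parts(msg):
        for name, pattern in ACTIVE_CONTENT:
            if pattern.search(html):
                hits.add(name)
    return sorted(hits)

def build_sample(html_body: str) -> bytes:
    """Construct a minimal multipart/alternative message for testing."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = "constructed sample"
    m.set_content("plain text fallback")
    m.add_alternative(html_body, subtype="html")
    return m.as_bytes()

# Constructed samples: a benign newsletter and a message with active content.
BENIGN = build_sample("<html><body><p>Quarterly report attached.</p></body></html>")
SUSPECT = build_sample('<html><body><script>1</script><p onmouseover="void 0">hi</p></body></html>')

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_message(raw) or "clean")
```

Point it at an export of messages from a mailbox store and review every flagged message by hand; the patterns are deliberately broad and will also match legitimate marketing mail.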

Frequently Asked Questions
What is CVE-2025-48700?
It is a cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite that allows attackers to execute arbitrary JavaScript when a user views a malicious email in the Zimbra Classic UI. No user interaction beyond opening the email is required.
Which Zimbra versions are affected?
ZCS versions 8.8.15, 9.0, 10.0, and 10.1 are all vulnerable. Synacor released patches in June 2025.
Is CVE-2025-48700 being actively exploited?
Yes. CISA added it to the Known Exploited Vulnerabilities catalog on April 21, 2026, confirming active exploitation in the wild.
How many Zimbra servers are still vulnerable?
Shadowserver found over 10,500 unpatched Zimbra servers exposed online, with the highest concentrations in Asia (3,794) and Europe (3,793).
Who is exploiting Zimbra vulnerabilities?
A related Zimbra XSS flaw was exploited by APT28 (Fancy Bear), a Russian state-backed hacking group, in phishing campaigns against Ukrainian government entities. Winter Vivern, another Russian-linked group, targeted NATO-aligned organizations through Zimbra exploits in 2023.
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer
Produced with AI assistance and reviewed by the Logicity editorial team.