More Than 10,000 Zimbra Servers Remain Unpatched Amid Active XSS Exploitation

April 26, 2026

Thousands of Zimbra Servers Still Open to Active Attack

More than 10,500 Zimbra Collaboration Suite (ZCS) instances reachable over the public internet remain unpatched against a cross-site scripting (XSS) vulnerability that is already being actively exploited, according to data published by the nonprofit internet security watchdog Shadowserver. The finding underscores the persistent gap between patch availability and real-world deployment across the global Zimbra user base.

Zimbra is one of the most widely deployed email and collaboration platforms in the world, used by hundreds of millions of people, including hundreds of government agencies and thousands of private-sector businesses. Its broad adoption makes unpatched instances an attractive target for both nation-state actors and financially motivated threat groups.

CVE-2025-48700: What the Flaw Does and Who Is at Risk

The vulnerability in question is tracked as CVE-2025-48700 and affects ZCS versions 8.8.15, 9.0, 10.0, and 10.1. Successful exploitation allows unauthenticated attackers to execute arbitrary JavaScript within a victim's active session, potentially granting access to sensitive information including emails, contacts, and authentication tokens.

A particularly dangerous aspect of the flaw is that it requires no user interaction beyond opening a maliciously crafted email in the Zimbra Classic UI. Attackers do not need to trick victims into clicking links or downloading attachments — simply viewing the message is enough to trigger the exploit.

Synacor, the company behind Zimbra, released security patches addressing CVE-2025-48700 in June 2025, at which point it publicly disclosed that the flaw could be exploited without any user interaction. Despite patches being available for months, a significant portion of internet-facing deployments have not been updated.

CISA Adds the Flaw to Its Known Exploited Vulnerabilities Catalog

On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed active abuse of CVE-2025-48700 in the wild and formally added it to its Known Exploited Vulnerabilities (KEV) Catalog. The agency cited evidence of real-world exploitation as the basis for the listing.

Alongside the KEV addition, CISA issued a binding directive ordering Federal Civilian Executive Branch (FCEB) agencies to secure their Zimbra servers within just three days — by April 23. The tight deadline reflects the severity of the threat and the speed at which attackers are moving to exploit unpatched systems.

Geographic Breakdown of Exposed Servers

Shadowserver's Friday warning provided a geographic breakdown of the more than 10,500 still-vulnerable Zimbra instances. The largest concentrations were found in:

The remaining vulnerable instances were distributed across other regions. CISA did not share specific technical details about the ongoing CVE-2025-48700 attacks in its public advisory.

A Related Zimbra XSS Flaw Was Weaponized by APT28

While details about the current CVE-2025-48700 campaign remain limited, the exploitation pattern is consistent with prior Zimbra XSS attacks. A separate but closely related XSS vulnerability — tracked as CVE-2025-66376 and patched in early November — was exploited by the Russian state-backed threat actor APT28, also known as Fancy Bear and Strontium, in a targeted phishing campaign beginning in January.

That campaign, codenamed Operation GhostMail by researchers at Seqrite Labs, targeted Ukrainian government entities, including the Ukrainian State Hydrology Agency — a critical infrastructure entity operating under the Ministry of Infrastructure that provides navigational, maritime, and hydrographic support.

The attack method was notable for its stealth. Researchers at Seqrite Labs described it this way:

"The phishing email has no malicious attachments, no suspicious links, no macros. The entire attack chain lives inside the HTML body of a single email; there are no malicious attachments."

The campaign delivered an obfuscated JavaScript payload when recipients opened the malicious emails within vulnerable Zimbra webmail sessions — demonstrating just how effective XSS-based attacks against webmail platforms can be when left unaddressed.

A Long History of Zimbra Exploitation

CVE-2025-48700 is far from the first Zimbra vulnerability to be weaponized in high-profile attacks. The platform has been repeatedly targeted by sophisticated threat actors over recent years.

In February 2023, the Russian cyberespionage group Winter Vivern exploited a reflected XSS vulnerability to breach Zimbra webmail portals and steal emails exchanged by NATO-aligned organizations and individuals, including military personnel, government officials, and diplomats.

More recently, in October 2024, U.S. and U.K. cyber agencies issued a joint warning that APT29 — also known as Cozy Bear and Midnight Blizzard, and linked to Russia's Foreign Intelligence Service (SVR) — was targeting vulnerable Zimbra servers "at a mass scale." That campaign exploited a previously abused security issue to steal email account credentials from targeted organizations.

What Administrators Should Do Now

Given the confirmed active exploitation of CVE-2025-48700 and the history of Zimbra being targeted by both nation-state actors and opportunistic attackers, system administrators running any affected version of ZCS should treat patching as an immediate priority. The affected versions — 8.8.15, 9.0, 10.0, and 10.1 — should be updated to the patched releases issued by Synacor in June 2025 without further delay.

Organizations that cannot patch immediately should consider restricting access to Zimbra webmail interfaces, monitoring for anomalous JavaScript execution, and reviewing email logs for signs of maliciously crafted messages targeting the Classic UI.
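The last of those interim steps, reviewing stored messages for crafted HTML aimed at the webmail client, can be partly automated. The following scanner is an added example written for this article; it is not code from Zimbra, Synacor, CISA or the cited researchers. It assumes you have already exported the HTML bodies of messages of interest (for instance from the mail store or a mail gateway's quarantine, which is outside the scope of this snippet), and it uses Python's standard-library HTML parser to flag the indicators that a benign business e-mail rarely needs: `<script>` and other active-content elements, `on*` event-handler attributes, `javascript:`/`vbscript:`/`data:text/html` URL schemes, and CSS `expression()`. Because the parser decodes character references before the check runs, an entity-encoded scheme such as `&#106;avascript:` is caught as well. The three sample messages are constructed for illustration, and the tag and attribute lists are heuristics, not a signature for CVE-2025-48700.

```python
"""Heuristic triage of HTML e-mail bodies for inline-script indicators.

Added example, not part of the original article or of any Zimbra code.
Flags markup that ordinary business mail rarely carries but that XSS-style
attacks on webmail clients commonly rely on. It is a triage aid, not a proof
of exploitation: flagged messages still need a human look.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser


@dataclass
class ScanResult:
    """Findings for one message body; an empty list means nothing was flagged."""
    message_id: str
    findings: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


class ScriptIndicatorParser(HTMLParser):
    # Elements that have no place in routine mail but can carry or load script.
    RISKY_TAGS = {"script", "iframe", "frame", "object", "embed", "svg", "math", "base"}
    # Attributes whose value is a URL, where a dangerous scheme may hide.
    URL_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href", "background"}
    RISKY_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

    def __init__(self) -> None:
        # convert_charrefs=True (the default) means attribute values reach us
        # with entity/character references already decoded, so "&#106;avascript:"
        # is seen as "javascript:".
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        # HTMLParser lower-cases tag and attribute names for us.
        if tag in self.RISKY_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event-handler:{tag}@{name}")
            if value is None:
                continue
            if name in self.URL_ATTRS:
                # Drop whitespace/control characters that browsers ignore ahead
                # of the scheme (e.g. "java\tscript:"), then compare case-insensitively.
                normalized = "".join(ch for ch in value if ch > " ").lower()
                if normalized.startswith(self.RISKY_SCHEMES):
                    scheme = normalized.split(":", 1)[0]
                    self.findings.append(f"scheme:{tag}@{name}={scheme}")
            if name == "style" and "expression(" in value.lower():
                self.findings.append(f"css-expression:{tag}")


def scan_html_body(message_id: str, html: str) -> ScanResult:
    """Parse one HTML body and return every indicator found, in document order."""
    parser = ScriptIndicatorParser()
    parser.feed(html)
    parser.close()
    return ScanResult(message_id, parser.findings)


def triage(messages: dict[str, str]) -> list[ScanResult]:
    """Return only the messages that carry at least one indicator."""
    flagged = []
    for message_id, body in messages.items():
        result = scan_html_body(message_id, body)
        if result.suspicious:
            flagged.append(result)
    return flagged


# Constructed sample bodies (not real captured mail). msg-0001 is a benign
# newsletter-style message; msg-0002 and msg-0003 carry inert indicators.
SAMPLE_MESSAGES = {
    "msg-0001": """<html><body><p>Quarterly report is ready.</p>
      <a href="https://intranet.example.invalid/report">Open the report</a>
      <img src="https://intranet.example.invalid/logo.png" alt="logo"></body></html>""",
    "msg-0002": """<html><body><p>Please review.</p>
      <img src="x" onerror="void(0)">
      <a href="&#106;avascript:void(0)">details</a></body></html>""",
    "msg-0003": """<html><body><p>Meeting notes</p><script>/* inert */</script></body></html>""",
}


if __name__ == "__main__":
    for result in triage(SAMPLE_MESSAGES):
        print(result.message_id, ", ".join(result.findings))
```

Run as-is it prints the two flagged sample messages with their indicators; in practice you would feed it bodies pulled from the mail store for the window in which the exploitation was active. The scheme check normalises away whitespace and decodes entities, but it does not attempt to interpret heavily obfuscated JavaScript or vendor-specific HTML sanitizer quirks, so treat a clean result as "no obvious indicator" rather than "not affected".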


Source: BleepingComputer