
XSS vulnerability in Zimbra collaboration suite under active exploitation

Take action: Update your Zimbra Collaboration Suite to version 10.0.7 or 9.0.0 Patch 39 ASAP. This flaw is being actively exploited by hackers who will steal credentials through malicious calendar invitations.



A cross-site scripting (XSS) security vulnerability has been identified in the Zimbra Collaboration Suite (ZCS). It affects the CalendarInvite feature and is being actively exploited in the wild.

The flaw is tracked as CVE-2024-27443 (CVSS score 6.1) in the CalendarInvite feature of Zimbra's Classic Web Client interface. It stems from improper input validation in the processing of the X-Zimbra-Calendar-Intended-For header in calendar invitations, allowing attackers to inject malicious JavaScript code. When a user opens a specially crafted email containing a calendar invitation using the classic Zimbra interface, the embedded malicious code executes automatically within their browser, potentially compromising their active session.

This stored XSS vulnerability affects ZCS versions 9.0 (patches 1-38) and 10.0 (up to 10.0.6).

According to Censys, a cybersecurity insights firm, approximately 129,131 potentially vulnerable ZCS instances were exposed online globally as of May 22, 2025.

Additionally, researchers identified 33,614 on-premises Zimbra hosts, many of which are linked to shared infrastructure. The vulnerability's addition to CISA's Known Exploited Vulnerabilities (KEV) catalog on May 19, 2025, confirms that attackers are actively exploiting this flaw.

Security researchers from ESET have suggested that the Sednit hacking group (also known as APT28 or Fancy Bear) might be behind the exploitation of this vulnerability. The group is believed to be utilizing this vulnerability as part of their "Operation RoundPress" campaign, which aims to steal login credentials and maintain persistent access to webmail platforms.

According to technical analysis, the attackers embed hidden scripts that decode and execute base64-encoded JavaScript when calendar invites are viewed, creating a sophisticated attack chain that can bypass traditional security measures.
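The two technical points above, an unvalidated X-Zimbra-Calendar-Intended-For header reaching the page unescaped, and hidden scripts that decode base64 when the invite is viewed, are the things a mail gateway or incident responder would want to check for. The following is an added example written for this page, not Zimbra code and not anything from the researchers cited: it parses constructed raw e-mails with Python's standard `email` module, scans every occurrence of that header for markup, event handlers, `atob`/`eval` calls and long base64 runs, and shows the server-side fix (HTML-escaping the value before it is rendered). The header name comes from the advisory; the sample messages, the indicator list and the helper names are assumptions for illustration.

```python
"""Triage calendar-invite e-mails for script markup in the
X-Zimbra-Calendar-Intended-For header (added example, not Zimbra code)."""
import base64
import html
import re
from email import message_from_string
from email.message import Message

HEADER = "X-Zimbra-Calendar-Intended-For"

# Indicators that the header carries executable content instead of the plain
# address or identifier it is meant to hold. Constructed for this example.
INDICATORS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>"),
    "event_handler": re.compile(r"\bon[a-zA-Z]+\s*=", re.IGNORECASE),
    "js_scheme": re.compile(r"javascript\s*:", re.IGNORECASE),
    "base64_decode": re.compile(r"\b(?:atob|eval)\s*\(", re.IGNORECASE),
}
# A long base64 run is suspicious on its own in a header that should hold an address.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def header_values(msg: Message) -> list[str]:
    """Every value of HEADER, with header folding collapsed, from the top-level
    message and each MIME part (an invite may be nested inside a multipart)."""
    values = []
    for part in msg.walk():
        for value in part.get_all(HEADER, []):
            values.append(" ".join(str(value).split()))
    return values


def scan_value(value: str) -> list[str]:
    """Names of the indicators that fire on one header value."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(value)]
    if BASE64_BLOB.search(value):
        hits.append("base64_blob")
    return hits


def scan_message(raw: str) -> dict:
    """Parse a raw RFC 822 message and report suspicious header values."""
    msg = message_from_string(raw)
    findings = {v: scan_value(v) for v in header_values(msg) if scan_value(v)}
    return {"subject": msg.get("Subject", ""),
            "suspicious": bool(findings),
            "findings": findings}


def sanitize_header(value: str) -> str:
    """The output-side fix: HTML-escape the value before it reaches the page,
    so any markup in it is displayed as text rather than executed."""
    return html.escape(value, quote=True)


# Constructed sample messages. The payload is a harmless placeholder string,
# base64-encoded so the detector sees the same shape an obfuscated script has.
PAYLOAD_B64 = base64.b64encode(b"constructed placeholder").decode()

BENIGN = """From: alice@example.test
To: bob@example.test
Subject: Team sync
X-Zimbra-Calendar-Intended-For: bob@example.test
Content-Type: text/calendar

BEGIN:VCALENDAR
END:VCALENDAR
"""

SUSPICIOUS = f"""From: sender@example.test
To: bob@example.test
Subject: Meeting request
X-Zimbra-Calendar-Intended-For: bob@example.test<script>eval(atob("{PAYLOAD_B64}"))</script>
Content-Type: text/calendar

BEGIN:VCALENDAR
END:VCALENDAR
"""

if __name__ == "__main__":
    for raw in (BENIGN, SUSPICIOUS):
        report = scan_message(raw)
        print(report["subject"], "->", "SUSPICIOUS" if report["suspicious"] else "clean")
        for value, hits in report["findings"].items():
            print("  indicators:", ", ".join(hits))
            print("  rendered safely as:", sanitize_header(value))
```

Run it with `python3 scan_invites.py` (any filename works). The benign invite passes; the constructed one fires the `html_tag`, `base64_decode` and `base64_blob` indicators, and the escaped form shows how the value would render once the header is treated as text rather than HTML. The regexes are deliberately broad, which suits a triage filter on mail logs; for a blocking gateway rule you would tighten them against your own traffic first.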

Zimbra has released patches addressing this vulnerability in:

  • ZCS version 10.0.7
  • ZCS version 9.0.0 Patch 39

Organizations using Zimbra Collaboration Suite are strongly urged to update to these patched versions immediately to protect against potential compromise. Given the active exploitation in the wild, this should be treated as a high-priority security update.
