Zimbra XSS Flaw Actively Exploited

CISA warns of an active exploit of a cross-site scripting vulnerability in Zimbra Collaboration Suite (ZCS). The internet security watchdog Shadowserver reporting that more than 10,500 instances exposed online remain unpatched. 

The flaw is tracked as CVE-2025-48700 (CVSS score 6.1), caused by insufficient sanitization of HTML content in the Zimbra Classic UI. Attackers can create tag structures and attribute values that include an @import directive and other script injection vectors. Successful exploitation enables unauthenticated attackers to execute arbitrary JavaScript within a victim's session, potentially leading to unauthorized access to sensitive information such as mailbox contents, multi-factor authentication backup codes, application passwords, and global address book data.

Affected versions of Zimbra Collaboration Suite include ZCS 8.8.15, 9.0, 10.0, and 10.1. 

Synacor released security patches addressing the flaw back in June 2025. Fixed builds are available in ZCS 8.8.15 Patch 47, 9.0.0 Patch 43, 10.0.12, and 10.1.4 and later releases. 

Shadowserver's scans show the bulk of unpatched, internet-exposed servers concentrated in Asia (3,794) and Europe (3,793), leaving a substantial attack surface for opportunistic and targeted threat actors alike.

On April 20, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-48700 to its Known Exploited Vulnerabilities (KEV) Catalog based on confirmed evidence of active exploitation, and ordered Federal Civilian Executive Branch (FCEB) agencies to remediate their Zimbra deployments by April 23. 

Administrators are strongly urged to upgrade Zimbra installations to a patched release without delay, audit mail servers for indicators of compromise, and review accounts for signs of unauthorized access, including suspicious mail forwarding rules, recent TGZ exports, and unexpected MFA or application password changes.