Over 10,000 Zimbra Servers Vulnerable to Ongoing XSS Attacks


What happened

More than 10,500 Zimbra Collaboration Suite servers exposed to the internet remain unpatched against a cross-site scripting vulnerability that CISA confirmed is being actively exploited, adding it to its Known Exploited Vulnerabilities catalog on April 20, 2026. FCEB agencies were ordered to patch within three days, by April 23.

The vulnerability, tracked as CVE-2025-48700, affects ZCS versions 8.8.15, 9.0, 10.0, and 10.1. It allows unauthenticated attackers to execute arbitrary JavaScript within a user’s browser session by sending a specially crafted email. No user interaction beyond opening the email in Zimbra’s Classic UI is required. Synacor patched the flaw in June 2025, meaning servers still running unpatched versions have been exposed for nearly a year. Shadowserver identified over 10,500 vulnerable instances still online, concentrated primarily in Asia and Europe with 3,794 and 3,793 servers respectively.

CISA has not disclosed details about the specific attacks exploiting CVE-2025-48700, but the broader pattern of Zimbra XSS exploitation is well established. A separate Zimbra XSS flaw, CVE-2025-66376, was exploited by APT28 in phishing attacks against Ukrainian government entities starting in January 2026, in a campaign researchers named Operation GhostMail. That campaign delivered obfuscated JavaScript payloads through emails with no attachments, no links, and no macros, with the entire attack chain embedded in the HTML body of a single email. Russian cyberespionage group Winter Vivern exploited another Zimbra XSS flaw in 2023 to steal NATO-aligned emails, and in October 2024 a warning was issued that APT29 was targeting vulnerable Zimbra servers at mass scale.

Who is affected

Any organization running unpatched ZCS versions 8.8.15, 9.0, 10.0, or 10.1 with internet-exposed instances is directly vulnerable. Zimbra is used by hundreds of government agencies and thousands of businesses worldwide, making the exposure pool both large and high-value. The geographic concentration of unpatched servers in Asia and Europe means organizations in those regions face the most immediate risk.

Why CISOs should care

Zimbra XSS vulnerabilities have been a reliable tool for state-sponsored actors across multiple campaigns and multiple years. APT28, APT29, and Winter Vivern have all used Zimbra flaws to access government and military email. The no-interaction, email-body-only attack chain demonstrated in Operation GhostMail is particularly concerning because it bypasses the attachment and link-scanning controls most organizations rely on as primary email defenses. With over 10,500 servers still unpatched nearly a year after the fix was available, the exploitable population remains substantial.

3 practical actions

  1. Patch CVE-2025-48700 immediately if running any affected ZCS version: Synacor released fixes in June 2025. Any ZCS instance on versions 8.8.15, 9.0, 10.0, or 10.1 that has not been updated is actively vulnerable to confirmed in-the-wild exploitation and should be treated as an emergency patching priority.
  2. Audit whether Zimbra Classic UI is enabled and restrict access where possible: The vulnerability is triggered specifically through the Zimbra Classic UI. Assess whether your deployment requires Classic UI access and restrict or disable it where it is not operationally necessary while patches are applied.
  3. Review email security controls for HTML-body-only attack chains: The Operation GhostMail campaign delivered its full payload in the HTML body of a single email with no attachments or links. Confirm that your email security tooling inspects HTML content and JavaScript embedded in message bodies, not just attachments and URLs.
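The third action asks whether your tooling inspects HTML bodies, not just attachments and URLs. The script below is an added example (not code from the article or from Zimbra) that walks every MIME part of a message and flags active content in text/html parts even when the message has no attachment and no link; the regex patterns and the sample message are constructed for illustration and do not model any specific exploit.

```python
import email
import re
from email import policy

# Constructed indicators of active content inside an HTML body. They are
# generic (script tags, inline event handlers, javascript: URIs, embedding
# elements), not signatures for any particular Zimbra payload.
ACTIVE_CONTENT = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\son[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "embedding_element": re.compile(r"<\s*(svg|object|embed|iframe)\b", re.I),
}


def inspect_html_bodies(raw_message: bytes) -> dict:
    """Report active-content indicators found in text/html parts, plus whether
    the message carries any attachment or hyperlink at all."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = set()
    has_attachment = False
    has_link = False
    for part in msg.walk():  # a non-multipart message yields itself
        if part.get_content_disposition() == "attachment":
            has_attachment = True
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()
        if re.search(r"<\s*a\b[^>]*href\s*=", html, re.I):
            has_link = True
        for name, pattern in ACTIVE_CONTENT.items():
            if pattern.search(html):
                findings.add(name)
    return {"findings": sorted(findings), "has_attachment": has_attachment,
            "has_link": has_link}


# Constructed sample: no attachment, no link, but the HTML body carries a
# script tag. The script itself is a harmless placeholder.
SAMPLE = b"""From: sender@example.invalid
To: user@example.invalid
Subject: Quarterly update
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Please see the figures below.</p>
<script>console.log("placeholder")</script>
</body></html>
"""

if __name__ == "__main__":
    print(inspect_html_bodies(SAMPLE))
```

A message whose result has findings while both has_attachment and has_link are false is exactly the HTML-body-only shape described for Operation GhostMail, and is the case to confirm your gateway actually handles.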
