Zimbra's Classic Web Client Flaw Exposes Mailboxes to Malicious Emails; Update Now with ZCS v10.1.19
On July 10, 2026, a critical vulnerability was discovered in Zimbra's Classic Web Client that can expose mailbox information, session data, or account settings to malicious emails. This security issue has been identified as stored XSS (Cross-Site Scripting) and is not yet assigned a CVE ID. The update released by Zimbra fixes this flaw, with version 10.1.19 being the recommended patch for all customers.
The vulnerability was discovered by Google's Threat Analysis Group. Although there have been no reports of active exploitation at this time, it is highly advised that organizations using the Classic Web Client update to ZCS v10.1.19 as soon as possible to protect against potential attacks. This critical flaw in the Classic Web Client has already been exploited by a Russia-linked APT group, likely APT28, also known as Fancy Bear or Pawn Storm, in previous campaigns.
Attackers have used this vulnerability to exploit Zimbra's stored XSS flaw in phishing emails, allowing them to silently harvest credentials, session tokens, 2FA codes, saved passwords, and up to 90 days of mailbox data. Once the malicious JavaScript is executed, it exfiltrates stolen data via DNS and HTTPS.
Operation GhostMail tracked this campaign as a series of attacks against entities in Ukraine using compromised student emails. A phishing email targeted Ukraine's State Hydrology Agency was used to exploit the Zimbra XSS flaw, stealing credentials, tokens, emails, and 2FA data.
It is highly recommended for organizations using the Classic Web Client to update as soon as possible with version 10.1.19 to ensure they have received the latest security patches, bug fixes, and enhancements. This vulnerability highlights the importance of keeping software up-to-date and secure against potential threats.