Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

A Critical Zimbra Classic Web Client Flaw Exposes Mailboxes to Malicious Emails


Zimbra's Classic Web Client Flaw Exposes Mailboxes to Malicious Emails; Update Now with ZCS v10.1.19

  • Critical vulnerability discovered in Zimbra's Classic Web Client (July 10, 2026), exposing mailbox information, session data, or account settings to malicious emails.
  • Identified as stored XSS (Cross-Site Scripting) and not yet assigned a CVE ID.
  • Fix released by Zimbra with version 10.1.19, recommended for all customers.
  • Vulnerability exploited by Russia-linked APT group (APT28/Fancy Bear/Pawn Storm) in previous campaigns.
  • Attackers used phishing emails to harvest credentials, session tokens, and mailbox data via stored XSS flaw.



  • On July 10, 2026, a critical vulnerability was discovered in Zimbra's Classic Web Client that can expose mailbox information, session data, or account settings to malicious emails. This security issue has been identified as stored XSS (Cross-Site Scripting) and is not yet assigned a CVE ID. The update released by Zimbra fixes this flaw, with version 10.1.19 being the recommended patch for all customers.



    The vulnerability was discovered by Google's Threat Analysis Group. Although there have been no reports of active exploitation at this time, it is highly advised that organizations using the Classic Web Client update to ZCS v10.1.19 as soon as possible to protect against potential attacks. This critical flaw in the Classic Web Client has already been exploited by a Russia-linked APT group, likely APT28, also known as Fancy Bear or Pawn Storm, in previous campaigns.



    Attackers have used this vulnerability to exploit Zimbra's stored XSS flaw in phishing emails, allowing them to silently harvest credentials, session tokens, 2FA codes, saved passwords, and up to 90 days of mailbox data. Once the malicious JavaScript is executed, it exfiltrates stolen data via DNS and HTTPS.



    Operation GhostMail tracked this campaign as a series of attacks against entities in Ukraine using compromised student emails. A phishing email targeted Ukraine's State Hydrology Agency was used to exploit the Zimbra XSS flaw, stealing credentials, tokens, emails, and 2FA data.



    It is highly recommended for organizations using the Classic Web Client to update as soon as possible with version 10.1.19 to ensure they have received the latest security patches, bug fixes, and enhancements. This vulnerability highlights the importance of keeping software up-to-date and secure against potential threats.





    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-Zimbra-Classic-Web-Client-Flaw-Exposes-Mailboxes-to-Malicious-Emails-ehn.shtml

  • https://securityaffairs.com/195130/hacking/update-now-critical-zimbra-classic-web-client-flaw-could-expose-mailboxes.html


  • Published: Fri Jul 10 16:16:29 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us