

Ethical Hacking News

Zimbra Servers Under Siege: Over 10,000 Vulnerable to Ongoing XSS Attacks


Over 10,000 Zimbra servers have been identified as unpatched against an actively exploited cross-site scripting (XSS) vulnerability, with most of them located in Asia and Europe. The exposure puts users of the email and collaboration software at risk worldwide and makes patching urgent.

  • Zimbra servers unpatched against CVE-2025-48700 are being targeted in ongoing cross-site scripting (XSS) attacks.
  • The vulnerability affects versions 8.8.15, 9.0, 10.0, and 10.1 of ZCS.
  • Over 10,500 unpatched Zimbra servers remain exposed worldwide, with most located in Asia and Europe.
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive for Federal civilian agencies to secure their Zimbra servers within three days.
  • State-backed actors are exploiting this vulnerability through phishing campaigns.
  • Organizations must apply patches and implement additional security measures to protect against exploitation.
  • Users should exercise caution when interacting with potentially malicious emails or webmail sessions.



    The disclosure that over 10,000 Zimbra servers remain exposed to ongoing cross-site scripting (XSS) attacks has drawn wide attention. The vulnerability, tracked as CVE-2025-48700, affects ZCS versions 8.8.15, 9.0, 10.0, and 10.1, and puts users of the email and collaboration software at risk worldwide.

    Zimbra, developed by Synacor, is used by hundreds of millions of individuals and organizations worldwide, including many government agencies and businesses. That footprint makes the flaw particularly concerning: the attack vector is execution of arbitrary JavaScript inside a victim's webmail session, reportedly without any user interaction, and script running in that session can read and act on whatever the logged-in user can.

    Shadowserver, a nonprofit security organization, warns that over 10,500 Zimbra servers remain exposed and unpatched, most of them in Asia (3,794) and Europe (3,793). The exposed hosts have been added to Shadowserver's tracking data, which continuously monitors vulnerable instances.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also acted. CISA added CVE-2025-48700 to its Known Exploited Vulnerabilities (KEV) Catalog on evidence that it is being abused in the wild, and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their Zimbra servers within three days, by April 23. A deadline that short underscores how urgent the agency considers this vulnerability.

    Zimbra Collaboration Suite has been a frequent target in recent years because of its wide deployment and a steady stream of exploitable flaws. In February 2023, the Russian Winter Vivern cyberespionage group breached Zimbra webmail portals and stole emails from NATO-aligned organizations and individuals, including military personnel, government officials, and diplomats. More recently, U.S. and U.K. cyber agencies warned that APT29 (a.k.a. Cozy Bear, Midnight Blizzard) was targeting vulnerable Zimbra servers "at a mass scale," exploiting the same security issue that had previously been abused to steal email account credentials.

    Exploitation of this XSS vulnerability is attributed to state-backed actors, who deliver the payload through phishing emails. In January 2026, researchers at Seqrite Labs identified an APT28 (a.k.a. Fancy Bear, Strontium) campaign, dubbed Operation GhostMail, that targeted Ukrainian government entities with malicious emails carrying obfuscated JavaScript payloads into vulnerable Zimbra webmail sessions.
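Because the reported delivery vector is a phishing email whose HTML body carries an obfuscated script that the webmail client renders, mail administrators can at least triage suspect messages for active content before they reach users. The script below is an added example for this article, not code from Zimbra, Synacor, Seqrite or the article itself, and it is a generic heuristic for XSS-style payloads in RFC 822 messages, not a signature for CVE-2025-48700. The three sample messages are constructed inline for the demonstration; the indicator regexes and their weights are the author's assumptions.

```python
"""Triage raw e-mail files for active content a webmail client might render.

Added example (not from the article or from Zimbra/Synacor): a generic
heuristic for XSS-style payloads in RFC 822 messages. It is not a signature
for CVE-2025-48700. The sample messages below are constructed for the demo.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from html import unescape

# Indicators of active content in an HTML body (weights are assumptions).
ACTIVE_CONTENT = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.I),
    "svg_or_iframe": re.compile(r"<\s*(?:svg|iframe|object|embed)\b", re.I),
}
# Constructs commonly used to hide a payload from naive string matching.
OBFUSCATION = {
    "fromcharcode": re.compile(r"String\.fromCharCode", re.I),
    "eval_or_atob": re.compile(r"\b(?:eval|atob|unescape|Function)\s*\(", re.I),
    "js_hex_escape": re.compile(r"(?:\\x[0-9a-f]{2}){4,}", re.I),
}


def _html_parts(msg: EmailMessage):
    """Yield the decoded text of every text/html part, nested multiparts included."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            # get_content() undoes the transfer encoding (base64, QP) and charset.
            yield part.get_content()


def triage_message(raw: bytes) -> dict:
    """Return subject, matched indicator names and a weighted score for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for html in _html_parts(msg):
        # Also examine the entity-decoded text so "&lt;script&gt;" hiding is caught.
        for text in (html, unescape(html)):
            for name, rx in {**ACTIVE_CONTENT, **OBFUSCATION}.items():
                if name not in hits and rx.search(text):
                    hits.append(name)
    score = sum(2 if h in ACTIVE_CONTENT else 1 for h in hits)
    return {"subject": str(msg["subject"]), "indicators": hits, "score": score}


def _build(subject: str, html: str, cte: str = "quoted-printable") -> bytes:
    """Construct a multipart/alternative sample (constructed input, not a captured attack)."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "victim@example.test"
    m["Subject"] = subject
    m.set_content("plain-text alternative")
    m.add_alternative(html, subtype="html", cte=cte)
    return m.as_bytes()


# Constructed samples: one benign message, one with an inline handler plus a
# javascript: link hidden behind base64 transfer encoding, one with the script
# tag hidden behind HTML entities.
SAMPLES = {
    "benign": _build("Q2 invoice",
                     "<html><body><p>Hello, see the attached invoice.</p></body></html>"),
    "inline_script": _build("Urgent: password reset",
                            "<html><body><img src=x onerror=\"eval(atob('YWxlcnQoMSk='))\">"
                            "<a href=\"javascript:void(0)\">click</a></body></html>",
                            cte="base64"),
    "entity_hidden": _build("Calendar update",
                            "&lt;script&gt;String.fromCharCode(97)&lt;/script&gt;"),
}


def triage_all(samples: dict = SAMPLES) -> dict:
    """Triage every sample and return {name: result}."""
    return {name: triage_message(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(f"{name:14s} score={result['score']} indicators={result['indicators']}")
```

The heuristic deliberately looks at both the transfer-decoded HTML and its entity-decoded form, because a payload that only appears after the client decodes `&lt;script&gt;` is exactly the kind that a plain byte-level filter misses. Treat the score as a triage signal for analyst review, not a verdict: event-handler and `javascript:` matches do occur in legitimate marketing mail.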

    Given the severity of the flaw and the ongoing exploitation, every organization running Zimbra Collaboration Suite should address it without delay: apply the patches Synacor released in June 2025 and put additional controls in place to reduce the impact of any exploitation attempt.

    Users should also treat unexpected or suspicious emails with caution, since the payload arrives in a message rendered by the webmail client. Keeping all software current, running reputable endpoint protection, and maintaining sound security practices help reduce the risk of such attacks succeeding.

    As threats grow more sophisticated, individuals and organizations alike need to stay vigilant and proactive about vulnerabilities like CVE-2025-48700: report what they find, follow security updates and patches, and build a culture of security awareness in their communities.

    The exposure of thousands of Zimbra servers to ongoing XSS attacks is a reminder of why timely patching and robust security practices matter. By prioritizing these measures collectively, the impact of such vulnerabilities can be contained and the digital landscape made safer for everyone.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Zimbra-Servers-Under-Siege-Over-10000-Vulnerable-to-Ongoing-XSS-Attacks-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/cisa-says-zimbra-flaw-now-exploited-over-10k-servers-vulnerable/

  • https://cybersecuritynews.com/zimbra-vulnerability-exploited-attacks/

  • https://attack.mitre.org/groups/G0016/

  • https://www.picussecurity.com/resource/blog/apt29-cozy-bear-evolution-techniques

  • https://www.threatintelreport.com/2026/02/20/threat_actor_profiles/threat-actor-profile-apt29/

  • https://www.huntress.com/threat-library/threat-actors/fancy-bear

  • https://www.crowdstrike.com/en-us/blog/who-is-fancy-bear/

  • https://attack.mitre.org/groups/G0007/

  • https://www.civilsdaily.com/news/strontium-a-cyber-espionage-group/


  • Published: Fri Apr 24 09:23:30 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.