Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
MediumCISA KEVExploited in the wildPublic exploit

Zero-click XSS in Zimbra Collaboration Classic UI

IdentifiersCVE-2025-48700CWE-79· Improper Neutralization of Input…

CVE-2025-48700 is a cross-site scripting vulnerability in Synacor Zimbra Collaboration Suite (ZCS) Classic UI affecting 8.8.15, 9.0, 10.0, and 10.1. The flaw is caused by insufficient sanitization of attacker-controlled HTML content in email messages, including crafted tag structures and attribute values using @import and related script-injection vectors. When a victim views a malicious email in the Zimbra Classic UI, arbitrary JavaScript can execute in the context of that user’s authenticated webmail session. The issue has been described as zero-click in the sense that no additional interaction beyond opening/viewing the message in Classic UI is required. Supporting content also indicates active exploitation in the wild and inclusion in CISA’s KEV catalog.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated attacker to run arbitrary JavaScript in the victim’s browser within the security context of the Zimbra webmail session. This can lead to theft of session data and sensitive mailbox information, including access to email contents and other data exposed to the authenticated user. Supporting reporting further indicates attackers have used or could use the flaw for session hijacking, credential theft, unauthorized access to sensitive information, and access to mailbox contents, TGZ correspondence archives, MFA backup codes, application passwords, and the global address book.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by disabling or restricting access to the Zimbra Classic UI where operationally feasible, limiting external access to affected webmail instances, and monitoring for malicious HTML email content targeting Classic UI rendering. Treat suspicious inbound emails as potentially hostile active content, review logs and mailbox artifacts for signs of session hijacking or unauthorized mailbox access, and invalidate active sessions/reset exposed credentials, application passwords, and MFA recovery material if compromise is suspected. Patch remains the primary mitigation.

Remediation

Patch, then assume compromise.

Apply the vendor patches released by Synacor/Zimbra. Supporting content identifies fixed versions as 8.8.15 Patch 47, 9.0.0 Patch 43, 10.0.12, and 10.1.4. Organizations should upgrade affected ZCS deployments to the appropriate patched release and prioritize internet-exposed systems, especially because the vulnerability has been actively exploited and added to CISA’s KEV catalog.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
ZimbraZimbra Collaboration Suiteapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

23 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

23 SOURCESView more in app
cyber security newsNews
May 22, 2026
Russian Threat Groups Use RDP, VPN, Supply Chain Attacks, and Social Engineering for Initial Access

Roundcube webmail vulnerability exploited in 2025 campaigns.

Read more
scworldNews
Apr 27, 2026
Thousands of Zimbra servers vulnerable to actively exploited flaw | brief | SC Media

An unauthenticated cross-site scripting vulnerability in Zimbra Collaboration Suite that can expose sensitive information by executing arbitrary JavaScript in a user's session when a malicious email is viewed in the Classic UI.

Read more
bleeping computerNews
Apr 24, 2026
Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks

A Zimbra Collaboration Suite cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's session and access sensitive information, including via malicious email viewed in the Zimbra Classic UI.

Read more
security affairsNews
Apr 21, 2026
U.S. CISA adds Cisco Catalyst, Kentico Xperience, PaperCut NG/MF, Synacor ZCS, Quest KACE SMA, and JetBrains TeamCity flaws to its Known Exploited Vulnerabilities catalog

A cross-site scripting vulnerability in Synacor Zimbra Collaboration Suite linked to exploitation campaigns delivering malicious scripts for session hijacking or credential theft.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence1

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity14

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-48700
NVD
nvd.nist.gov/vuln/detail/CVE-2025-48700
MITRE CWE · CWE-79
Improper Neutralization of Input During Web…
Vendor Advisory
wiki.zimbra.com/wiki/Zimbra_Security_Advisories
Release Notes
wiki.zimbra.com/wiki/Security_Center
Product
wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48700