
Apr 26, 2026 · 5 min read

Opening an Email on 10,000 Zimbra Servers Runs an Attacker's Code—CISA Gave Agencies Three Days to Patch

A stored XSS flaw in Zimbra's Classic Web Client lets attackers hijack sessions by sending a single crafted email. Patches have existed for ten months, yet thousands of servers remain exposed.


The Vulnerability: CVE-2025-48700

A stored cross-site scripting flaw in the Zimbra Collaboration Suite Classic Web Client allows unauthenticated attackers to execute arbitrary JavaScript inside any user's browser session. The victim does not need to click a link or download an attachment. Simply viewing a crafted email in Zimbra's Classic UI is enough.

The vulnerability, tracked as CVE-2025-48700, carries a CVSS score of 6.1 (medium severity). It affects Zimbra versions 8.8.15, 9.0, 10.0, and 10.1. Synacor released patches in June 2025, so the servers that are still vulnerable have had ten months to update and have not done so.

How the Attack Works

The flaw exists because Zimbra's Classic UI does not properly sanitize HTML content in incoming emails. Attackers embed obfuscated JavaScript payloads using crafted tag structures and CSS @import directives that bypass Zimbra's input filters.
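To show the defensive side of the bypass described above, here is an added example (not Zimbra's filter and not code from the article) that inspects an inbound message's HTML parts for the constructs named here, CSS @import directives (including ones hidden behind CSS hex escapes) and inline script tags, so a mail gateway can quarantine such messages before a Classic UI user renders them. The sample message, its address and URL, and the RiskCollector and scan_message names are constructed for this example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample, not a real capture: an HTML email carrying a remote stylesheet
# import and an inline script; the address and URL are placeholders.
SAMPLE_EML = b"""\
From: sender@example.invalid
Subject: Quarterly report
Content-Type: text/html; charset="utf-8"

<html><head><style>@import url("https://cdn.example.invalid/x.css");</style></head>
<body><p>Please see the attached figures.</p><script>/* payload */</script></body></html>
"""

# CSS permits hex escapes in identifiers, so "@\69mport" still means @import;
# decode them before matching so the check is not trivially obfuscated away.
CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?")

def has_import(css):
    decoded = CSS_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), css)
    return "@import" in decoded.lower()

class RiskCollector(HTMLParser):
    # Records the constructs a gateway should not let reach a webmail renderer.
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False
    def handle_starttag(self, tag, attrs):
        self._in_style = self._in_style or tag == "style"
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            if name == "style" and has_import(value or ""):
                self.findings.append("@import in style attribute")
    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"
    def handle_data(self, data):  # HTMLParser passes <style> text through here
        if self._in_style and has_import(data):
            self.findings.append("@import in style block")

def scan_message(raw_bytes):  # one finding per risky construct, all text/html parts
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = RiskCollector()
            collector.feed(part.get_content())
            findings.extend(collector.findings)
    return findings
```

A non-empty result is a quarantine signal for the gateway, not proof of exploitation; the heuristic is deliberately strict because legitimate email rarely needs remote stylesheets or script.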

When a user opens the malicious email, the payload fires inside their authenticated session. From there, the attacker can:

  • Read and exfiltrate emails, contacts, and calendar data
  • Send emails on behalf of the victim
  • Hijack the session token and maintain persistent access
  • Pivot to other accounts if the compromised user has administrative privileges

This is not a theoretical risk. CISA confirmed active exploitation in the wild when it added the flaw to its Known Exploited Vulnerabilities catalog on April 20, 2026, and ordered all federal civilian agencies to patch within three days.

10,500 Servers Still Exposed

According to Shadowserver, a nonprofit security organization that tracks internet-facing vulnerabilities, more than 10,500 Zimbra servers remain unpatched and publicly accessible. The geographic breakdown tells a clear story:

  • Asia: 3,794 servers
  • Europe: 3,793 servers
  • Remaining: distributed across the Americas, Africa, and Oceania

Each of these servers handles email for organizations ranging from universities and small businesses to government agencies. Every user who opens a malicious email on one of these servers is a potential entry point.

Zimbra Has Been Here Before

This is not the first time Zimbra's email platform has been weaponized through an XSS vulnerability. In March 2026, a related flaw (CVE-2025-66376) was found being exploited by Russia's APT28 in Operation GhostMail, targeting Ukrainian government officials' email accounts using CSS @import directives embedded in HTML email content. That attack required nothing more than viewing the message.

The pattern is consistent: Zimbra's Classic Web Client parses rich HTML email content in the browser, and each sanitization bypass becomes an entry point. Organizations running Zimbra should treat any unpatched instance as already compromised.

Why Email Clients Are a Prime Target

Web-based email clients render HTML content directly in the browser, creating a fundamental tension between functionality and security. Features like rich text formatting, embedded images, and CSS styling give attackers a wide attack surface to work with. Zimbra's Classic UI is a textbook example: it prioritizes rendering fidelity over strict input sanitization.

The risk is not limited to Zimbra. Any web-based email client that processes untrusted HTML in an authenticated session faces the same class of vulnerability. The difference is whether the vendor treats email rendering as a security boundary.

What You Should Do

If your organization runs Zimbra Collaboration Suite:

  • Patch immediately. Upgrade to Zimbra 10.1.13 (current branch) or 10.0.18 (legacy). Patches have been available since June 2025.
  • Switch to the Modern Web Client. The vulnerability specifically targets the Classic UI. Migrating to Zimbra's Modern Web Client removes this attack surface.
  • Review server logs. Look for anomalous JavaScript execution patterns, unexpected email forwarding rules, or session hijacking indicators in your Zimbra audit logs.
  • Assume breach if unpatched. Ten months of active exploitation means that if your server was exposed, it may already have been targeted. Conduct a full incident response review.

The Bigger Picture

The fact that over 10,000 email servers remain unpatched ten months after a fix was released is not just a technical failure. It represents a systemic gap in how organizations manage their email infrastructure. Email is the most targeted communication channel in enterprise environments, and the servers that process it are high-value targets for state-sponsored groups and cybercriminals alike.

CISA's three-day patch deadline for federal agencies underscores the urgency. For everyone else, the deadline was ten months ago.
