Zimbra XSS exploited in the wild (CVE-2025-48700)
CVE-2025-48700
Actively exploited Zimbra XSS flaw lets attackers hijack sessions via email. Update ZCS Classic UI to the latest patched version to block cookie theft and data access.
Actively exploited in the wild - CVE-2025-48700 is a medium XSS vulnerability in Zimbra Collaboration Suite 8.8.15 through 10.1 that executes arbitrary JavaScript in a victim’s session on email view, leaking session tokens and granting data access. Apply Zimbra’s latest security updates immediately.
Overview
A cross-site scripting (XSS) vulnerability in the Zimbra Collaboration Suite (ZCS) Classic UI is confirmed to be actively exploited by attackers. Tracked as CVE-2025-48700, this flaw allows malicious JavaScript execution when a user views a specially crafted email, requiring no further interaction.
Vulnerability Details
The vulnerability exists in Zimbra Collaboration versions 8.8.15, 9.0, 10.0, and 10.1. It stems from insufficient sanitization of HTML content within email messages. Attackers can embed malicious scripts using crafted HTML tag structures and attributes, including the @import directive. When a recipient opens the malicious email in the Classic UI, the embedded script executes automatically within the context of the user’s Zimbra session.
Impact and Exploitation
With a CVSS score of 6.1 (Medium), successful exploitation allows an attacker to perform any action within the victim’s Zimbra session. This can lead to unauthorized access to sensitive emails, contacts, and calendar data, or the theft of session cookies to maintain persistent access. The key risk is amplified because this vulnerability is listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming it is being used in real-world attacks. The EPSS score of 0.2% indicates a low probability of widespread exploitation in the next 30 days, but the confirmed active attacks make patching a priority for affected organizations.
Remediation and Mitigation
The primary action is to apply the official security updates provided by Zimbra. Administrators should upgrade affected installations to the latest patched version immediately. If immediate patching is not possible, consider temporarily disabling the Zimbra Classic UI and forcing the use of the modern Zimbra UI, which is not affected. Organizations should also remind users to be cautious with unexpected emails and monitor for suspicious activity. For more on the consequences of such breaches, review recent breach reports.
Security Insight
This incident highlights the persistent threat of client-side attacks against widely used collaboration platforms. The active exploitation of an XSS flaw in a mature product like Zimbra underscores that even well-established applications require continuous security scrutiny of their user interface components. It mirrors a broader trend where attackers increasingly target email clients and webmail interfaces as a high-value entry point into corporate networks.
Further Reading
Never miss a critical vulnerability
Get real-time security alerts delivered to your preferred platform.
Related Advisories
Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling", resulting in a ...
Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to th...
A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges c...
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerab...