# Critical XSS Vulnerability Exposes Over 10,000 Zimbra Servers to Active Exploitation

A critical cross-site scripting (XSS) vulnerability, **CVE-2025-48700**, is actively being exploited in the wild, leaving over 10,000 **Zimbra Collaboration Suite (ZCS)** instances exposed. The vulnerability allows unauthenticated attackers to execute arbitrary JavaScript within a user's session, potentially leading to sensitive information disclosure.

According to **Shadowserver**, a nonprofit security organization, over 10,000 **Zimbra Collaboration Suite (ZCS)** instances accessible online are vulnerable to ongoing attacks exploiting a cross-site scripting (XSS) security flaw.
**Zimbra** is a widely used email and collaboration software suite employed by hundreds of millions of users globally, including government agencies and businesses.
## CVE-2025-48700: The Vulnerability
The vulnerability, tracked as **CVE-2025-48700**, affects **ZCS** versions 8.8.15, 9.0, 10.0, and 10.1. It allows unauthenticated attackers to access sensitive information by executing arbitrary JavaScript within the user's session. Exploitation requires no user interaction and can be triggered when a user views a maliciously crafted email in the Zimbra Classic UI.
**Synacor** released security patches for this flaw in June 2025.
## CISA Adds CVE-2025-48700 to KEV Catalog
On Monday, the **Cybersecurity and Infrastructure Security Agency (CISA)** flagged **CVE-2025-48700** as being actively exploited in the wild and added it to its [Known Exploited Vulnerabilities (KEV) Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48700). **CISA** ordered Federal Civilian Executive Branch (FCEB) agencies to patch their **Zimbra** servers within three days, by April 23.
## Unpatched Servers Remain Exposed
As of Friday, **Shadowserver** reported that over 10,500 **Zimbra** servers remain unpatched, primarily located in Asia (3,794) and Europe (3,793).

*Unpatched Zimbra servers exposed online (Shadowserver)*
## APT28 Exploitation and Historical Attacks
While **CISA** has not released specific details about the **CVE-2025-48700** attacks, another XSS vulnerability, **CVE-2025-66376**, was exploited by the state-sponsored **APT28** (aka Fancy Bear, Strontium) in phishing attacks targeting Ukrainian government entities starting in January. This campaign, dubbed Operation GhostMail by **Seqrite Labs**, involved delivering obfuscated JavaScript payloads via malicious emails.
**Zimbra** flaws have frequently been targeted in recent years. In February 2023, the Russian Winter Vivern cyberespionage group exploited a reflected XSS vulnerability to breach **Zimbra** webmail portals and steal emails from NATO-aligned organizations. More recently, in October 2024, U.S. and U.K. cyber agencies warned that **APT29** (aka Cozy Bear, Midnight Blizzard) was targeting vulnerable **Zimbra** servers to steal email account credentials.