Zimbra Urges Immediate Patch for Critical Classic Web Client Vulnerability
Zimbra has released an urgent patch, version 10.1.19, to address a critical stored cross-site scripting (XSS) vulnerability affecting its popular Classic Web Client. This flaw, reported by **Google's Threat Analysis Group**, could allow attackers to execute malicious code via specially crafted emails, potentially leading to the theft of sensitive user data. The vulnerability, currently without a **CVE ID**, highlights ongoing security challenges for the widely used email and collaboration suite.

The **Zimbra** security team has issued a critical alert, urging customers to update their **Zimbra Collaboration** suite to version 10.1.19 immediately. The patch addresses a significant stored cross-site scripting (XSS) vulnerability found in the **Classic Web Client**, a popular, Ajax-based webmail interface known for its speed.
### The Vulnerability Explained
This newly identified security flaw, which currently lacks a **CVE ID**, can be exploited when a user opens a specially crafted email. Successful exploitation could enable threat actors to steal session data, account settings, or sensitive mailbox information.
"Any customer using the Classic Web Client should upgrade to ZCS v10.1.19 as soon as possible, as this issue only impacts the users of Classic Web Client," **Zimbra** stated in its advisory. "We strongly recommend upgrading to this version to keep your environment secure."
### Google's TAG Report and State-Backed Threats
While **Zimbra** has not confirmed in-the-wild exploitation of this specific vulnerability, its discovery by **Google's Threat Analysis Group (TAG)** raises concerns. **TAG** is renowned for flagging zero-day exploits often deployed by state-backed hacking groups targeting high-risk individuals, including politicians, dissidents, and journalists.
### A History of Exploitation by Russian APTs
**Zimbra** security issues have frequently been a target for Russian state-sponsored hacking groups. In recent years, several Advanced Persistent Threat (APT) groups have leveraged vulnerabilities within the **Zimbra** platform:
* **Winter Vivern**: In February 2023, this Russian-sponsored group exploited a reflected XSS flaw to breach **Zimbra** webmail portals, stealing emails from **NATO**-aligned organizations.
* **APT29 (Midnight Blizzard/Cozy Bear)**: In October 2024, U.S. and U.K. cyber agencies warned that this group, linked to Russia's Foreign Intelligence Service (SVR), was broadly targeting vulnerable **Zimbra** servers using an exploit previously known for stealing email credentials.
* **APT28**: In March, the **Cybersecurity and Infrastructure Security Agency (CISA)** ordered federal agencies to patch another **Zimbra** XSS flaw (**CVE-2025-66376**) that **APT28** (linked to Russia's military intelligence service) had exploited in attacks against Ukrainian government entities.
More recently, in April, the **Shadowserver** Foundation reported that over 10,500 **Zimbra Collaboration Suite (ZCS)** instances remained vulnerable online to attacks exploiting another XSS flaw (**CVE-2025-48700**).
Given the persistent targeting of **Zimbra** by sophisticated threat actors, immediate patching is crucial for all organizations utilizing the **Classic Web Client**.