
Zimbra Servers Targeted in Ongoing XSS Attacks


"The phishing email has no malicious attachments, no suspicious links, no macros. The entire attack chain lives inside the HTML body of a single email; there are no malicious attachments," Seqrite Labs said at the time.

CVE-2025-48700: the flaw and affected Zimbra Collaboration Suite releases

Security researchers and vendors have tied ongoing attacks to a cross-site scripting bug tracked as CVE-2025-48700 that affects multiple Zimbra Collaboration Suite (ZCS) releases: 8.8.15, 9.0, 10.0, and 10.1. Synacor, the company responsible for Zimbra, released security patches to address the vulnerability in June 2025 and warned that exploits of CVE-2025-48700 require no user interaction and can be triggered when a user views a maliciously crafted email message in the Zimbra Classic UI.

Shadowserver: over 10,500 exposed Zimbra servers, concentrated in Asia and Europe

Internet security watchdog Shadowserver reported that over 10,500 Zimbra servers exposed online remain unpatched against CVE-2025-48700. Shadowserver's scan counts show the largest concentrations of exposed, unpatched servers are in Asia (3,794) and Europe (3,793).

CISA: Known Exploited Vulnerability listing and a three-day order for FCEB agencies

On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-48700 to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. CISA also ordered Federal Civilian Executive Branch (FCEB) agencies to secure their Zimbra servers within three days, with a compliance date noted as April 23. CISA did not publish technical details of the CVE-2025-48700 attacks in its notice.

Operation GhostMail and a pattern of Zimbra-targeted phishing

While CISA withheld technical specifics for the current CVE-2025-48700 abuse, security firms have documented similar Zimbra-targeting campaigns. Seqrite Labs described a phishing operation it codenamed Operation GhostMail that began in January and used a different reflected XSS vulnerability (CVE-2025-66376) patched in early November. According to Seqrite Labs, that campaign was carried out by APT28 and targeted Ukrainian government entities, including the Ukrainian State Hydrology Agency — described in the reporting as a critical infrastructure entity under the Ministry of Infrastructure that provides navigational, maritime, and hydrographic support. The campaign delivered an obfuscated JavaScript payload when recipients opened the malicious emails in vulnerable Zimbra webmail sessions.

The reporting places Operation GhostMail in a longer sequence of Zimbra-focused intrusions: Russian Winter Vivern actors exploited a reflected XSS to breach Zimbra webmail portals in February 2023 and steal emails from NATO-aligned organizations and individuals, and U.S. and U.K. cyber agencies warned in October 2024 that APT29 had been targeting vulnerable Zimbra servers "at a mass scale" to steal email account credentials.

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams: Synacor issued patches in June 2025; the central technical fact in the public record is that a patch is available and that the vulnerability can be triggered by viewing a crafted message in the Classic UI. Shadowserver's scan data shows many exposed instances remain unpatched, underlining that deploying the patch, filtering network access, or isolating vulnerable interfaces are the immediate operational actions the reporting points to.
  • Policymakers and federal agencies: CISA added CVE-2025-48700 to the KEV Catalog and directed FCEB agencies to remediate within three days, by April 23. That order establishes a near-term compliance timeline for civilian federal systems specifically called out in the public notice.
  • Affected enterprises and operators in Asia and Europe: Shadowserver's geographic counts place most of the currently exposed servers in Asia and Europe, a fact that businesses and public-sector operators in those regions will need to weigh when assessing exposure and prioritizing patching or mitigations.

Zimbra is described in the reporting as a popular email and collaboration suite used by hundreds of millions of people worldwide, including hundreds of government agencies and thousands of businesses. That footprint, combined with a vulnerability that Synacor says needs no user interaction to exploit, is the context driving both CISA's emergency listing and Shadowserver's scans. The public record shows a patch exists but also shows a sizable number of internet-facing servers remain unpatched; whether the three-day federal directive produces measurable remediation across those exposed systems is the immediate question left by these facts.

For the original reporting, see: https://www.bleepingcomputer.com/news/security/cisa-says-zimbra-flaw-now-exploited-over-10k-servers-vulnerable/