Skip to main content
CybersecurityVulnerability Management

Zimbra Warns of Exploited Web Client Flaw

Cluttered office desk with laptop and papers, surrounded by cubicles and natural light.

"Any customer using the Classic Web Client should upgrade to ZCS v10.1.19 as soon as possible, as this issue only impacts the users of Classic Web Client," Zimbra warned. "We strongly recommend upgrading to this version to keep your environment secure."

Zimbra Classic Web Client and ZCS v10.1.19

Zimbra's security team released Zimbra 10.1.19 this Tuesday to patch a critical stored cross-site scripting (XSS) vulnerability that affects the Classic Web Client — the Ajax-based interface used to access the Zimbra Collaboration Suite. The Classic UI is widely deployed: Zimbra is used by hundreds of millions of people, thousands of businesses, and hundreds of government agencies worldwide. Zimbra noted the Classic Web Client is faster than its modern web client when loading large email folders, and the new build targets only users of that Classic interface.

How the vulnerability works and what it can expose

The flaw is a stored XSS in the Classic Web Client that attackers can trigger through specially crafted emails, according to Zimbra. When a vulnerable user opens such an email, malicious script can execute inside the browser. Successful exploitation could enable attackers to steal session data, account settings, or mailbox information. The vulnerability "has yet to receive a CVE ID for easy tracking," Zimbra said, and the company has not labeled it as exploited in the wild.

Google's Threat Analysis Group flagged the issue

Zimbra reported that Google's Threat Analysis Group (TAG) disclosed the bug. The source material notes TAG "frequently flags zero-day exploits deployed by state-backed hacking groups in cyberattacks targeting high-risk individuals, including opposition politicians, dissidents, and journalists." Zimbra's advisory therefore links the technical defect to a higher-risk investigative context, prompting the company to urge immediate upgrades to ZCS v10.1.19 for environments still running the Classic Web Client.

Context: repeated targeting of Zimbra by Russian-linked groups

Zimbra security issues have been exploited repeatedly by Russian state-sponsored actors to compromise large numbers of vulnerable servers, the record in the source shows. The Winter Vivern group used a reflected XSS exploit in February 2023 to breach Zimbra webmail portals and steal emails from NATO-aligned organizations and individuals, including government officials, military personnel, and diplomats. In October 2024, U.S. and U.K. cyber agencies warned that APT29 (also called Midnight Blizzard and Cozy Bear), linked to Russia's Foreign Intelligence Service (SVR), was targeting vulnerable Zimbra servers "at a mass scale" with an exploit previously abused to steal email account credentials. In March, the Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch another Zimbra XSS flaw (CVE-2025-66376) that attackers linked to APT28 used in operations against Ukrainian government entities. And in April, Shadowserver warned more than 10,500 Zimbra Collaboration Suite instances exposed online remained vulnerable to attacks exploiting CVE-2025-48700.

What this means for technologists, federal agencies, and enterprises

  • Technologists and security teams: prioritize installing ZCS v10.1.19 if you run the Classic Web Client; the advisory is explicit that the issue "only impacts the users of Classic Web Client." Expect to focus on email gateway filters and browser-session monitoring for indicators of XSS exploitation while patches are deployed.
  • Federal agencies and policymakers: the pattern of prior CISA directives and public warnings by U.S. and U.K. cyber agencies underscores the operational precedent for fast, coordinated patching programs. Agencies previously were ordered to patch CVE-2025-66376 in March; this advisory will likely trigger similar urgency for affected bureaucracies.
  • Affected enterprises and public-sector organizations: organizations that host Zimbra instances or provide hosted mail services should inventory exposed ZCS instances and apply ZCS v10.1.19 immediately, especially given Shadowserver's April finding that thousands of instances remain exposed online.

Zimbra's guidance is unambiguous: upgrade the Classic Web Client to ZCS v10.1.19 as soon as possible. The technical fix is straightforward; the strategic complication is the environment — a large, widely deployed collaboration suite with known precedent for mass exploitation by state-linked actors. Whether operators will patch fast enough to stay ahead of opportunistic or targeted attackers remains the immediate operational question.

Source: https://www.bleepingcomputer.com/news/security/zimbra-urges-customers-to-patch-critical-web-client-xss-flaw/