Zimbra urges customers to apply updates
Zimbra has advised customers to install a software update after identifying a critical vulnerability affecting the Classic Web Client. According to the vendor, the flaw could allow specially crafted emails to execute malicious code in a user's session. If exploited, Zimbra warned, the issue "could allow access to mailbox information, session data, or account settings." The company has recommended upgrading to Zimbra Collaboration Suite version 10.1.19 for optimal protection. The flaw had not been assigned a CVE identifier at the time of the advisory.
Stored cross-site scripting in the Classic Web Client
Zimbra described the problem as a case of stored cross-site scripting (XSS). In general, XSS occurs when an application includes untrusted data in a web page without proper validation or escaping, allowing attackers to inject and execute JavaScript in victims' browsers. The vendor detailed the risks associated with such injections: session hijacking, credential theft, and account compromise.
Zimbra specifically called this a stored, or persistent, XSS: the injected script is permanently stored on the target servers—typically in a database—and then delivered to any user who opens the affected content. In this instance, the vector is an email that, when opened in the Classic Web Client, could trigger the stored script.
Past Zimbra XSS incidents and related CVEs
Zimbra acknowledged that XSS flaws have attracted attackers previously. The vendor noted attempts to weaponize XSS as far back as December 2021. Last October, a stored XSS flaw in the Classic Web Client—tracked as CVE-2025-27915 with a CVSS score of 5.4—was alleged to have been exploited as a zero-day in attacks targeting the Brazilian military; Zimbra told The Hacker News at the time that it "found no evidence to back it up." Other XSS vulnerabilities that have been exploited by threat actors include CVE-2023-37580 and CVE-2024-27443.
What this means for Zimbra administrators, enterprise IT teams, and end users
- Zimbra administrators: Apply the vendor-supplied update to 10.1.19 promptly, and confirm whether the Classic Web Client is in use within your environment—this advisory centers on that client implementation.
- Enterprise IT teams: Treat the advisory as a configuration and patch-management priority; if the vulnerability were exploited, Zimbra’s advisory says attackers could access mailbox information, session data, or account settings, so review access logs and session management controls where feasible.
- End users: Be cautious with unexpected or suspicious emails, particularly when using the Classic Web Client, since a specially crafted message is the described delivery mechanism for the flaw.
Immediate step: install Zimbra Collaboration Suite 10.1.19
Zimbra's message to customers is straightforward: update. The vendor tied the fix specifically to the Classic Web Client and recommended version 10.1.19 as the route to optimal protection. Zimbra did not say the vulnerability had been observed in active exploitation, but it flagged the high potential for abuse inherent in stored XSS flaws—an observation underscored by the product's history of XSS-related incidents.
For now, the clear next step named by Zimbra is technical: deploy the update for the Classic Web Client to remove the opportunity for a specially crafted email to execute code in a user's session. Whether a CVE will be assigned, and whether further telemetry will indicate exploitation in the wild, remains to be reported.
Original reporting: The Hacker News




