Zimbra urges customers to patch critical web client XSS flaw

The Zimbra security team urged customers to patch a critical vulnerability affecting the Classic Web Client used to access the Zimbra Collaboration suite.

Zimbra is a very popular email and collaboration software suite used by hundreds of millions of people, including thousands of businesses and hundreds of government agencies worldwide. Also known as the Classic UI, this Ajax-based webmail interface is faster than Zimbra’s modern web client, which requires more resources when loading large email folders.

The company released Zimbra 10.1.19 this Tuesday to patch this stored cross-site scripting (XSS) security flaw, which has yet to receive a CVE ID for easy tracking. Attackers can exploit this Classic Web Client security issue through specially crafted emails that execute malicious code when the email is opened.

Successful exploitation could help threat actors steal session data, account settings, or mailbox information.

“Any customer using the Classic Web Client should upgrade to ZCS v10.1.19 as soon as possible, as this issue only impacts the users of Classic Web Client,” Zimbra warned. “We strongly recommend upgrading to this version to keep your environment secure.”

While Zimbra has not yet tagged this vulnerability as exploited in the wild, the flaw was reported by Google’s Threat Analysis Group, which frequently flags zero-day exploits deployed by state-backed hacking groups in cyberattacks targeting high-risk individuals, including opposition politicians, dissidents, and journalists.

Zimbra security issues have been frequently exploited in attacks by Russian state-sponsored hackers in recent years to compromise thousands of vulnerable servers.

For instance, the Russian-sponsored Winter Vivern hacking group used a reflected XSS exploit to breach Zimbra webmail portals in February 2023, stealing emails from NATO-aligned organizations and individuals, including government officials, military personnel, and diplomats.

In October 2024, U.S. and U.K. cyber agencies have also warned that APT29 (also known as Midnight Blizzard and Cozy Bear) hackers working for Russia’s Foreign Intelligence Service (SVR) were targeting vulnerable Zimbra servers”at a mass scale” using an exploit that targeted a flaw previously abused to steal email account credentials.

More recently, in March, the Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch another Zimbra XSS flaw (CVE-2025-66376) exploited by hackers linked to the APT28 group (linked to Russia’s military intelligence service) in attacks targeting Ukrainian government entities.

In April, nonprofit security organization Shadowserver warned that over 10,500 Zimbra Collaboration Suite (ZCS) instances exposed online were still vulnerable to ongoing attacks exploiting another cross-site scripting (XSS) security flaw (tracked as CVE-2025-48700).

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Google: Hackers exploited Zimbra zero-day in attacks on govt orgs

Hackers exploit Roundcube flaw to spy on academic researchers

Over 900 Oracle E-Business instances exposed to ongoing attacks

Microsoft patches Exchange Server zero-day exploited in attacks

Hidden backdoor in Tenda router firmware grants admin access

Accenture confirms breach after hacker offers stolen data for sale

Police arrests 5,800 suspects in global anti-fraud crackdown

BeyondTrust warns of critical flaws in remote access software

Your Scanners Are Green. Your Pipeline Might Not Be. Here’s How to Close the Gap.

Software is moving at the speed of thought. Is your security keeping up?

Overdue a password health-check? Audit your Active Directory for free

#1 MSP Benchmark report 2026: Insights from 1,000+ MSPs on growth, security, artificial intelligence, and key 2026 trends.

Terms of Use – Privacy Policy – Ethics Statement – Affiliate Disclosure

Read our posting guidelinese to learn what content is prohibited.