
10,500 Zimbra servers still exposed as CISA confirms active XSS exploitation

via BleepingComputer


Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks


Shadowserver reports more than 10,500 internet-facing Zimbra Collaboration Suite instances remain unpatched against CVE-2025-48700, a zero-click XSS flaw in the Classic UI that fires the moment a crafted email is viewed. Synacor shipped fixes in June 2025, but exposure is concentrated in Asia (3,794) and Europe (3,793), leaving a large attack surface across government and enterprise deployments that rely on Zimbra for email.

CISA added the bug to its Known Exploited Vulnerabilities catalog this week and gave federal civilian agencies a three-day window, expiring April 23, to remediate. The agency did not attribute the in-the-wild activity, but Zimbra XSS chains have a long exploitation history: APT28 weaponized the related CVE-2025-66376 against Ukrainian government and hydrology targets in an email-body-only attack dubbed Operation GhostMail, and APT29 and Winter Vivern previously ran mass-scale credential and mailbox theft campaigns against the same platform.

The pattern is consistent — Zimbra’s webmail rendering path keeps producing unauthenticated, zero-interaction XSS primitives that state-aligned operators convert into espionage tooling within months of disclosure. Defenders running 8.8.15, 9.0, 10.0, or 10.1 should treat patch latency as equivalent to mailbox compromise risk.


This is an AI-generated summary. Read the original for the full story.