
Over 10,500 Zimbra servers still vulnerable to actively-exploited XSS as CISA gives federal agencies just three days to patch (CVE-2025-48700)

Shadowserver scan data published Friday shows over 10,500 Zimbra Collaboration Suite instances still unpatched against CVE-2025-48700, a Classic-UI XSS that Synacor fixed in June 2025 but that CISA only added to KEV on April 20. Exposed servers split nearly evenly between Asia (3,794) and Europe (3,793). The flaw fires when a victim merely views a crafted email in the Classic UI, with no click required, and the attacker's JavaScript then runs inside the victim's authenticated session, where it can read the mailbox and retrieve MFA backup codes. Zimbra is a recurring APT target: Russia's Winter Vivern, APT29, and APT28 have all run Zimbra-XSS campaigns against NATO and Ukrainian targets.

Check
If you run Zimbra anywhere - including subsidiaries, acquired companies, and overseas regional offices - confirm patch status against CVE-2025-48700 today: run zmcontrol -v as the zimbra user on each instance and compare the reported release and patch level against the June 2025 security patch for that branch.
Affected
Zimbra Collaboration Suite 8.8.15, 9.0, 10.0, and 10.1 without the June 2025 security patches. Exploitation requires a user to view a crafted email in the Classic UI; servers using only the Modern UI are not exposed via this specific flaw, but related issues are addressed by the same patch. CVSS 6.1.
Fix
Apply the June 2025 patches across all instances. Where immediate patching is impossible, switch users to the Modern UI as a stopgap and remove webmail from direct internet exposure. Audit the past 60 days of mailbox audit logs for unusual TGZ archive creation, MFA backup-code retrieval, application-password generation, and bulk address-book access. Rotate application passwords issued during the vulnerable window, and reissue MFA backup codes for any account whose codes were retrieved, since the script runs with the victim's own session and leaves no separate login to spot.
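The log audit described above, as an added example that is not part of the original article and not Zimbra's own tooling: a Python triage script that walks audit-log lines, discards anything older than the 60-day look-back, and flags the four indicators (TGZ export, MFA backup-code retrieval, application-password creation, and bursts of address-book reads). The line format, the operation names (GenerateScratchCodesRequest, CreateAppSpecificPasswordRequest, GetContactsRequest, ExportContactsRequest, the fmt=tgz export URL), the burst threshold and the sample lines are all constructed assumptions for the example; check them against what your own mailbox.log or audit.log actually emits before relying on the output.

```python
"""Triage Zimbra mailbox audit logs for post-exploitation indicators.

Assumed line shape (constructed for this example; adjust LINE_RE to match
the log your installation writes):
  <date> <time>,<ms> <LEVEL> [<thread>] [name=<account>;mid=<n>;ip=<addr>;...] <category> - <operation>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+\w+\s+\[[^\]]*\]\s+"
    r"\[(?P<ctx>[^\]]*)\]\s+(?P<cat>\w+)\s+-\s+(?P<op>.+?)\s*$"
)

# Indicators keyed by operation name. These names are assumptions for the
# example; substitute the operation strings that appear in your own logs.
ONE_SHOT = {
    "GenerateScratchCodesRequest": "mfa_backup_codes_retrieved",
    "CreateAppSpecificPasswordRequest": "app_password_created",
}
CONTACT_OPS = {"GetContactsRequest", "ExportContactsRequest"}
TGZ_RE = re.compile(r"fmt=tgz", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match LINE_RE."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ctx = dict(kv.split("=", 1) for kv in m["ctx"].split(";") if "=" in kv)
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "account": ctx.get("name", "?"),
        "ip": ctx.get("ip", "?"),
        "op": m["op"],
    }


def max_burst(times, minutes):
    """Largest number of events that fall inside any window of `minutes`."""
    times = sorted(times)
    span = timedelta(minutes=minutes)
    best = j = 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= span:
            j += 1
        best = max(best, j - i)
    return best


def triage(lines, now, window_days=60, bulk_threshold=5, bulk_minutes=10):
    """Map account -> list of (indicator, timestamp, detail) inside the window.

    bulk_threshold / bulk_minutes are constructed defaults; tune them to what
    normal address-book use looks like for your users.
    """
    cutoff = now - timedelta(days=window_days)
    findings = defaultdict(list)
    contact_times = defaultdict(list)
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["ts"] < cutoff:
            continue  # unparsable, or outside the look-back window
        op = ev["op"]
        if op in ONE_SHOT:
            findings[ev["account"]].append((ONE_SHOT[op], ev["ts"], ev["ip"]))
        elif TGZ_RE.search(op):
            findings[ev["account"]].append(("tgz_export", ev["ts"], ev["ip"]))
        elif op in CONTACT_OPS:
            contact_times[ev["account"]].append(ev["ts"])
    for account, times in contact_times.items():
        n = max_burst(times, bulk_minutes)
        if n >= bulk_threshold:
            detail = f"{n} calls within {bulk_minutes} min"
            findings[account].append(("bulk_contact_access", min(times), detail))
    return dict(findings)


def accounts_to_rotate(findings):
    """Accounts whose application passwords were created inside the window."""
    return sorted(a for a, hits in findings.items()
                  if any(ind == "app_password_created" for ind, _, _ in hits))


# Constructed sample lines (not real log data). dave's entry is deliberately
# older than 60 days so it is dropped by the look-back filter.
SAMPLE_LOG = """\
2026-04-21 09:14:02,118 INFO  [qtp-23] [name=alice@example.com;mid=12;ip=203.0.113.7;ua=zclient/10.1.1;] soap - GetMsgRequest
2026-04-21 09:14:09,402 INFO  [qtp-23] [name=alice@example.com;mid=12;ip=203.0.113.7;ua=zclient/10.1.1;] soap - GenerateScratchCodesRequest
2026-04-21 09:14:31,007 INFO  [qtp-25] [name=alice@example.com;mid=12;ip=203.0.113.7;ua=zclient/10.1.1;] soap - CreateAppSpecificPasswordRequest
2026-04-21 09:15:10,550 INFO  [qtp-25] [name=alice@example.com;mid=12;ip=203.0.113.7;ua=zclient/10.1.1;] rest - GET /home/alice@example.com/?fmt=tgz
2026-04-22 11:02:01,301 INFO  [qtp-30] [name=bob@example.com;mid=17;ip=198.51.100.4;ua=zclient/10.1.1;] soap - GetContactsRequest
2026-04-22 11:02:33,912 INFO  [qtp-30] [name=bob@example.com;mid=17;ip=198.51.100.4;ua=zclient/10.1.1;] soap - GetContactsRequest
2026-04-22 11:03:05,144 INFO  [qtp-30] [name=bob@example.com;mid=17;ip=198.51.100.4;ua=zclient/10.1.1;] soap - GetContactsRequest
2026-04-22 11:03:48,600 INFO  [qtp-31] [name=bob@example.com;mid=17;ip=198.51.100.4;ua=zclient/10.1.1;] soap - GetContactsRequest
2026-04-22 11:04:20,077 INFO  [qtp-31] [name=bob@example.com;mid=17;ip=198.51.100.4;ua=zclient/10.1.1;] soap - GetContactsRequest
2026-04-22 11:05:30,233 INFO  [qtp-31] [name=bob@example.com;mid=17;ip=198.51.100.4;ua=zclient/10.1.1;] soap - ExportContactsRequest
2026-04-22 14:40:11,900 INFO  [qtp-31] [name=carol@example.com;mid=19;ip=198.51.100.9;ua=zclient/10.1.1;] soap - GetMsgRequest
2026-04-22 14:41:00,120 INFO  [qtp-31] [name=carol@example.com;mid=19;ip=198.51.100.9;ua=zclient/10.1.1;] soap - GetContactsRequest
2026-04-22 16:20:00,450 INFO  [qtp-33] [name=carol@example.com;mid=19;ip=198.51.100.9;ua=zclient/10.1.1;] soap - GetContactsRequest
2026-01-05 08:00:00,000 INFO  [qtp-2] [name=dave@example.com;mid=21;ip=198.51.100.20;ua=zclient/10.1.1;] soap - CreateAppSpecificPasswordRequest
""".splitlines()

NOW = datetime(2026, 4, 25)  # constructed "now" so the sample run is deterministic


def run_sample():
    """Triage the constructed sample against the constructed NOW."""
    return triage(SAMPLE_LOG, NOW)


if __name__ == "__main__":
    hits = run_sample()
    for account, events in hits.items():
        for indicator, when, detail in events:
            print(f"{account}\t{indicator}\t{when:%Y-%m-%d %H:%M}\t{detail}")
    print("rotate application passwords for:", accounts_to_rotate(hits))
```

Pipe the real log through triage() with now=datetime.now() and your own window; the burst check is what turns ordinary address-book reads into a signal, so set bulk_threshold from a baseline of normal use rather than from the sample value.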