News

Critical Zimbra Flaw Could Allow Arbitrary Code Execution via Crafted Emails

Zimbra warns of a critical stored XSS vulnerability in its Classic Web Client that could lead to arbitrary code execution through crafted emails.

A newly disclosed vulnerability in Zimbra's Classic Web Client allows attackers to execute malicious scripts via crafted emails, potentially compromising mailbox data and user sessions. Users are urged to update to version 10.1.19 for protection.

Critical Zimbra Flaw Could Allow Arbitrary Code Execution via Crafted Emails

Zimbra has issued an urgent advisory for customers to apply updates to address a critical security vulnerability in its Classic Web Client. The flaw, described as a stored cross-site scripting (XSS) vulnerability, could allow specially crafted emails to execute malicious scripts within a user's session, potentially leading to arbitrary code execution.

Vulnerability Details

The vulnerability, which has not yet been assigned a CVE identifier, enables attackers to inject malicious JavaScript into victims' browsers. This can result in session hijacking, credential theft, and unauthorized access to mailbox information, session data, or account settings. Stored XSS vulnerabilities are particularly dangerous because the malicious script is permanently stored on the target server, compromising any user who views the affected page.

Historical Context and Risks

While Zimbra has not confirmed any active exploitation of this vulnerability, XSS flaws in Zimbra have been a recurring issue. In December 2021, threat actors were observed attempting to weaponize similar vulnerabilities. Last October, a stored XSS flaw (CVE-2025-27915) was alleged to have been exploited in attacks targeting the Brazilian military, though Zimbra found no evidence to support the claim. Other exploited XSS flaws include CVE-2023-37580 and CVE-2024-27443.

Given the high potential for abuse, Zimbra strongly recommends users update to Zimbra Collaboration Suite version 10.1.19 to mitigate the risk. Failure to apply the update could leave users vulnerable to serious security threats.

Conclusion

The disclosure of this vulnerability highlights the ongoing challenges of securing web applications against XSS attacks. Users are advised to prioritize updates and maintain vigilance to protect against emerging threats.