Zimbra in the crosshairs of attackers: more than 10,500 exposed servers and an already exploited vulnerability


More than 10,500 Zimbra instances exposed on the Internet remain vulnerable to active attacks, according to monitoring by the security non-profit Shadowserver, and the flaw involved (CVE-2025-48700) has already been identified as exploited in the wild by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Zimbra is a mail and collaboration platform widely deployed in governments and companies; this combination of popularity and exposed servers makes any critical flaw a high-value target for criminal and state actors.

In technical terms, CVE-2025-48700 is a cross-site scripting (XSS) vulnerability that allows arbitrary JavaScript to run in the context of the user's session when a malicious message is viewed in the classic Zimbra interface. According to the vendor's advisory, exploitation does not require any additional user interaction, which increases its danger: simply opening a message can lead to credential theft, session hijacking and the exfiltration of emails.


Synacor published patches in June 2025 for the affected versions (including ZCS 8.8.15, 9.0, 10.0 and 10.1), and since then researchers have described campaigns that take advantage of similar flaws to deliver obfuscated JavaScript payloads and steal information from within vulnerable webmail sessions. You can check the public record of the flaw in the NVD national vulnerability database (CVE-2025-48700 in NVD) and Zimbra's own security advisory and patches in the Zimbra / Synacor wiki (Zimbra security advisories).

The recognized risk was sufficient for CISA to add the vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue and to issue guidance for federal agencies to mitigate it as a priority. Addition to the KEV catalogue carries accelerated remediation obligations for certain entities and, above all, serves as an indicator that exploitation is taking place in the real world: CISA entry in the KEV catalogue.

Shadowserver, which tracks exposed services, reports that most of the unpatched servers are in Asia and Europe, indicating a wide window of opportunity for attackers. Historically, Zimbra flaws have been used by known APTs, such as APT28 (Fancy Bear) and APT29 (Cozy Bear), for phishing campaigns that do not depend on attachments or macros but live entirely in the mail's HTML and use XSS to run malicious payloads when the victim opens the message.

What specific risk does this pose to your organization? A compromised webmail server allows an attacker to collect incoming and outgoing emails, intercept authentication tokens, pivot to other internal systems and mount impersonation campaigns from legitimate addresses. In government or critical infrastructure environments, exposure can result in loss of intelligence, leakage of sensitive data or initial access for larger attacks.

The recommended immediate action is to apply the official Zimbra patches without delay and validate the installation. If an immediate patch is not possible for operational reasons, temporary mitigations that reduce risk include restricting public access to the webmail to trusted IP ranges or a VPN, implementing Web Application Firewall (WAF) rules to block suspicious payloads in email bodies, forcing credential resets and enabling multifactor authentication for all webmail users. Shadowserver maintains a public dashboard with metrics on affected servers that can help prioritize detection: Shadowserver dashboard on CVE-2025-48700.


Patching is not enough: it is essential to determine whether a compromise has already occurred. Organizations should look for abnormal access indicators in the mail and web logs, review message headers and bodies for obfuscated JavaScript patterns, audit accounts with off-schedule activity and monitor outgoing connections from mail servers. If a compromise is confirmed, the response should include containment of the affected server, forensic analysis, rotation of credentials and notification of the affected parties and the competent authorities in accordance with applicable rules.

The recurrence of campaigns that abuse vulnerabilities in Zimbra demonstrates two realities: the critical role of mail as an attack vector and the slow pace at which many administrators apply updates to exposed services. IT and cybersecurity leaders should prioritize basic hygiene (rapid patching, access segmentation and strong authentication), because in practice these are the measures that most effectively reduce the attack surface against campaigns that are already automated and ongoing.

If you need official documentation to manage the patch or remediation, consult the vendor's pages and the security agency advisories to make sure you apply the correct fixes and the recommended temporary mitigations. The window to act is short: the exposed servers remain active targets, and each day without a patch increases the likelihood of intrusion.
