Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes

Pierluigi Paganini July 10, 2026

Zimbra addressed a critical stored XSS vulnerability in its Classic Web Client that lets malicious emails execute code when opened.

Zimbra has released version 10.1.19 to fix a critical stored XSS vulnerability in its Classic Web Client, which is widely used to access Zimbra Collaboration. The flaw, which has not yet received a CVE ID, can be exploited by sending specially crafted emails that execute malicious code when opened in the Classic UI.  Successful exploitation could allow attackers to access to mailbox information, session data, or account settings.

“The update fixes a security issue in the Classic Web Client where a specially crafted email could run malicious code when the email is opened. If exploited, it could allow access to mailbox information, session data, or account settings.” reads the advisory

“We strongly recommend all customers to upgrade to ZCS v10.1.19 to ensure they have received the latest security patches, bug fixes, and enhancements.”

Google’s Threat Analysis Group discovered the vulnerability.

Although there is no evidence of active exploitation yet, organizations using the Classic Web Client should update as soon as possible.

Since the beginning of 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added [1, 2, 3] the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2025-68645 (CVSS score of 8.8) Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
  • CVE-2020-7796 (CVSS score of 9.8) Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
  • CVE-2025-66376 (CVSS score of 7.2) Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability.

In March, Russia-linked APT group, likely APT28  (aka UAC-0001, aka Fancy BearPawn StormSofacy GroupSednit, BlueDelta, and STRONTIUM), exploited the vulnerability CVE-2025-66376 in attacks against entities in Ukraine. Attackers used JavaScript in phishing emails to silently harvest credentials, session tokens, 2FA codes, saved passwords, and 90 days of mailbox data. Then they exfiltrated stolen data via DNS and HTTPS.

A national maritime agency was targeted on January 22 using a compromised student email. Seqrite Labs tracked this campaign as Operation GhostMail.

A phishing email targeted Ukraine’s State Hydrology Agency, part of critical infrastructure, using a compromised student account to appear legitimate. The message hid malicious JavaScript in the HTML body, exploiting a Zimbra XSS flaw (CVE-2025-66376).

Once opened, it executed in the user’s session, stealing credentials, tokens, emails, and 2FA data. The multi-stage payload used SOAP requests, DNS and HTTPS exfiltration, and enabled persistent access, allowing attackers to monitor accounts and extract up to 90 days of emails.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, XSS)



you might also like

leave a comment