CVE-2024-27443

Zimbra ZCS — Stored XSS via X-Zimbra-Calendar-Intended-For Header, Exploited by APT28 in Operation RoundPress
⚠️ CVSS 3.1  6.1 / 10 — MEDIUM 🔴 CISA Known Exploited Vulnerability

What is Zimbra Collaboration Suite?

Zimbra Collaboration Suite (ZCS) is an enterprise email, calendar, and collaboration platform used by government agencies, defence organisations, and enterprises globally. Its Classic Web Client processes not only email body HTML but also metadata headers carried in messages, including calendar-related headers that say how an invitation should be handled. CVE-2024-27443 abuses one such header: the X-Zimbra-Calendar-Intended-For field, whose value is written into the page without sanitization when a calendar invitation is rendered in the Classic UI. The Modern UI does not render this header the same way and is not listed as affected.

Overview

Actively Exploited — APT28 Operation RoundPress. CVE-2024-27443 was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 19, 2025. ESET Research attributed exploitation to APT28 (Sednit), the Russian GRU unit responsible for the 2016 DNC breach, as part of a targeted campaign it named Operation RoundPress, which went after government and defence webmail accounts in Eastern Europe and beyond.

CVE-2024-27443 is a stored cross-site scripting (XSS) vulnerability in the CalendarInvite feature of the Zimbra Classic Web Client. When a user views an email message containing a calendar invitation in the Classic UI, the value of the X-Zimbra-Calendar-Intended-For email header is embedded into the page without input sanitization — allowing an attacker to inject a JavaScript payload that executes within the victim's authenticated Zimbra session.

Affected Versions

Status       Zimbra ZCS version              Fixed in
Vulnerable   ZCS 9.0.0 prior to Patch 39     ZCS 9.0.0 Patch 39
Vulnerable   ZCS 10.0.x prior to 10.0.7      ZCS 10.0.7

Technical Details

The vulnerability is in the CalendarInvite feature of the Zimbra Classic Web Client. When Zimbra processes an email message containing a calendar invitation, it reads the X-Zimbra-Calendar-Intended-For header to determine calendar routing. This header value is reflected into the HTML rendered in the Classic Web Client without proper escaping.

An attacker crafts an email containing:

  1. A valid calendar invitation structure (iCalendar format)
  2. A malicious X-Zimbra-Calendar-Intended-For header value containing a JavaScript payload

When the victim opens or previews the email in the Zimbra Classic Web Client, the header value is written into the page and the embedded JavaScript runs in the victim's authenticated session. From there the script can read the victim's mail and contacts, steal credentials and session material, and perform actions in the mailbox on the victim's behalf, all without any further interaction.

Attack characteristics:

  • Authentication required: No — any email sender can craft the malicious message
  • User interaction: Required — victim must open or preview the calendar invitation in the Classic UI
  • Delivery: Normal email channel — indistinguishable from a legitimate calendar invitation
  • Execution context: Victim's authenticated Zimbra session
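The inspection a mail gateway or an incident responder would run for this header, added here as an example that is not part of the original advisory or of Zimbra's code: it parses raw RFC 5322 messages with Python's `email` library, reads X-Zimbra-Calendar-Intended-For in decoded form (RFC 2047 encoded-words included, which a byte-level grep for `<` would miss), and flags any value that is not a plain address, since a legitimate value is a single addr-spec. The three messages are constructed samples, and the payload string is a generic XSS probe, not a working exploit.

```python
import base64
import re
from email import message_from_bytes
from email.policy import default

# Header abused by CVE-2024-27443. Its legitimate value is a single address,
# so anything that does not look like an addr-spec is worth a closer look.
HEADER = "X-Zimbra-Calendar-Intended-For"
ADDR_SPEC = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$")


def has_calendar_part(msg):
    """True if any MIME part is text/calendar, i.e. the message carries an iCalendar invitation."""
    return any(part.get_content_type() == "text/calendar" for part in msg.walk())


def inspect_message(raw: bytes) -> dict:
    """Parse one raw message and flag a suspicious X-Zimbra-Calendar-Intended-For value.

    email.policy.default unfolds the header and decodes RFC 2047 encoded-words, so a
    payload wrapped in =?UTF-8?B?...?= is checked in decoded form.
    """
    msg = message_from_bytes(raw, policy=default)
    header = msg.get(HEADER)
    decoded = None if header is None else str(header).strip()
    suspicious = decoded is not None and ADDR_SPEC.match(decoded) is None
    return {
        "from": str(msg.get("From", "")),
        "calendar": has_calendar_part(msg),
        "header": decoded,
        "suspicious": suspicious,
    }


def scan(messages) -> list:
    """Run inspect_message over (name, raw_bytes) pairs and return the names flagged."""
    return [name for name, raw in messages if inspect_message(raw)["suspicious"]]


# --- Constructed sample messages (not real traffic) ---------------------------
def build_invite(header_value: str) -> bytes:
    """Build a minimal text/calendar REQUEST carrying the given header value."""
    return (
        "From: alice@example.org\n"
        "To: bob@example.org\n"
        "Subject: Project sync\n"
        f"{HEADER}: {header_value}\n"
        "MIME-Version: 1.0\n"
        "Content-Type: text/calendar; method=REQUEST; charset=UTF-8\n"
        "\n"
        "BEGIN:VCALENDAR\nMETHOD:REQUEST\nBEGIN:VEVENT\nUID:1@example.org\n"
        "DTSTART:20250601T100000Z\nSUMMARY:Project sync\nEND:VEVENT\nEND:VCALENDAR\n"
    ).encode()


def encoded_word(text: str) -> str:
    """Wrap text as an RFC 2047 base64 encoded-word, as a sender hides non-ASCII (or a payload)."""
    return "=?UTF-8?B?" + base64.b64encode(text.encode()).decode() + "?="


PAYLOAD = "bob@example.org<script>alert(1)</script>"  # generic probe string, not an exploit
SAMPLES = [
    ("benign", build_invite("bob@example.org")),
    ("plain", build_invite(PAYLOAD)),
    ("encoded", build_invite(encoded_word(PAYLOAD))),
]

if __name__ == "__main__":
    for name, raw in SAMPLES:
        print(name, inspect_message(raw))
    print("flagged:", scan(SAMPLES))
```

Feed it messages from a quarantine or journal mailbox (the raw bytes of each, for example from an mbox via `mailbox.mbox`) and review everything it flags; the `calendar` field tells you whether the message also carries the text/calendar part that the Classic UI renders as an invitation.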

Discovery and Attribution

CVE-2024-27443 was patched by Zimbra in March 2024 (ZCS 9.0.0 Patch 39 and 10.0.7). The NVD published the CVE in August 2024. CISA added it to the KEV catalog in May 2025, over a year after the patch was available — based on evidence of active exploitation in the wild.

ESET Research published an analysis of Operation RoundPress — a campaign attributed to APT28 (also known as Sednit, Fancy Bear, and GRU Unit 26165) that exploited CVE-2024-27443 alongside other Zimbra and Roundcube webmail XSS vulnerabilities. Operation RoundPress targeted government agencies and defence organisations across Eastern Europe, consistent with APT28's longstanding focus on NATO-adjacent governments and organisations supporting Ukraine. APT28 is the same group attributed to the 2016 Democratic National Committee breach and to Operation GhostMail (CVE-2025-66376) targeting Ukrainian government webmail.

The repeated use of Zimbra XSS vulnerabilities by APT28 — exploiting CVE-2024-27443, then CVE-2025-66376 — demonstrates sustained strategic investment in webmail platform XSS as an intelligence collection mechanism.

Exploitation Context

The KEV addition in May 2025 — fourteen months after the patch was available — reflects a large pool of unpatched Zimbra instances that remained exploitable long after remediation guidance was published. APT28's Operation RoundPress specifically sought out government and defence organisations using older, unpatched Zimbra installations, consistent with the pattern across the broader Zimbra KEV cluster where nation-state actors return to the same unpatched platform after each new vulnerability disclosure.

Remediation

  1. Upgrade to ZCS 9.0.0 Patch 39 or ZCS 10.0.7 (or later) to apply the fix for CVE-2024-27443.
  2. Prioritise Classic Web Client users — identify high-value users (government officials, defence personnel, executives) still using the Classic Web Client and either enforce migration to the Modern UI or ensure they are on a patched version.
  3. Monitor for malicious calendar invitations from external senders — emails from unknown external sources containing calendar invitation attachments warrant closer inspection in environments where this CVE is a concern.
  4. Review and rotate credentials, and invalidate active sessions, for any Zimbra accounts on servers that were unpatched while receiving calendar invitations from external senders, particularly for high-value targets; a password change alone does not help if a stolen session token remains valid.
  5. Consult ESET's Operation RoundPress indicators of compromise for hunting guidance relevant to APT28 exploitation of this CVE.
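To decide step 1 quickly across a fleet, the following added example (not from the advisory or from Zimbra) parses the version line that `zmcontrol -v` prints on each mailbox host and compares it with the fixed releases listed under Affected Versions. The output shape shown in the comment is an assumption drawn from typical installations; verify it against your own hosts before trusting the verdict.

```python
import re

# Fixed releases per the advisory: 9.0.0 Patch 39 and 10.0.7.
FIXED_9_PATCH = 39
FIXED_10 = (10, 0, 7)

# Assumed shape of `zmcontrol -v` output (an assumption; check it on your hosts):
#   Release 9.0.0.GA.4390.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 9.0.0_P38.
#   Release 10.0.6.GA.4518.UBUNTU20.64 UBUNTU20_64 FOSS edition.
RELEASE_RE = re.compile(r"Release (\d+)\.(\d+)\.(\d+)")
PATCH_RE = re.compile(r"Patch (\d+)\.(\d+)\.(\d+)(?:_P(\d+))?")


def parse_zmcontrol(line: str) -> dict:
    """Extract the base release and, if present, the patch base version and _P level."""
    m = RELEASE_RE.search(line)
    if not m:
        raise ValueError(f"no Release field in: {line!r}")
    info = {"release": tuple(int(x) for x in m.groups()), "patch_base": None, "patch_level": 0}
    p = PATCH_RE.search(line)
    if p:
        info["patch_base"] = tuple(int(x) for x in p.groups()[:3])
        info["patch_level"] = int(p.group(4) or 0)
    return info


def is_vulnerable(line: str):
    """True if the reported version predates the CVE-2024-27443 fix, False if it is fixed,
    None if the release train is outside the two this advisory lists (for example 8.8.15),
    which then needs manual review."""
    info = parse_zmcontrol(line)
    major = info["release"][0]
    if major == 9:
        # 9.0.0 is fixed only from Patch 39; no "Patch" field means patch level 0.
        return info["patch_level"] < FIXED_9_PATCH
    if major == 10:
        # Some 10.x hosts report the patch as a full version (e.g. "Patch 10.0.7"),
        # so take whichever of the release or patch base is newer.
        effective = max(info["release"], info["patch_base"] or info["release"])
        return effective < FIXED_10
    return None


def triage(hosts: dict) -> dict:
    """Map host name -> verdict for a dict of host name -> zmcontrol -v line."""
    return {host: is_vulnerable(line) for host, line in hosts.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {
        "mbx1": "Release 9.0.0.GA.4390.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 9.0.0_P38.",
        "mbx2": "Release 9.0.0.GA.4390.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 9.0.0_P39.",
        "mbx3": "Release 10.0.6.GA.4518.UBUNTU20.64 UBUNTU20_64 FOSS edition.",
        "mbx4": "Release 10.0.7.GA.4518.UBUNTU20.64 UBUNTU20_64 FOSS edition.",
    }
    for host, verdict in triage(inventory).items():
        print(host, {True: "VULNERABLE", False: "fixed", None: "review manually"}[verdict])
```

Run `zmcontrol -v` as the zimbra user on each mailbox host, collect the lines, and pass them in; any host that comes back True, or None, goes to the top of the patch queue.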

Key Details

Property               Value
CVE ID                 CVE-2024-27443
Vendor / Product       Synacor — Zimbra Collaboration Suite (ZCS)
NVD Published          2024-08-12
NVD Last Modified      2025-10-31
CVSS 3.1 Score         6.1
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity               MEDIUM
CWE                    CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CISA KEV Added         2025-05-19
CISA KEV Deadline      2025-06-09
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                      Value
Attack Vector (AV)          Network
Attack Complexity (AC)      Low
Privileges Required (PR)    None
User Interaction (UI)       Required
Scope (S)                   Changed
Confidentiality (C)         Low
Integrity (I)               Low
Availability (A)            None

Scope is Changed because the injected script runs in the victim's browser, not in the mail server that holds the vulnerable code; User Interaction is Required because the victim has to open or preview the invitation.

Required Action

CISA BOD 22-01 Deadline: 2025-06-09. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2024-03-01    Zimbra releases fix: ZCS 9.0.0 Patch 39 and ZCS 10.0.7
2024-08-12    CVE-2024-27443 published at NVD
2025-05-19    Added to CISA Known Exploited Vulnerabilities catalog following ESET Research's Operation RoundPress report documenting APT28 exploitation
2025-06-09    CISA BOD 22-01 remediation deadline

References

Resource                                                                      Type
NVD — CVE-2024-27443                                                          Vulnerability database
Zimbra Release Notes — 9.0.0 Patch 39                                         Vendor advisory / patch
Zimbra Release Notes — 10.0.7                                                 Vendor advisory / patch
ESET Research — Operation RoundPress (APT28/Sednit targeting webmail)         Security research
CISA KEV Catalog entry                                                        US government
CISA BOD 22-01                                                                Remediation directive
CWE-79 — Cross-site Scripting                                                 Weakness classification