CVE-2025-48700

Zimbra ZCS — Stored XSS in Classic UI via Crafted Email HTML with @import Directives
CVSS 3.1: 6.1 / 10 (MEDIUM). Listed in the CISA Known Exploited Vulnerabilities catalog.

What is Zimbra Collaboration Suite?

Zimbra Collaboration Suite (ZCS), developed and maintained by Synacor, is a widely deployed enterprise email and collaboration platform that includes webmail, calendar, contacts, file sharing, and task management. It is used by hundreds of millions of users worldwide across thousands of businesses, universities, healthcare organizations, and government agencies — including many that run their own on-premises Zimbra installations.

Zimbra is a persistent target for nation-state and cybercriminal threat actors. Its Classic UI — the HTML-based web client interface that has been part of Zimbra since early versions — has been the source of multiple XSS vulnerabilities over the years. Because email-based XSS requires only that a victim view a malicious message, Zimbra XSS flaws offer a low-friction, high-yield attack path against high-value targets.

Overview

Actively Exploited — Urgent Deadline. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 20, 2026 with a remediation deadline of April 23, 2026, only three days later. The extremely short remediation window reflects CISA's assessment that exploitation is urgent. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2025-48700 is a Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI webmail client. The flaw stems from insufficient sanitization of HTML email content — specifically involving crafted tag structures and attribute values that include CSS @import directives and other script injection vectors. When a Zimbra user views a specially crafted email message in the Classic UI, arbitrary JavaScript executes within their browser session, with no additional interaction beyond opening the email.

Affected Versions

Status      Zimbra Collaboration Suite Version   Fixed In
Vulnerable  ZCS 8.8.15 (prior to Patch 47)       8.8.15 Patch 47
Vulnerable  ZCS 9.0 (prior to Patch 43)          9.0.0 Patch 43
Vulnerable  ZCS 10.0 (prior to 10.0.12)          10.0.12
Vulnerable  ZCS 10.1 (prior to 10.1.4)           10.1.4

Technical Details

The vulnerability exists in the HTML rendering engine of Zimbra's Classic UI (the traditional HTML-based web client, as opposed to the modern "New Zimbra" interface). The Classic UI processes and displays HTML-formatted email messages. The sanitizer responsible for stripping dangerous HTML tags, attributes, and CSS is insufficiently robust against certain crafted inputs.

Root cause: The sanitizer fails to neutralize specific combinations of:

  • CSS @import directives embedded in style attribute values — allowing loading of external stylesheets that can contain JavaScript execution triggers
  • Crafted tag structures that bypass the sanitizer's parsing logic
  • Other script injection vectors involving attribute values the sanitizer does not recognize as dangerous

The result is a stored XSS (or reflected XSS via email delivery): when a Zimbra Classic UI user opens the crafted email in their browser, the malicious JavaScript executes in the context of their authenticated Zimbra session.

What an attacker's JavaScript can do in a user's session:

  • Read the victim's email, calendar events, and contacts
  • Send emails on behalf of the victim (phishing propagation, BEC)
  • Extract session cookies or tokens for account takeover
  • Perform account configuration changes (forwarding rules, password changes)
  • Access shared files and documents

Attack characteristics:

  • Authentication required: None for attacker (just send the crafted email)
  • Attack complexity: Low
  • User interaction: Required — victim must view the email in the Classic UI
  • Scope: Changed (JavaScript executes in the victim's browser context)

Discovery

CVE-2025-48700 was reported to Synacor and published on June 23, 2025. Zimbra released patches for all affected branches (8.8.15, 9.0, 10.0, 10.1) at the time of disclosure. CISA confirmed active exploitation and added the CVE to the KEV catalog on April 20, 2026, with an unusually short three-day remediation deadline — a strong signal that exploitation was assessed as imminent or ongoing against high-value targets.

Exploitation Context

Zimbra XSS vulnerabilities have a well-established exploitation history. Multiple prior Zimbra XSS flaws (including CVE-2023-37580 and CVE-2025-27915) have been exploited by nation-state actors — including groups targeting government agencies, military organizations, and intelligence targets — to silently steal email content, harvest credentials, and maintain persistent access to compromised accounts.

The three-day CISA deadline for CVE-2025-48700 aligns with historical CISA urgency patterns for Zimbra vulnerabilities where exploitation against government or critical infrastructure targets has been observed. SecurityWeek confirmed the Zimbra flaw was being used in active attacks alongside Cisco SD-WAN and Kentico Xperience vulnerabilities added to the KEV catalog in the same batch.

Remediation

CISA BOD 22-01 Deadline: April 23, 2026. The three-day window underscores urgency. Apply patches now.

  1. Apply the Zimbra patch for your version immediately:
    • ZCS 8.8.15 → install Patch 47 or later
    • ZCS 9.0 → install Patch 43 or later
    • ZCS 10.0 → upgrade to 10.0.12 or later
    • ZCS 10.1 → upgrade to 10.1.4 or later
    • Follow Zimbra's official instructions at wiki.zimbra.com/wiki/Zimbra_Security_Advisories

  2. If immediate patching is not feasible, consider temporarily disabling the Classic UI and directing users to the modern Zimbra web interface, which uses a different rendering engine. Consult your Zimbra documentation for how to enforce this.

  3. Audit mail server logs for suspicious outbound email traffic or unusual access patterns that may indicate session hijacking from exploit emails that have already been delivered.

  4. Educate users: although they cannot protect themselves by recognizing a malicious email (the exploit requires only that the email is opened in the Classic UI), users who notice unexplained account activity, forwarding rules, or sent emails they did not author should report it immediately.

  5. Review email security gateway rules: consider whether inbound HTML email could be sanitized or flagged before delivery to Zimbra. This may reduce exposure while patching is planned.
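As an added example (not Zimbra's sanitizer or any Synacor code), the following Python check implements the gateway-side flagging suggested in step 5 against the vector named in the root cause above: CSS @import directives in style attribute values or <style> blocks of an inbound HTML message. The two sample bodies and the external.example host are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Loose matching on purpose (case-insensitive, CSS comments stripped first):
# this flags messages for review at the gateway, it does not replace the patch.
_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
_IMPORT_RE = re.compile(r"@\s*import\b", re.I)

def css_has_import(css: str) -> bool:
    """True if the CSS text carries an @import directive after normalisation."""
    return _IMPORT_RE.search(_COMMENT_RE.sub("", css)) is not None

class _ImportFinder(HTMLParser):
    """Records every style attribute and <style> block that contains @import."""
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: list[str] = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:  # inline CSS on any tag, the advisory's vector
            if name == "style" and value and css_has_import(value):
                self.findings.append(f"<{tag} style=...>")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style and css_has_import(data):
            self.findings.append("<style> block")

def find_css_imports(html: str) -> list[str]:
    """Return where @import was found in the message body; [] means none."""
    finder = _ImportFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample bodies; external.example is a placeholder host.
BENIGN = '<p style="color:#333;font-family:Arial">Quarterly report attached.</p>'
SUSPECT = ('<div style="width:100%;@Import url(https://external.example/a.css)">'
           '<style>/* hidden */ @import "https://external.example/b.css";</style>'
           'Please review.</div>')

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, find_css_imports(body) or "clean")
```

A non-empty result is a reason to quarantine the message for review rather than deliver it to Classic UI users; legitimate marketing mail rarely needs @import, so false positives are cheap to triage.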

Key Details

Property              Value
CVE ID                CVE-2025-48700
Vendor / Product      Synacor — Zimbra Collaboration Suite (ZCS)
NVD Published         2025-06-23
NVD Last Modified     2026-04-21
CVSS 3.1 Score        6.1
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity              MEDIUM
CWE                   CWE-79 — Cross-site Scripting (XSS)
CISA KEV Added        2026-04-20
CISA KEV Deadline     2026-04-23
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     Required
Scope:                Changed
Confidentiality:      Low
Integrity:            Low
Availability:         None

Required Action

CISA BOD 22-01 Deadline: 2026-04-23. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-06-23  CVE-2025-48700 published; Zimbra releases patches for affected versions
2025-06-24  CISA-ADP adds CVSS vector and CWE classification
2026-04-20  Added to CISA Known Exploited Vulnerabilities catalog
2026-04-21  HKCERT issues advisory; CISA directs federal agencies to patch by April 23
2026-04-23  CISA BOD 22-01 remediation deadline (3-day window)