Back to Feed
VulnerabilitiesJul 10, 2026

Zimbra urges customers to patch critical web client XSS flaw

Zimbra urges patching of critical XSS flaw in Classic Web Client.

Summary

Zimbra has released version 10.1.19 to address a critical stored cross-site scripting (XSS) vulnerability in its Classic Web Client. This flaw, reported by Google's Threat Analysis Group, can be exploited via specially crafted emails to steal session data and mailbox information. While not yet confirmed as exploited in the wild, Zimbra servers have been a frequent target for Russian state-sponsored hacking groups.

Full text

Zimbra urges customers to patch critical web client XSS flaw By Sergiu Gatlan July 10, 2026 07:47 AM 0 The Zimbra security team urged customers to patch a critical vulnerability affecting the Classic Web Client used to access the Zimbra Collaboration suite. Zimbra is a very popular email and collaboration software suite used by hundreds of millions of people, including thousands of businesses and hundreds of government agencies worldwide. Also known as the Classic UI, this Ajax-based webmail interface is faster than Zimbra's modern web client, which requires more resources when loading large email folders. The company released Zimbra 10.1.19 this Tuesday to patch this stored cross-site scripting (XSS) security flaw, which has yet to receive a CVE ID for easy tracking. Attackers can exploit this Classic Web Client security issue through specially crafted emails that execute malicious code when the email is opened. Successful exploitation could help threat actors steal session data, account settings, or mailbox information. "Any customer using the Classic Web Client should upgrade to ZCS v10.1.19 as soon as possible, as this issue only impacts the users of Classic Web Client," Zimbra warned. "We strongly recommend upgrading to this version to keep your environment secure." While Zimbra has not yet tagged this vulnerability as exploited in the wild, the flaw was reported by Google's Threat Analysis Group, which frequently flags zero-day exploits deployed by state-backed hacking groups in cyberattacks targeting high-risk individuals, including opposition politicians, dissidents, and journalists. Targeting by Russian state hackers Zimbra security issues have been frequently exploited in attacks by Russian state-sponsored hackers in recent years to compromise thousands of vulnerable servers. For instance, the Russian-sponsored Winter Vivern hacking group used a reflected XSS exploit to breach Zimbra webmail portals in February 2023, stealing emails from NATO-aligned organizations and individuals, including government officials, military personnel, and diplomats. In October 2024, U.S. and U.K. cyber agencies have also warned that APT29 (also known as Midnight Blizzard and Cozy Bear) hackers working for Russia's Foreign Intelligence Service (SVR) were targeting vulnerable Zimbra servers"at a mass scale" using an exploit that targeted a flaw previously abused to steal email account credentials. More recently, in March, the Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch another Zimbra XSS flaw (CVE-2025-66376) exploited by hackers linked to the APT28 group (linked to Russia's military intelligence service) in attacks targeting Ukrainian government entities. In April, nonprofit security organization Shadowserver warned that over 10,500 Zimbra Collaboration Suite (ZCS) instances exposed online were still vulnerable to ongoing attacks exploiting another cross-site scripting (XSS) security flaw (tracked as CVE-2025-48700). Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: Google: Hackers exploited Zimbra zero-day in attacks on govt orgsHackers exploit Roundcube flaw to spy on academic researchersOver 900 Oracle E-Business instances exposed to ongoing attacksMicrosoft patches Exchange Server zero-day exploited in attacksHidden backdoor in Tenda router firmware grants admin access

Indicators of Compromise

  • cve — CVE-2025-66376
  • cve — CVE-2025-48700

Entities

Zimbra Collaboration suite (product)Classic Web Client (product)Zimbra (vendor)Winter Vivern (threat_actor)APT29 (threat_actor)Midnight Blizzard (threat_actor)