🟢 CVE-2025-48700

CVE-2025-48700 is a Cross-Site Scripting (XSS) vulnerability in Zimbra Collaboration Suite that executes JavaScript in users' email sessions when viewing crafted emails. While Zimbra is widely deployed as an internet-facing email server, this XSS vulnerability compromises user sessions rather than the server itself, making it unsuitable for T1190 direct server exploitation.

Risk Level: LOW_RISK
CVSS Score: 6.1
Attack Vector: NETWORK
ATT&CK Tactic: Execution
ATT&CK Technique: T1203 — Exploitation for Client Execution
Deployment Risk: VERY_HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2025-06-23

Added to CISA KEV: 2026-04-20 (301 days between CVE publication and KEV listing)

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-48700 is a critical Cross-Site Scripting (XSS) vulnerability affecting the Zimbra Collaboration (ZCS) Classic UI [1]. Below is a summary of the known details regarding this vulnerability.

Active Exploitation and Threat Actor Usage
  • Status: The vulnerability is confirmed to be under active exploitation in the wild [2].
  • CISA KEV: CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog in April 2026, citing evidence of active abuse [2].
  • Scope: As of April 2026, reports indicated that over 10,000 Zimbra servers remained vulnerable to exploitation [2] [5].
Attack Method and Requirements
  • Exploitation Type: This is a "zero-click" XSS vulnerability [4].
  • User Interaction: No additional user interaction is required beyond the victim viewing a specially crafted email message within the Zimbra Classic UI.
  • Mechanism: The flaw stems from insufficient sanitization of HTML content, which allows attackers to inject and execute arbitrary JavaScript within the context of the user's session [1] [6].
Impact
  • Access: Successful exploitation allows attackers to execute arbitrary JavaScript in the victim's session, potentially leading to unauthorized access to sensitive information and data theft [1] [7].
Affected Versions and Mitigation
  • Affected Versions: Zimbra Collaboration (ZCS) versions 8.8.15, 9.0, 10.0, and 10.1 are affected [1].
  • Patch Status: Zimbra has released security patches to address this issue by strengthening input sanitization in the Classic Web Client [3]. Organizations are strongly advised to apply the latest security updates provided by Zimbra to mitigate this risk.

Sources

  1. CVE-2025-48700 Details - NVD

    A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session. ... CVE-2025-48700 Detail Description An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) v…

  2. Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks

    On Monday, CISA flagged CVE-2025-48700 as being abused in the wild and added it to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. ... The vulnerability (tracked as CVE-2025-48700) affects ZCS 8.8.15, 9.0, 10.0, and 10.1 and can allow unauthenticated atta…

  3. Zimbra Security Advisories - Zimbra :: Tech Center

    This patch fixes a critical security vulnerability related to stored cross-site scripting in the Zimbra Classic Web Client. The fix strengthens input ...

  4. Zimbra Zero-Click XSS (CVE-2025-48700): How would you attack or ...

    The problem here is that the exploit is zero-click. If an attacker sends a malicious email and a user just previews it in the Zimbra Classic UI, ...

  5. Zimbra CVE-2025-48700 XSS Vulnerability Exploitation in 2026

    Over 10,000 Zimbra servers remain vulnerable to the CVE-2025-48700 XSS flaw, leading to active exploitation and unauthorized access risks in April 2026.

  6. An issue was discovered in Zimbra Collaboration (ZCS) 8.8... · CVE ...

    The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction. ... An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allow…

  7. CVE-2025-48700 - Vulnerability Details - OpenCVE

    A Cross-Site Scripting vulnerability exists in the Zimbra Classic UI, allowing an attacker to execute arbitrary JavaScript when a user views a crafted e-mail message. The flaw stems from insufficient sanitization of HTML content, especially tag structures that include an @import directive or other s…