Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes


Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes

Pierluigi Paganini
July 10, 2026

Zimbra addressed a critical stored XSS vulnerability in its Classic Web Client that lets malicious emails execute code when opened.

Zimbra has released version 10.1.19 to fix a critical stored XSS vulnerability in its Classic Web Client, which is widely used to access Zimbra Collaboration. The flaw, which has not yet received a CVE ID, can be exploited by sending specially crafted emails that execute malicious code when opened in the Classic UI.  Successful exploitation could allow attackers to access to mailbox information, session data, or account settings.

“The update fixes a security issue in the Classic Web Client where a specially crafted email could run malicious code when the email is opened. If exploited, it could allow access to mailbox information, session data, or account settings.” reads the advisory

“We strongly recommend all customers to upgrade to ZCS v10.1.19 to ensure they have received the latest security patches, bug fixes, and enhancements.”

Google’s Threat Analysis Group discovered the vulnerability.

Although there is no evidence of active exploitation yet, organizations using the Classic Web Client should update as soon as possible.

Since the beginning of 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added [1, 2, 3] the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2025-68645 (CVSS score of 8.8) Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
  • CVE-2020-7796 (CVSS score of 9.8) Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
  • CVE-2025-66376 (CVSS score of 7.2) Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability.

In March, Russia-linked APT group, likely APT28  (aka UAC-0001, aka Fancy BearPawn StormSofacy GroupSednit, BlueDelta, and STRONTIUM), exploited the vulnerability CVE-2025-66376 in attacks against entities in Ukraine. Attackers used JavaScript in phishing emails to silently harvest credentials, session tokens, 2FA codes, saved passwords, and 90 days of mailbox data. Then they exfiltrated stolen data via DNS and HTTPS.

A national maritime agency was targeted on January 22 using a compromised student email. Seqrite Labs tracked this campaign as Operation GhostMail.

A phishing email targeted Ukraine’s State Hydrology Agency, part of critical infrastructure, using a compromised student account to appear legitimate. The message hid malicious JavaScript in the HTML body, exploiting a Zimbra XSS flaw (CVE-2025-66376).

Once opened, it executed in the user’s session, stealing credentials, tokens, emails, and 2FA data. The multi-stage payload used SOAP requests, DNS and HTTPS exfiltration, and enabled persistent access, allowing attackers to monitor accounts and extract up to 90 days of emails.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, XSS)







Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


Sixteen years ago, The Social Network turned the origin story of Facebook into one of the most acclaimed films of the century. Now, Aaron Sorkin is back, and this time he is writing and directing. Sony Pictures dropped the first full trailer for The Social Reckoning today, and it is exactly as intense as you would hope.

This is technically not a direct sequel but a companion piece, and it is focused on what happened after Facebook grew from a dorm room idea into a platform that reshaped the world, and not always for the better.

What is The Social Reckoning actually about?

The film centers on Frances Haugen, a young Facebook engineer who, in 2021, leaked a massive trove of internal company documents to the Wall Street Journal, exposing how the platform knowingly amplified harm to teenagers and allowed misinformation to spread on a global scale.

That reporting, known as The Facebook Files, blew the lid off how Facebook handled its internal research. The tagline “Every revolution begins with a reckoning” frames the entire film as something bigger than a corporate scandal story.

Mikey Madison, who won the Best Actress Oscar for Anora, plays Haugen. Jeremy Allen White plays WSJ reporter Jeff Horwitz, who helped Haugen bring those secrets to light. The supporting cast includes Wunmi Mosaku, Betty Gilpin, Billy Magnussen, and Bill Burr.

Jeremy Strong as Mark Zuckerberg is the casting decision of the year

Jesse Eisenberg, who played Zuckerberg in the original and earned an Oscar nomination for it, declined to return for The Social Reckoning. Sorkin went with Jeremy Strong, the Succession lead, who has been phenomenal at playing a complicated man on the edge. The trailer shows him absolutely nailing Zuckerberg’s flat delivery and unsettling stillness.

When Strong was asked whether he had spoken to Eisenberg about the role, his answer was blunt. It had nothing to do with what he was going to do. That confidence is all over the trailer. Strong plays Zuckerberg as a man who has fully grown into his own power, dead-eyed and precise, describing himself with a straight face as a “professional defendant” while being prepped for congressional testimony.

Strong says the script of this movie is one of the greatest he has ever read, saying it touches the third rail of everything happening in the world right now. The Social Reckoning opens in theaters on October 9, 2026.



Source link