Zimbra is urging customers to immediately patch a critical stored cross-site scripting (XSS) vulnerability affecting the Classic Web Client, the Ajax-based interface used to access the Zimbra Collaboration Suite (ZCS). The flaw has not yet received a CVE identifier.
Zimbra is one of the most widely deployed email and collaboration platforms, used by hundreds of millions of users, thousands of businesses, and hundreds of government agencies globally. The Classic Web Client, also known as the Classic UI, remains popular because it loads faster and uses fewer resources than Zimbra’s modern web interface, particularly when handling large mail folders.
The company shipped ZCS 10.1.19 this week to address the issue. Attackers can exploit the vulnerability through specially crafted emails that execute malicious code the moment a victim opens the message. Successful exploitation could allow threat actors to steal session tokens, account configuration data, or full mailbox contents.
“Any customer using the Classic Web Client should upgrade to ZCS v10.1.19 as soon as possible, as this issue only impacts the users of Classic Web Client,” Zimbra said in its advisory, adding that upgrading is strongly recommended to keep environments secure.
Zimbra has not confirmed active exploitation of this specific flaw. It was reported by Google’s Threat Analysis Group (TAG), which regularly identifies zero-day exploits used by state-sponsored actors against high-risk targets such as journalists, dissidents, and opposition politicians.
A recurring target for Russian state hackers
Zimbra’s webmail platform has been repeatedly targeted by Russian-linked hacking groups in recent years. In February 2023, the Winter Vivern group used a reflected XSS exploit to compromise Zimbra portals and steal emails from NATO-aligned organizations, including government officials, military personnel, and diplomats.
In October 2024, U.S. and U.K. cybersecurity agencies warned that APT29 (Midnight Blizzard, Cozy Bear), linked to Russia’s SVR, was exploiting a known Zimbra flaw at mass scale to steal credentials. More recently, in March, CISA ordered federal agencies to patch a separate Zimbra XSS bug (CVE-2025-66376) exploited by APT28-linked actors targeting Ukrainian government entities. In April, Shadowserver reported that over 10,500 internet-exposed ZCS instances remained vulnerable to attacks exploiting another XSS flaw, CVE-2025-48700.
Given this pattern of sustained targeting, security teams running Zimbra Classic Web Client should prioritize the upgrade to 10.1.19 without delay.
