Zimbra is racing to close a dangerous hole in its email software, and users need to patch without delay. For those unfamiliar, Zimbra is a widely used email and collaboration platform, relied on by hundreds of millions of people, thousands of businesses, and hundreds of government agencies worldwide, so a single flaw can expose vast troves of sensitive communication at once. The company warned of a critical bug in its Classic Web Client that lets attackers run malicious code inside a victim’s session. Alarmingly, the trigger is simply opening a booby-trapped email.
The bug is a stored cross-site scripting flaw, or XSS, and it has not yet received a CVE tracking ID. These flaws appear when an app drops untrusted data into a web page without cleaning it first. In this case, the vulnerability lives in how the Classic Web Client renders email content. So an attacker can hide malicious JavaScript in a crafted message, and that code runs the instant the email opens. No extra clicks are needed, which makes the attack quietly effective.
Once the script fires, it can grant access to mailbox contents, session data, and account settings. From there, attackers can hijack sessions, steal credentials, and take over accounts. Worse still, because the payload is stored, it lingers in the mailbox and can fire again each time the email is viewed. Security researchers note this widens the attack window and makes stored XSS especially dangerous, since it runs inside an already-authenticated session.
The discovery carries extra weight given who found it. Google’s Threat Analysis Group reported the flaw, and that team often uncovers bugs already used by state-backed hackers. Zimbra says it has no evidence of active exploitation yet, though it has rated the patch severity as “High.” History offers little comfort here. Russian groups like Winter Vivern and APT29 have repeatedly weaponized Zimbra XSS flaws to steal emails from government, military, and diplomatic targets.
Back in February 2023, Winter Vivern used a reflected XSS exploit to breach Zimbra portals and lift emails from NATO-aligned organizations. Then in October 2024, US and UK agencies warned that APT29 was hitting vulnerable Zimbra servers “at a mass scale.” More recently, US authorities ordered federal agencies to patch a separate Zimbra flaw abused against Ukrainian targets, where attackers harvested credentials, session tokens, and 2FA codes through phishing emails.
The fix itself is straightforward, so there is no reason to wait. Zimbra released version 10.1.19, codenamed “Daffodil,” and every affected customer should upgrade immediately.
As per the company blog:
Any customer using the Classic Web Client should upgrade to ZCS v10.1.19 as soon as possible, as this issue only impacts the users of Classic Web Client.
Administrators can follow Zimbra’s official installation guide, and those who prefer can review the source through its public code repository. Since hundreds of millions of people and countless government agencies rely on Zimbra, the software stays a prized target. Patching now closes the window before attackers start hunting for unpatched servers.
