Over 10,000 Zimbra Collaboration Suite instances remain exposed and vulnerable to active exploitation of a cross-site scripting flaw tracked as CVE-2025-48700, Shadowserver warns. CISA has added the vulnerability to its KEV catalog and ordered federal agencies to patch, while past XSS exploits by APT28 and APT29 show the issue is being abused in targeted phishing and mass intrusions.
Key points
- Shadowserver reports over 10,500 unpatched Zimbra servers exposed online.
- CVE-2025-48700 is a cross-site scripting flaw that allows unauthenticated attackers to execute JavaScript and steal sensitive data.
- Synacor released patches in June 2025, but most exposed instances—especially in Asia and Europe—remain unpatched.
- CISA added the vulnerability to its Known Exploited Vulnerabilities catalog and ordered federal agencies to remediate within three days.
- State-backed actors such as APT28 and APT29 have previously exploited Zimbra XSS bugs in phishing campaigns and large-scale espionage.