Google TAG Finds Critical Stored XSS in Zimbra Classic Web Client

Google's Threat Analysis Group found a critical stored XSS flaw in the Zimbra Classic Web Client that allows mailbox takeover via a single crafted email.
Table of Contents
    Add a header to begin generating the table of contents

    Google’s Threat Analysis Group discovered and reported a critical stored cross-site scripting vulnerability in the Zimbra Classic Web Client that allows an attacker to execute malicious code in a victim’s browser simply by sending a specially crafted email. Zimbra released a patch in version 10.1.19 and urged immediate upgrades, citing the vulnerability’s potential to expose mailbox contents, session tokens, and account settings — and noting that prior Zimbra vulnerabilities have been exploited by Russian APT groups targeting government and enterprise email infrastructure.

    The Zimbra Classic Web Client XSS: Crafted Email Triggers In-Browser Code Execution

    The vulnerability is a stored cross-site scripting flaw — a class of injection where malicious script is written to a server and then executed in the browsers of users who access the affected content. In this case, the attack vector is email: an attacker sends a specially crafted message to a victim who uses Zimbra’s Classic Web Client interface. When the victim opens the email in that interface, the malicious code embedded in the message executes within the victim’s active browser session.

    How the Zimbra Classic Web Client XSS Delivers Attacker Code via a Crafted Email

    No user interaction beyond opening the email is required to trigger code execution. The Classic Web Client renders the malicious content without stripping or escaping the attacker-controlled script, allowing arbitrary JavaScript to run in the context of the victim’s authenticated Zimbra session. The attack does not require the victim to click a link, download an attachment, or take any action beyond reading their email in the Classic UI. Delivery is therefore indistinguishable from receiving legitimate correspondence, and the attack completes silently during normal email access.

    No CVE identifier had been assigned to this vulnerability at the time of publication.

    Mailbox Contents, Session Tokens, and Account Settings at Risk in Pre-10.1.19 Versions

    Data accessible through the victim’s Zimbra session is at risk once code executes: mailbox contents including emails, attachments, and contacts; session tokens that allow the attacker to maintain access or pivot to other authenticated services; and account settings including forwarding rules and delegation configurations that an attacker could modify to maintain persistent access after the initial session ends. An attacker who captures a session token via XSS does not need the victim’s password; they can use the token directly to authenticate as the victim from a different machine. Affected versions are all Zimbra Collaboration Suite releases prior to 10.1.19.

    Google TAG’s Involvement and Zimbra’s History of APT Exploitation

    Google’s Threat Analysis Group focuses on identifying and disrupting government-backed threat actors and high-severity vulnerabilities with state-level exploitation potential. TAG’s discovery and reporting of this vulnerability signals that the team assessed the flaw as posing elevated risk beyond typical vulnerability research — consistent with the group’s mandate to prioritize threats associated with state-sponsored attackers.

    Prior Zimbra CVEs Exploited by APT Groups Targeting Government Email Infrastructure

    Zimbra has a documented history of prior vulnerabilities being exploited in real-world campaigns. CVE-2025-66376, CVE-2025-68645, and CVE-2020-7796 have been attributed to Russian APT groups targeting Ukrainian government organizations in campaigns that used email vulnerabilities to access sensitive communications. This history makes the newly patched XSS flaw a high-priority remediation target for government agencies and enterprises in regions associated with Russian-backed cyber operations — including NATO member states and countries in Eastern Europe — where Zimbra installations are common in government and enterprise email infrastructure.

    Zimbra strongly urged immediate patching at the time of the 10.1.19 release. The company stated no active exploitation of this specific vulnerability had been documented at the time of publication, but the combination of Google TAG’s involvement and Zimbra’s prior exploitation history makes the discovery window between vulnerability existence and active exploitation a critical interval for defenders.

    Urgency for Organizations Running the Classic Web Client

    Not all Zimbra users access email through the Classic Web Client — newer interface versions exist — but organizations that have not transitioned away from the Classic UI and are running any version before 10.1.19 remain exposed. The attack requires no special access, no previously compromised credential, and no network positioning beyond the ability to send email to a target. Any external party who knows a victim’s Zimbra email address can initiate the attack by composing and sending the crafted email.

    Upgrading to version 10.1.19 is the only complete remediation. Organizations that cannot immediately upgrade should assess whether the Classic Web Client can be disabled for users pending the patch deployment, reducing the exposed attack surface while the upgrade is planned.

    Related Posts