
Zimbra CVE-2025-48700 Active Exploitation Detected by Italy CSIRT

Source: Italy CSIRT Advisories (www.csirt.gov.it)

Summary

CSIRT-ITA has issued Alert AL06/260422/CSIRT-ITA confirming active in-the-wild exploitation of CVE-2025-48700, a stored Cross-Site Scripting vulnerability in Zimbra Collaboration Suite (ZCS) with a CVSS v3.x score of 7.2 (High). The vendor had already fixed the flaw before the alert was published. It stems from insufficient sanitization of the HTML content of e-mails rendered in the Classic UI: malicious code hidden inside apparently legitimate tags and attributes (the alert cites CSS @import directives as an example) passes the filter and runs as JavaScript in the victim's browser, within that user's session, giving the attacker access to sensitive information. Affected versions are ZCS 10.1.x prior to 10.1.4, 10.0.x prior to 10.0.12, 9.x prior to 9.0.0 Patch 43, and 8.8.x prior to 8.8.15 Patch 47. The only mitigation CSIRT-ITA recommends is updating to the latest available versions.

Published by CSIRT-ITA on acn.gov.it. Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards.

About this source

GovPing monitors Italy CSIRT Advisories for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 3 changes logged to date.

What changed

CSIRT-ITA issued a Priority alert confirming active exploitation of CVE-2025-48700, a stored XSS vulnerability in the Zimbra Collaboration Suite Classic UI (CVSS v3.x 7.2). Malicious HTML in an e-mail evades sanitization through constructs such as CSS @import directives, so attacker-controlled JavaScript executes in the victim's browser within that user's session; the alert classifies the impact as information disclosure. Four ZCS branches are affected: 10.1.x prior to 10.1.4, 10.0.x prior to 10.0.12, 9.x prior to 9.0.0 Patch 43, and 8.8.x prior to 8.8.15 Patch 47.

Given the confirmed active exploitation, organizations running any affected ZCS version should treat this as an urgent patching priority: verify the current patch level (for example with zmcontrol -v), apply the latest vendor patches without delay, and monitor for signs of suspicious e-mail-based intrusion. Updating is the only mitigation the CSIRT-ITA alert gives; disabling the Classic UI or adding HTML content filtering at the mail perimeter are interim measures not stated in the alert, and they do not replace the patch.

What to do next

  1. Update ZCS to the latest available version

Archived snapshot

Apr 23, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.


Zimbra: in-the-wild exploitation of CVE-2025-48700 detected

Alert

AL06/260422/CSIRT-ITA


Summary

Active in-the-wild exploitation has been detected of vulnerability CVE-2025-48700, already fixed by the vendor, which affects Zimbra Collaboration Suite (ZCS). If exploited, this vulnerability could allow a malicious user to access sensitive information on the affected systems.

Type

  • Information Disclosure

Description and potential impacts

Exploitation has recently been detected of vulnerability CVE-2025-48700, of type "Cross-Site Scripting" and with a CVSS v3.x score of 7.2, present in the Classic UI of Zimbra Collaboration Suite (ZCS).

The vulnerability is caused by insufficient sanitization of the HTML content of e-mails displayed in the ZCS web interface. In particular, some parts of the e-mail HTML are not filtered correctly, allowing malicious code to be hidden inside apparently legitimate tags and attributes (for example via @import directives). This lets the malicious JavaScript evade the security controls and run in the browser, in the context of the victim user's session. An attacker could exploit this vulnerability by sending specially crafted HTML e-mails and obtain unauthorized access to sensitive information.
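The mechanism described above, and in the "What changed" section earlier on this page, is CSS that smuggles an external or script-bearing resource past an HTML filter that only looks for the obvious tags. The following Python script is an added example written for this page; it is not code from the CSIRT-ITA alert, from GovPing or from Zimbra, and it does not reproduce the Zimbra bypass itself. It scans an HTML mail body for CSS that pulls in remote content (@import, url(), external stylesheet links) or carries legacy script hooks, after stripping CSS comments and decoding CSS hex escapes so that `@\69mport` and `@/**/import` are treated the same as `@import`. The sample bodies are constructed for illustration and the hostname attacker.example is a placeholder. A check like this belongs in a perimeter filter or a hunt over stored mail as a triage aid; it is not a substitute for the vendor patch.

```python
import re
from html.parser import HTMLParser

# CSS constructs that load remote content or carry script hooks. @import is
# the one the CSIRT-ITA alert names; the others are the usual companions that
# a mail sanitizer must also refuse.
CSS_RISKY = re.compile(
    r"@import\b|url\s*\(|expression\s*\(|-moz-binding|javascript\s*:",
    re.IGNORECASE,
)


def normalize_css(text: str) -> str:
    """Undo the two cheapest obfuscations before pattern matching:
    CSS comments (@/**/import) and hex escapes (@\\69mport)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    text = re.sub(
        r"\\([0-9a-fA-F]{1,6})[ \t\n]?",          # \69 or "\69 " -> "i"
        lambda m: chr(min(int(m.group(1), 16), 0x10FFFF)),
        text,
    )
    return re.sub(r"\\(.)", r"\1", text)          # \( \: etc. -> literal char


def risky_css(fragment: str) -> bool:
    return CSS_RISKY.search(normalize_css(fragment)) is not None


class CssFindingCollector(HTMLParser):
    """Collects <style> bodies, style= attributes and <link href> targets.
    HTMLParser decodes entities in attribute values, so &#117;rl( is seen
    as url(, which is also what the victim's browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.in_style = False
        self.findings: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        for name, value in attrs:
            if value is None:
                continue
            if name == "style" and risky_css(value):
                self.findings.append(("style-attr", value))
            elif tag == "link" and name == "href":
                # Mail has no legitimate reason to fetch an external stylesheet.
                self.findings.append(("link-href", value))

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style and risky_css(data):
            self.findings.append(("style-block", data.strip()))


def scan_html_mail(body: str) -> list[tuple[str, str]]:
    """Return every (kind, fragment) finding in one HTML mail body."""
    p = CssFindingCollector()
    p.feed(body)
    p.close()
    return p.findings


# Constructed sample bodies (not real mail); attacker.example is a placeholder.
SAMPLES = {
    "benign": '<p style="color:#c00;font-weight:bold">Hello</p>',
    "plain_import": '<style>@import url("https://attacker.example/x.css");</style>',
    "escaped_import": r"<style>@\69mport 'https://attacker.example/y.css';</style>",
    "comment_split_import": "<style>@/**/import 'https://attacker.example/z.css';</style>",
    "entity_encoded_url": '<div style="background:&#117;rl(https://attacker.example/p)">x</div>',
    "external_link": '<link rel="stylesheet" href="https://attacker.example/w.css">',
}


def triage(samples: dict[str, str]) -> dict[str, bool]:
    """True = quarantine the message for analyst review."""
    return {name: bool(scan_html_mail(body)) for name, body in samples.items()}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        findings = scan_html_mail(body)
        print(f"{name:22} {'QUARANTINE' if findings else 'pass':10} {findings}")
```

The parser deliberately mirrors what a browser does (entity decoding in attributes, CSS escape decoding in stylesheets) rather than what a naive regex over the raw bytes would match; that gap between the filter's view and the renderer's view is exactly where sanitizer bypasses live.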

Affected products and/or versions

Zimbra Collaboration Suite (ZCS)

  • 10.1.x, versions prior to 10.1.4
  • 10.0.x, versions prior to 10.0.12
  • 9.x, versions prior to 9.0.0 Patch 43
  • 8.8.x, versions prior to 8.8.15 Patch 47

Mitigation actions

Where not already done, it is recommended to update the vulnerable products to the latest available versions.
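The affected branches listed above are fixed either by a new base release (10.1.4, 10.0.12) or by a patch level on an unchanged base version (9.0.0 Patch 43, 8.8.15 Patch 47), so comparing the three-part version number alone gives the wrong answer for the 9.x and 8.8.x branches. The following Python helper is an added example for this page and for the "Update ZCS to the latest available version" step earlier on it; it is not code from CSIRT-ITA, GovPing or Zimbra. It parses the output of zmcontrol -v and decides whether the installed build falls below the fixed threshold for its branch. The assumed output shape ("Release 8.8.15_GA_3869... FOSS edition, Patch 8.8.15_P46.") is taken from typical zmcontrol output and should be confirmed on your own server; the sample strings and their build numbers are constructed.

```python
import re

# Fix thresholds from the CSIRT-ITA alert: (branch prefix, first fixed base
# version, patch level that carries the fix when the base version is unchanged).
FIXED = (
    ((10, 1), (10, 1, 4), None),
    ((10, 0), (10, 0, 12), None),
    ((9,), (9, 0, 0), 43),
    ((8, 8), (8, 8, 15), 47),
)

# Assumed shape of `zmcontrol -v` output (verify on your own system), e.g.
#   Release 8.8.15_GA_3869.RHEL7_64_20190917004220 RHEL7_64 FOSS edition, Patch 8.8.15_P46.
#   Release 10.1.3.GA.4714.UBUNTU22.64 UBUNTU22_64 FOSS edition.
# The separators differ between 8.x/9.x ("_") and 10.x ("."), hence [._].
VERSION_RE = re.compile(r"Release\s+(\d+)[._](\d+)[._](\d+)")
PATCH_RE = re.compile(r"Patch\s+\d+[._]\d+[._]\d+_P(\d+)", re.IGNORECASE)


def parse_zmcontrol(output: str) -> tuple[tuple[int, int, int], int]:
    """Return ((major, minor, micro), patch_level); patch is 0 when none is shown."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Release x.y.z' found in zmcontrol output")
    version = tuple(int(g) for g in m.groups())
    p = PATCH_RE.search(output)
    return version, (int(p.group(1)) if p else 0)


def is_vulnerable(version, patch):
    """True/False for branches the alert covers, None for branches it does not."""
    for prefix, fixed_version, fixed_patch in FIXED:
        if version[: len(prefix)] != prefix:
            continue
        if version < fixed_version:
            return True
        if version > fixed_version:
            return False
        # Same base version: only the patch level tells fixed from unfixed.
        return fixed_patch is not None and patch < fixed_patch
    return None


def assess(output: str) -> str:
    """One-line verdict for a zmcontrol -v output string."""
    version, patch = parse_zmcontrol(output)
    state = is_vulnerable(version, patch)
    label = ".".join(map(str, version)) + (f" P{patch}" if patch else "")
    if state is None:
        return f"{label}: branch not listed in AL06/260422/CSIRT-ITA, check the vendor advisory"
    return f"{label}: {'VULNERABLE, update now' if state else 'at or above the fixed level'}"


# Constructed sample outputs, one per affected branch plus boundary cases.
SAMPLE_OUTPUTS = [
    "Release 8.8.15_GA_3869.RHEL7_64_20190917004220 RHEL7_64 FOSS edition, Patch 8.8.15_P46.",
    "Release 8.8.15_GA_3869.RHEL7_64_20190917004220 RHEL7_64 FOSS edition, Patch 8.8.15_P47.",
    "Release 9.0.0_GA_4532.UBUNTU20_64_20210901184302 UBUNTU20_64 FOSS edition, Patch 9.0.0_P42.",
    "Release 10.0.11.GA.4698.UBUNTU22.64 UBUNTU22_64 FOSS edition.",
    "Release 10.1.4.GA.4771.UBUNTU22.64 UBUNTU22_64 FOSS edition.",
]

if __name__ == "__main__":
    for line in SAMPLE_OUTPUTS:
        print(assess(line))
```

Run it against the real output of zmcontrol -v on each mailbox and proxy node; a fleet where the base version matches but the patch level lags is the case that a plain version-string comparison misses.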

CVE (1)

| CVE | POC | EXPLOITATION |
| --- | --- | --- |
| CVE-2025-48700 | - | Present |

References (2)

  1. https://wiki.zimbra.com/wiki/Security_Center
  2. https://wiki.zimbra.com/wiki/ZimbraSecurityAdvisories

Change log

| Version | Notes | Date |
| --- | --- | --- |
| 1.0 | Published on 22-04-2026 | 22/04/2026 |

Systemic impact

High (70.64)


Publication date

22/04/26 at 16:02

Last updated

22/04/26 at 16:02


About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CSIRT-ITA.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency
CSIRT-ITA
Published
April 22nd, 2026
Instrument
Guidance
Branch
Executive
Source language
it
Legal weight
Non-binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Organizations using ZCS; technology companies; government agencies
Industry sector
5112 Software & Technology
Activity scope
Email server patching; vulnerability remediation; information security
Geographic scope
IT

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF
Topics
Data Privacy; Consumer Protection
