Zimbra Emergency Patch for Critical SSRF Vulnerability in Chat Proxy Configuration
Zimbra released an emergency patch to address a critical Server-Side Request Forgery (SSRF) vulnerability affecting the chat proxy configuration in its Daffodil product. The vulnerability was identified in versions of Zimbra Daffodil prior to v10.1.12, prompting immediate action from the vendor. Security advisories highlighted the potential for attackers to exploit this flaw, which could allow unauthorized access to internal resources or sensitive information by manipulating the chat proxy configuration. The Canadian Centre for Cyber Security issued an alert (AV25-678) urging users and administrators to review the official Zimbra advisory and apply the necessary updates without delay. The emergency patch, included in Zimbra Daffodil version 10.1.12, was made available to mitigate the risk associated with this vulnerability. The flaw's critical nature raised concerns about the potential for remote exploitation, especially in environments where Zimbra's chat functionality is exposed to untrusted networks. Organizations relying on Zimbra for email and collaboration services were advised to prioritize patch deployment to prevent possible compromise. The vulnerability's disclosure and rapid patch release underscore the importance of timely vulnerability management in enterprise environments. Security experts noted that SSRF vulnerabilities can be leveraged to bypass network restrictions, access internal services, or facilitate further attacks. The Zimbra advisory provided technical details and guidance for administrators to verify successful patch application. No reports of active exploitation were mentioned at the time of the advisory, but the urgency of the patch suggests a high risk of exploitation if left unaddressed. The incident highlights the ongoing challenges faced by software vendors in securing complex collaboration platforms. Zimbra's response included not only the patch but also recommendations for monitoring and additional security best practices. The Cyber Centre's involvement reflects the vulnerability's significance for Canadian organizations and the broader global user base. Administrators were reminded to review their systems for signs of compromise and to ensure all relevant updates are applied promptly. The event serves as a reminder of the critical role of coordinated disclosure and rapid response in minimizing the impact of software vulnerabilities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Canadian Centre for Cyber Security publishes Zimbra advisory AV25-678
The Canadian Centre for Cyber Security released advisory AV25-678 to alert organizations about the Zimbra vulnerability and associated security update. The advisory amplified official guidance for defenders to review and apply mitigations.
Zimbra releases emergency patch for critical chat proxy SSRF flaw
Zimbra issued an emergency security update to address a critical server-side request forgery vulnerability in its chat proxy configuration. The flaw was publicly documented in security advisories published the same day.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Zimbra 10.1.16 Security Update Patches XSS, XXE, and Authenticated LDAP Injection
Zimbra released **version 10.1.16** with a strong recommendation that administrators upgrade immediately, citing high-severity issues and deployment risk. The update addresses multiple injection-class vulnerabilities affecting the collaboration suite, including **cross-site scripting (XSS)** in *Webmail* and *Briefcase* that could enable session hijacking and data theft via malicious script injection in a user’s browser. The release also patches an **XML External Entity (XXE)** flaw in the **EWS SOAP endpoint**, which could potentially be abused for local file disclosure, denial-of-service conditions, or **SSRF** depending on environment and parser behavior, and fixes an **authenticated LDAP injection** issue where insufficient sanitization could allow a logged-in user to manipulate LDAP queries to access or influence directory data. In addition to these targeted fixes, Zimbra reports broader hardening such as **stronger CSRF protections** through improved token validation, alongside other security-related stability adjustments.
Mar 21, 2026
Actively Exploited Zimbra XSS Leaves Over 10,000 Servers Exposed
More than 10,000 internet-exposed **Zimbra Collaboration Suite** servers remain vulnerable to `CVE-2025-48700`, an actively exploited cross-site scripting flaw that affects ZCS versions `8.8.15`, `9.0`, `10.0`, and `10.1`. The bug lets unauthenticated attackers execute arbitrary JavaScript in a victim’s session and steal sensitive data when a user opens a malicious email in the **Zimbra Classic UI**. Synacor released patches in June 2025, but Shadowserver still reported roughly **10,500** exposed unpatched systems, with the largest concentrations in Asia and Europe. **CISA** has added `CVE-2025-48700` to its **Known Exploited Vulnerabilities** catalog and ordered Federal Civilian Executive Branch agencies to secure affected servers within days because the flaw is being abused in the wild. The warning follows a broader pattern of Zimbra vulnerabilities being used in espionage-focused campaigns, with reporting linking earlier exploitation of similar flaws to Russian-aligned groups including **APT28**, **APT29**, and **Winter Vivern** against Ukrainian entities, NATO-aligned organizations, and other targets.
Apr 28, 2026
Zimbra Zero-Day Exploited via Malicious ICS Files Targeting Brazilian Military
A critical security vulnerability in Zimbra Collaboration Suite, tracked as CVE-2025-27915, was exploited as a zero-day in targeted cyberattacks against the Brazilian military. The flaw, a stored cross-site scripting (XSS) vulnerability in the Classic Web Client, resulted from insufficient sanitization of HTML content in ICS (iCalendar) calendar files. Attackers leveraged this vulnerability by sending malicious ICS files embedded with JavaScript code, which executed when a user viewed an email containing the crafted calendar entry. The JavaScript payload enabled arbitrary code execution within the victim's session, allowing attackers to perform unauthorized actions such as setting email filters to redirect messages to attacker-controlled addresses. This facilitated data exfiltration, including the theft of credentials, emails, contacts, and shared folders from compromised Zimbra accounts. The malicious campaign involved threat actors spoofing the Libyan Navy's Office of Protocol to deliver the exploit to Brazilian military targets. The ICS files used in the attack were notably large and contained obfuscated JavaScript, often encoded in Base64 to evade detection. The payload was designed to operate asynchronously and utilized Immediately Invoked Function Expressions (IIFEs) for execution. Researchers at StrikeReady Labs discovered the attack by monitoring for unusually large ICS attachments containing JavaScript. The campaign began at the start of January 2025, prior to Zimbra releasing patches for the vulnerability. Zimbra addressed the issue in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5, released on January 27, 2025, but did not initially disclose that the vulnerability had been exploited in the wild. The attack also included mechanisms to hide certain user interface elements, further reducing the likelihood of detection by end users. The malicious script searched for emails in specific folders and added filter rules named "Correo" to forward messages to a ProtonMail address controlled by the attackers. The exfiltrated data was sent to an external server, ffrk[.]net, under the attackers' control. The exploitation of this vulnerability highlights the risks associated with insufficient input sanitization in webmail platforms and the effectiveness of social engineering tactics, such as spoofing trusted entities. The incident underscores the importance of timely patching and monitoring for anomalous file attachments in email systems. Security researchers recommend organizations using Zimbra Collaboration Suite apply the latest patches and review email filtering rules for signs of compromise. The attack demonstrates the evolving sophistication of threat actors in leveraging zero-day vulnerabilities for targeted espionage campaigns against high-value organizations.
Mar 21, 2026