Zimbra 10.1.16 Security Update Patches XSS, XXE, and Authenticated LDAP Injection
Zimbra released version 10.1.16 with a strong recommendation that administrators upgrade immediately, citing high-severity issues and deployment risk. The update addresses multiple injection-class vulnerabilities affecting the collaboration suite, including cross-site scripting (XSS) in Webmail and Briefcase that could enable session hijacking and data theft via malicious script injection in a user’s browser.
The release also patches an XML External Entity (XXE) flaw in the EWS SOAP endpoint, which could potentially be abused for local file disclosure, denial-of-service conditions, or SSRF depending on environment and parser behavior, and fixes an authenticated LDAP injection issue where insufficient sanitization could allow a logged-in user to manipulate LDAP queries to access or influence directory data. In addition to these targeted fixes, Zimbra reports broader hardening such as stronger CSRF protections through improved token validation, alongside other security-related stability adjustments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Zimbra 10.1.16 fixes XSS, XXE, LDAP injection, and CSRF issues
The 10.1.16 release patched multiple security flaws, including XSS in Webmail and Briefcase, an XXE issue in the EWS SOAP endpoint, and an authenticated LDAP injection vulnerability. It also strengthened CSRF protections through improved token validation and included related hardening changes.
Zimbra releases version 10.1.16 security update
On February 4, 2026, Zimbra released Zimbra Collaboration 10.1.16 and urged administrators to upgrade promptly. The update was described as a significant or high-severity release with high deployment risk.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Zimbra Emergency Patch for Critical SSRF Vulnerability in Chat Proxy Configuration
Zimbra released an emergency patch to address a critical Server-Side Request Forgery (SSRF) vulnerability affecting the chat proxy configuration in its Daffodil product. The vulnerability was identified in versions of Zimbra Daffodil prior to v10.1.12, prompting immediate action from the vendor. Security advisories highlighted the potential for attackers to exploit this flaw, which could allow unauthorized access to internal resources or sensitive information by manipulating the chat proxy configuration. The Canadian Centre for Cyber Security issued an alert (AV25-678) urging users and administrators to review the official Zimbra advisory and apply the necessary updates without delay. The emergency patch, included in Zimbra Daffodil version 10.1.12, was made available to mitigate the risk associated with this vulnerability. The flaw's critical nature raised concerns about the potential for remote exploitation, especially in environments where Zimbra's chat functionality is exposed to untrusted networks. Organizations relying on Zimbra for email and collaboration services were advised to prioritize patch deployment to prevent possible compromise. The vulnerability's disclosure and rapid patch release underscore the importance of timely vulnerability management in enterprise environments. Security experts noted that SSRF vulnerabilities can be leveraged to bypass network restrictions, access internal services, or facilitate further attacks. The Zimbra advisory provided technical details and guidance for administrators to verify successful patch application. No reports of active exploitation were mentioned at the time of the advisory, but the urgency of the patch suggests a high risk of exploitation if left unaddressed. The incident highlights the ongoing challenges faced by software vendors in securing complex collaboration platforms. Zimbra's response included not only the patch but also recommendations for monitoring and additional security best practices. The Cyber Centre's involvement reflects the vulnerability's significance for Canadian organizations and the broader global user base. Administrators were reminded to review their systems for signs of compromise and to ensure all relevant updates are applied promptly. The event serves as a reminder of the critical role of coordinated disclosure and rapid response in minimizing the impact of software vulnerabilities.
Mar 21, 2026
Actively Exploited Zimbra XSS Leaves Over 10,000 Servers Exposed
More than 10,000 internet-exposed **Zimbra Collaboration Suite** servers remain vulnerable to `CVE-2025-48700`, an actively exploited cross-site scripting flaw that affects ZCS versions `8.8.15`, `9.0`, `10.0`, and `10.1`. The bug lets unauthenticated attackers execute arbitrary JavaScript in a victim’s session and steal sensitive data when a user opens a malicious email in the **Zimbra Classic UI**. Synacor released patches in June 2025, but Shadowserver still reported roughly **10,500** exposed unpatched systems, with the largest concentrations in Asia and Europe. **CISA** has added `CVE-2025-48700` to its **Known Exploited Vulnerabilities** catalog and ordered Federal Civilian Executive Branch agencies to secure affected servers within days because the flaw is being abused in the wild. The warning follows a broader pattern of Zimbra vulnerabilities being used in espionage-focused campaigns, with reporting linking earlier exploitation of similar flaws to Russian-aligned groups including **APT28**, **APT29**, and **Winter Vivern** against Ukrainian entities, NATO-aligned organizations, and other targets.
Apr 28, 2026
Zimbra Webmail Classic UI Local File Inclusion Vulnerability
A high-severity Local File Inclusion (LFI) vulnerability has been identified in the Webmail Classic UI of *Zimbra Collaboration Suite* (ZCS) versions 10.0 and 10.1. The flaw, tracked as `CVE-2025-68645`, arises from improper handling of user-supplied request parameters in the `RestFilter` servlet, allowing unauthenticated remote attackers to craft requests to the `/h/rest` endpoint and include arbitrary files from the WebRoot directory. This vulnerability exposes internal files to attackers, potentially leading to the disclosure of sensitive information and further compromise of affected Zimbra installations. Security researchers have highlighted the risk that this LFI vulnerability poses, as it can be exploited without authentication and may serve as a stepping stone for more advanced attacks. Organizations using Zimbra Collaboration Suite are urged to review their deployments and apply any available patches or mitigations to prevent exploitation. The vulnerability has been assigned a CVSS 3.1 score of 8.8, reflecting its high impact and ease of exploitation.
Mar 21, 2026