A crucial XSS vulnerability, CVE-2024-27443, in Zimbra Collaboration Suite’s CalendarInvite characteristic is actively being exploited, probably by the Sednit hacking group. Find out how this flaw permits attackers to compromise consumer periods and why speedy patching is essential.
A brand new safety weak spot has been found within the Zimbra Collaboration Suite (ZCS), a preferred electronic mail and collaboration platform. This subject, categorised as CVE-2024-27443, is a kind of cross-site scripting (XSS) flaw that would permit attackers to steal info or take management of consumer accounts.
How the Flaw Works
The issue lies particularly throughout the CalendarInvite characteristic of Zimbra’s Basic Net Shopper interface. It occurs as a result of the system doesn’t correctly verify incoming info within the Calendar header of emails.
This oversight creates a gap for a saved XSS assault. This implies an attacker can embed dangerous code right into a specifically designed electronic mail. When a consumer opens this electronic mail utilizing the basic Zimbra interface, the malicious code runs robotically inside their net browser, giving the attacker entry to their session. The severity of this vulnerability is rated as medium, with a CVSS rating of 6.1. It impacts ZCS variations 9.0 (patches 1-38) and 10.0 (as much as 10.0.6).
Widespread Publicity and Lively Exploitation
In response to Censys, a cybersecurity insights agency, as of Thursday, Could 22, 2025, when the unique report was revealed, a big variety of Zimbra Collaboration Suite cases had been uncovered on-line that may very well be weak.
Censys noticed a complete of 129,131 probably weak ZCS cases globally, with most present in North America, Europe, and Asia. A big majority of those are hosted inside cloud providers. Moreover, 33,614 on-premises Zimbra hosts had been recognized, usually linked to shared infrastructure.
The vulnerability was formally added to CISA’s Identified Exploited Vulnerabilities (KEV) catalogue on Could 19, 2025, confirming it’s actively being utilized by attackers.
Doable Perpetrator?
Safety researchers from ESET have prompt {that a} well-known hacking group, Sednit (PDF) (AKA APT28 or Fancy Bear), could be concerned in exploiting it. ESET’s researchers suspect that the Sednit group may very well be exploiting this flaw as half of a bigger scheme referred to as Operation RoundPress, which goals to steal login particulars and keep entry to webmail platforms. Whereas there’s at the moment no public proof-of-concept (PoC) exploit, the energetic exploitation highlights the urgency for customers to take motion.
Patching and Mitigation
The excellent news is that patches can be found for this vulnerability. Zimbra has addressed the problem in ZCS model 10.0.7 and 9.0.0 Patch 39. Customers are strongly suggested to replace their Zimbra Collaboration Suite to those patched variations instantly to guard towards potential assaults.
