A essential XSS vulnerability, CVE-2024-27443, in Zimbra Collaboration Suite’s CalendarInvite function is actively being exploited, probably by the Sednit hacking group. Find out how this flaw permits attackers to compromise consumer classes and why instant patching is essential.
A brand new safety weak point has been found within the Zimbra Collaboration Suite (ZCS), a preferred e mail and collaboration platform. This difficulty, categorized as CVE-2024-27443, is a sort of cross-site scripting (XSS) flaw that would permit attackers to steal info or take management of consumer accounts.
How the Flaw Works
The issue lies particularly throughout the CalendarInvite function of Zimbra’s Traditional Net Consumer interface. It occurs as a result of the system doesn’t correctly verify incoming info within the Calendar header of emails.
This oversight creates a gap for a saved XSS assault. This implies an attacker can embed dangerous code right into a specifically designed e mail. When a consumer opens this e mail utilizing the basic Zimbra interface, the malicious code runs mechanically inside their internet browser, giving the attacker entry to their session. The severity of this vulnerability is rated as medium, with a CVSS rating of 6.1. It impacts ZCS variations 9.0 (patches 1-38) and 10.0 (as much as 10.0.6).
Widespread Publicity and Lively Exploitation
In accordance with Censys, a cybersecurity insights agency, as of Thursday, Might 22, 2025, when the unique report was printed, a major variety of Zimbra Collaboration Suite situations have been uncovered on-line that might be susceptible.
Censys noticed a complete of 129,131 probably susceptible ZCS situations globally, with most present in North America, Europe, and Asia. A big majority of those are hosted inside cloud providers. Moreover, 33,614 on-premises Zimbra hosts have been recognized, usually linked to shared infrastructure.
The vulnerability was formally added to CISA’s Recognized Exploited Vulnerabilities (KEV) catalogue on Might 19, 2025, confirming it’s actively being utilized by attackers.
Attainable Perpetrator?
Safety researchers from ESET have recommended {that a} well-known hacking group, Sednit (PDF) (AKA APT28 or Fancy Bear), is perhaps concerned in exploiting it. ESET’s researchers suspect that the Sednit group might be exploiting this flaw as half of a bigger scheme referred to as Operation RoundPress, which goals to steal login particulars and preserve entry to webmail platforms. Whereas there’s at present no public proof-of-concept (PoC) exploit, the lively exploitation highlights the urgency for customers to take motion.
Patching and Mitigation
The excellent news is that patches can be found for this vulnerability. Zimbra has addressed the problem in ZCS model 10.0.7 and 9.0.0 Patch 39. Customers are strongly suggested to replace their Zimbra Collaboration Suite to those patched variations instantly to guard towards potential assaults.
