Zimbra Patches Critical Webmail Flaw That Lets Booby-Trapped Emails Run Code
A stored cross-site scripting bug in Zimbra's Classic Web Client can hijack a user's session the moment a rigged email is opened.

Key points
- Zimbra has issued urgent patches for a critical flaw in its Classic Web Client that lets a specially crafted email run malicious code inside a user's browser session.
- The bug is a stored cross-site scripting issue, meaning the harmful code sits inside the email itself and fires when the message is viewed.
- No CVE identifier has been assigned yet, and Zimbra has not publicly named who reported the flaw or whether it has been used in attacks.
- Zimbra is a widely deployed email and collaboration platform used by governments, universities and businesses, groups that have been repeatedly targeted in past Zimbra campaigns.
- Administrators are being told to update immediately and, where possible, move users to the newer Modern Web Client.
Zimbra is telling customers to patch a serious flaw in its webmail software, and to do it quickly.
The bug sits in the Classic Web Client, the older browser interface many organisations still use to read email through Zimbra. A rigged message can slip malicious code into that interface. When a user opens the email, the code runs inside their logged-in session.
In plain terms: reading the wrong email could be enough to hand an attacker the keys to your mailbox.
What kind of bug is this?
It is a stored cross-site scripting flaw, usually shortened to XSS. That is a class of bug where an attacker hides web code (typically JavaScript) inside content that a trusted site later shows back to a user. The browser cannot tell the smuggled code apart from the site's own code, so it runs it.
"Stored" means the payload lives on the server, in this case tucked inside a delivered email, waiting to fire every time someone opens it. No dodgy link to click. No attachment to download. Just opening the message is enough.
Once that code runs, it acts as the victim. It can read mail, forward messages, change settings, or quietly steal the session token that keeps the user signed in.
Should ordinary users be worried?
If your employer runs Zimbra, the risk sits mostly with your IT team, and their job right now is to install the update. There is nothing a normal user can meaningfully do at the inbox level to block a flaw like this, because the trap triggers on view.
If you administer a Zimbra server, apply the fix from Zimbra's advisory as soon as your change window allows. Where feasible, shift users off the Classic Web Client to the Modern Web Client, which does not share the same code path.
The flaw has not yet been assigned a CVE identifier, the standard reference number the industry uses to track vulnerabilities. That will likely follow in the coming days.
Who tends to attack Zimbra?
Zimbra has a long, unhappy history as a target. Espionage crews tracked by Google's Threat Analysis Group and by ESET as Winter Vivern, along with clusters linked to Russian and Belarusian interests, have repeatedly chained Zimbra XSS bugs to steal diplomatic and government mail. The 2023 flaw CVE-2023-37580 was hit by at least four separate groups before it was even patched, according to Google.
That pattern matters. XSS bugs in webmail are not theoretical. They get weaponised fast, and the targets are usually ministries, NGOs and universities rather than random businesses.
Attribution here should stay cautious. As of writing there is no public reporting, including from The Hacker News which first flagged the advisory, tying this specific bug to a named group or an in-the-wild campaign. Capability to exploit stored XSS in Zimbra is broadly available. Intent, in any given case, is a separate question.
Expect proof-of-concept code to appear soon after the CVE is published. Patch before then.



