Critical Zimbra XSS flaw lets attackers run code via email in healthcare deployments

Zimbra has urged customers to patch a critical stored XSS vulnerability in the Classic Web Client that could let attackers execute code via crafted emails.

MRAdmin
By
2 Min Read

Zimbra has urged customers to immediately apply updates addressing a critical stored cross-site scripting (XSS) vulnerability in the Zimbra Classic Web Client that could allow attackers to execute arbitrary code in user sessions via crafted email messages. The flaw, which affects widely deployed versions of the email and collaboration platform, poses significant risk to healthcare organizations that rely on Zimbra for internal and patient communications.

Technical details

The vulnerability (not yet assigned a CVE at publication) involves a stored XSS vector in the Classic Web Client interface. An attacker can send a specially crafted email containing malicious JavaScript that executes when the recipient views the message in their web browser. This can lead to session hijacking, credential theft, account takeover, and lateral movement within the organization’s email infrastructure. Previous Zimbra XSS vulnerabilities including CVE-2023-37580 and CVE-2025-27915 have been actively exploited by threat actors targeting the healthcare sector.

Healthcare risk

Zimbra is a popular email platform among hospitals, health systems, and clinics due to its open-source core and cost-effective deployment model. Healthcare organizations are particularly vulnerable to email-based attacks because:

  • Clinical staff frequently open emails from unknown senders (patient referrals, lab results, specialist consults)
  • Many healthcare Zimbra deployments run legacy versions without timely patch management
  • Compromised email accounts can expose PHI, appointment schedules, and internal clinical communications
  • Email session hijacking can enable ransomware deployment through trusted internal channels

Healthcare CISOs should verify Zimbra version numbers against the latest security patch, enable Content Security Policy (CSP) headers as a compensating control, restrict Classic Web Client access where modern Zimbra Web Client is available, and audit email accounts for signs of unauthorized access. The HHS HC3 has previously issued sector alerts on Zimbra exploitation against healthcare organizations.

Share This Article
Leave a Comment

Leave a Reply

Your email address will not be published. Required fields are marked *