Zimbra has urged customers to immediately apply updates addressing a critical stored cross-site scripting (XSS) vulnerability in the Zimbra Classic Web Client that could allow attackers to execute arbitrary code in user sessions via crafted email messages. The flaw, which affects widely deployed versions of the email and collaboration platform, poses significant risk to healthcare organizations that rely on Zimbra for internal and patient communications.
Technical details
The vulnerability (not yet assigned a CVE at publication) involves a stored XSS vector in the Classic Web Client interface. An attacker can send a specially crafted email containing malicious JavaScript that executes when the recipient views the message in their web browser. This can lead to session hijacking, credential theft, account takeover, and lateral movement within the organization’s email infrastructure. Previous Zimbra XSS vulnerabilities including CVE-2023-37580 and CVE-2025-27915 have been actively exploited by threat actors targeting the healthcare sector.
Healthcare risk
Zimbra is a popular email platform among hospitals, health systems, and clinics due to its open-source core and cost-effective deployment model. Healthcare organizations are particularly vulnerable to email-based attacks because:
- Clinical staff frequently open emails from unknown senders (patient referrals, lab results, specialist consults)
- Many healthcare Zimbra deployments run legacy versions without timely patch management
- Compromised email accounts can expose PHI, appointment schedules, and internal clinical communications
- Email session hijacking can enable ransomware deployment through trusted internal channels
Recommended actions
Healthcare CISOs should verify Zimbra version numbers against the latest security patch, enable Content Security Policy (CSP) headers as a compensating control, restrict Classic Web Client access where modern Zimbra Web Client is available, and audit email accounts for signs of unauthorized access. The HHS HC3 has previously issued sector alerts on Zimbra exploitation against healthcare organizations.
