News Summary:
On April 24, 2026, security researchers confirmed that more than 10,000 Zimbra Collaboration Suite (ZCS) instances remained exposed online and vulnerable to active exploitation of a critical cross-site scripting (XSS) flaw, CVE-2025-48700. This followed the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding a critical ZCS vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on March 19, 2026, citing confirmed in-the-wild abuse and setting an April 1, 2026, remediation deadline for federal agencies. CISA had previously mandated emergency patching for federal agencies on March 17, 2026, for a high-severity ZCS XSS vulnerability, CVE-2025-66376, which it added to its KEV catalog on March 18, 2026, again giving government organizations until April 1 to implement fixes. Earlier, on January 2, 2026, the Federal Office for Information Security (BSI) updated a security warning for Synacor Zimbra, originally published December 22, 2025, noting multiple vulnerabilities affecting Linux and UNIX operating systems. CISA had first issued an urgent alert on October 9, 2025, concerning an actively exploited zero-day XSS vulnerability, CVE-2025-27915, affecting the ZCS Classic Web Client.