Zimbra has released Collaboration Suite (ZCS) version 10.1.19 — available since July 8, 2026 — to fix a critical stored cross-site scripting (XSS) vulnerability in the Classic Web Client, the Ajax-based webmail interface used by millions of self-hosted Zimbra deployments. Discovered and reported by Google’s Threat Analysis Group (TAG), the flaw allows an attacker to embed malicious JavaScript inside a crafted email that executes silently in the victim’s browser the moment they open or preview the message – no clicks, no attachments, no interaction beyond reading the email. No CVE has been assigned yet. Because Russian state-sponsored groups including Winter Vivern, APT28, and APT29 have a documented track record of weaponizing every major Zimbra XSS flaw discovered over the past three years, administrators running any version of ZCS prior to 10.1.19 should treat this as a priority-one emergency patch.
What the Vulnerability Is
The flaw is a stored XSS — meaning the attacker’s payload is embedded inside a malicious email, delivered to the target’s server, and stored in their mailbox. When a logged-in Zimbra user opens or previews the message in the Classic Web Client (also called the Ajax client), the malicious JavaScript executes inside their authenticated browser session.
The attack path requires nothing beyond the ability to send email:
- Attacker crafts a message containing a malicious JavaScript payload hidden in the email body or headers
- Attacker sends it to any recipient whose Zimbra server runs the Classic Web Client
- Zimbra stores the email on the target’s mail server
- Target opens or previews the email in the Classic Web Client
- The browser executes the attacker’s JavaScript in the context of the victim’s active, authenticated Zimbra session
The Classic Web Client (Ajax interface) is the default webmail interface in ZCS and is distinct from the newer “Modern” UI. Many enterprise deployments explicitly enable or default to the Classic client for compatibility with older browsers or custom extensions.
Because the payload is served from the victim’s own mail server — a trusted, authenticated domain — browser security controls like same-origin policy provide zero protection here. The script runs with full session privileges.
Why It Matters
This flaw was reported by Google’s Threat Analysis Group (TAG). TAG is the team inside Google that tracks and investigates state-sponsored hacking groups and zero-day exploits actively used in nation-state espionage campaigns. When TAG finds and discloses a vulnerability, it signals that the underlying attack technique is either already in active use by advanced threat actors or has been flagged as high-priority for near-term exploitation.
Zimbra’s history with XSS attacks makes that context especially alarming:
- February 2023: Russian-backed Winter Vivern exploited a reflected XSS vulnerability in Zimbra webmail portals used by NATO-member governments, successfully stealing sensitive diplomatic emails belonging to NATO officials, diplomats, and Ukrainian government personnel.
- October 2024: APT29 (Midnight Blizzard / Cozy Bear, linked to Russia’s SVR foreign intelligence service) targeted vulnerable Zimbra mail servers “at mass scale” as part of ongoing diplomatic espionage campaigns.
- 2025: APT28 (Fancy Bear / GRU) exploited a previous Zimbra XSS — CVE-2025-66376 — to breach email servers at Ukrainian government agencies.
The pattern is clear: every significant Zimbra XSS discovered over the past three years has been weaponized by Russian state-sponsored threat actors for credential theft, government email exfiltration, and intelligence collection. TAG’s involvement in finding this flaw means it is almost certainly already on the radar of the same groups.
A successful exploit can silently:
- Steal session cookies and tokens, giving the attacker persistent access to the victim’s mailbox from anywhere in the world, even after the victim changes their password
- Exfiltrate the full contents of the victim’s inbox, sent items, and attachments
- Modify account settings, add email forwarding rules, or access calendar and contacts data
- Pivot to other internal systems if the Zimbra session is used for single sign-on (SSO) or if the stolen credentials are reused elsewhere
Am I Affected?
You are likely affected if all of the following are true:
- You run Zimbra Collaboration Suite (ZCS) on your own server (not Zimbra’s cloud-hosted SaaS)
- The Classic Web Client (Ajax interface) is enabled – this is the default for most self-hosted deployments
- Your ZCS version is 10.1.18 or earlier, 10.0.x, 9.0.x, or 8.8.15.x
Check your version from the command line:
su - zimbra
zmcontrol -v
Or check the Zimbra Admin Console: Home → About Zimbra Collaboration.
If your output shows any version prior to 10.1.19, your Classic Web Client is vulnerable.
What to Do About It: Step-by-Step
For ZCS 10.1.x users (recommended upgrade path)
1. Log in to your Zimbra server as the system user (not the zimbra OS user directly).
2. Back up your configuration before touching anything:
# Recommended: snapshot your VM or back up /opt/zimbra before patching
su - zimbra -c "zmcontrol status"
3. Apply the patch packages via Zimbra’s official patch repository or patch installer. The two specific packages updated in 10.1.19 are:
zimbra-patch→ version10.1.19.1783177840-2zimbra-mbox-webclient-war→ version10.1.19.1783175257-1
4. Follow the official patch release steps documented at Patch Release Update — Zimbra 10.1.19.
5. Restart Zimbra after patching:
su - zimbra -c "zmcontrol restart"
6. Verify the new version:
su - zimbra -c "zmcontrol -v"
Confirm the output shows 10.1.19.
For ZCS 10.0.x, 9.0.x, or 8.8.15 users
These older branches require both a branch-appropriate upgrade and re-application of the SNMP mitigation. Zimbra’s wiki release notes for 10.1.19 include instructions for these branches: Zimbra Releases/10.1.19.
Zimbra strongly recommends migrating to the 10.1.x line, as older branches are approaching end-of-life and may not receive continued security updates.
Temporary mitigation (if immediate patching is impossible)
If you cannot patch right now, consider temporarily disabling the Classic Web Client so that users are directed to the Modern interface instead (which is not affected by this specific XSS). In the Zimbra Admin Console, navigate to Login Options and adjust the available client setting. Note that this is a mitigation, not a fix — upgrade as soon as possible.
Quick-Win Checklist
- Run
zmcontrol -vas the zimbra user – if the version is below 10.1.19, you are vulnerable right now - Snapshot your VM or back up
/opt/zimbrabefore applying any patch - Apply
zimbra-patch 10.1.19.1783177840-2andzimbra-mbox-webclient-war 10.1.19.1783175257-1 - Restart Zimbra services and confirm
zmcontrol -vreports 10.1.19 - If on ZCS 10.0.x / 9.0.x / 8.8.15: apply the branch-specific SNMP mitigation per Zimbra wiki instructions
- Review the Zimbra admin audit log for any suspicious logins or session activity since July 1, 2026
- Check for unexpected email forwarding rules or auto-reply configurations in administrator and privileged accounts
- Search mail logs for any malformed or unusually structured emails arriving before the patch was applied
- Subscribe to Zimbra security advisories at the Zimbra Security Center if not already subscribed
Sources
- BleepingComputer — Zimbra urges customers to patch critical web client XSS flaw
- The Hacker News — Critical Zimbra Flaw Could Let Crafted Email Execute Malicious Code
- GBHackers — Zimbra Releases Security Patch for Stored XSS Flaw
- CyberPress — Zimbra 10.1.19 Fixes Stored XSS Flaw
- Zimbra Official Blog — Patch Release Update: Zimbra 10.1.19
- Zimbra Wiki — Zimbra Releases/10.1.19