A important XSS vulnerability, CVE-2024-27443, in Zimbra Collaboration Suite’s CalendarInvite function is actively being exploited, doubtlessly by the Sednit hacking group. Learn the way this flaw permits attackers to compromise consumer periods and why instant patching is essential.
A brand new safety weak point has been found within the Zimbra Collaboration Suite (ZCS), a preferred e-mail and collaboration platform. This challenge, categorised as CVE-2024-27443, is a kind of cross-site scripting (XSS) flaw that would permit attackers to steal info or take management of consumer accounts.
How the Flaw Works
The issue lies particularly inside the CalendarInvite function of Zimbra’s Basic Internet Shopper interface. It occurs as a result of the system doesn’t correctly test incoming info within the Calendar header of emails.
This oversight creates a gap for a saved XSS assault. This implies an attacker can embed dangerous code right into a specifically designed e-mail. When a consumer opens this e-mail utilizing the basic Zimbra interface, the malicious code runs robotically inside their net browser, giving the attacker entry to their session. The severity of this vulnerability is rated as medium, with a CVSS rating of 6.1. It impacts ZCS variations 9.0 (patches 1-38) and 10.0 (as much as 10.0.6).
Widespread Publicity and Lively Exploitation
In accordance with Censys, a cybersecurity insights agency, as of Thursday, Could 22, 2025, when the unique report was revealed, a major variety of Zimbra Collaboration Suite cases had been uncovered on-line that may very well be weak.
Censys noticed a complete of 129,131 doubtlessly weak ZCS cases globally, with most present in North America, Europe, and Asia. A big majority of those are hosted inside cloud providers. Moreover, 33,614 on-premises Zimbra hosts had been recognized, typically linked to shared infrastructure.
The vulnerability was formally added to CISA’s Recognized Exploited Vulnerabilities (KEV) catalogue on Could 19, 2025, confirming it’s actively being utilized by attackers.
Potential Perpetrator?
Safety researchers from ESET have recommended {that a} well-known hacking group, Sednit (PDF) (AKA APT28 or Fancy Bear), could be concerned in exploiting it. ESET’s researchers suspect that the Sednit group may very well be exploiting this flaw as half of a bigger scheme known as Operation RoundPress, which goals to steal login particulars and preserve entry to webmail platforms. Whereas there may be at the moment no public proof-of-concept (PoC) exploit, the energetic exploitation highlights the urgency for customers to take motion.
Patching and Mitigation
The excellent news is that patches can be found for this vulnerability. Zimbra has addressed the difficulty in ZCS model 10.0.7 and 9.0.0 Patch 39. Customers are strongly suggested to replace their Zimbra Collaboration Suite to those patched variations instantly to guard towards potential assaults.
