A critical cross-site scripting (XSS) vulnerability, identified as CVE-2024-27443, has been discovered in the Zimbra Collaboration Suite’s CalendarInvite feature, and reports indicate it is being actively exploited by the Sednit hacking group. This flaw poses significant risks as it allows attackers to compromise user sessions, raising concerns among Zimbra users globally.
The security weakness stems from improper validation of incoming data in the Calendar header of emails within Zimbra’s Classic Web Client interface. Because the header value is stored with the message and rendered without adequate sanitization, an attacker can carry out a stored XSS attack by embedding malicious code in a specially crafted email. When a user opens such an email in the Classic Web Client, the embedded script executes in the user's browser within the context of their Zimbra session, potentially allowing attackers to gain unauthorized access to the account.
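To make the mechanism described above concrete, the following is an added example written for this page; it is not Zimbra's code and is not taken from the report. It shows a rendering function that interpolates a mail header straight into HTML beside its escaped counterpart, and a small scan over a constructed message that flags calendar header values carrying markup. The header name `X-Example-Calendar-Intent`, the sample message and the `flag_suspicious_calendar_headers` helper are assumptions made for illustration; the article does not name the exact header field involved.

```python
import email
import html
import re
from email import policy

# Hypothetical header name used only for this example. The article says the
# flaw lives in a "Calendar header" of the message but does not name the field.
CALENDAR_HEADERS = ("X-Example-Calendar-Intent",)

# Heuristic: any HTML/XML tag or a javascript: URL scheme inside a header
# value is a strong signal that the value was never meant to be plain text.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>|javascript\s*:", re.IGNORECASE)

# Constructed sample message (not a real invite). The first calendar header
# carries harmless-looking markup, the second is plain text.
SAMPLE_MESSAGE = b"""From: organizer@example.com
To: attendee@example.com
Subject: Meeting invite
X-Example-Calendar-Intent: <b>Team sync</b> at 10:00
X-Example-Calendar-Intent: Plain text only

Body of the invite.
"""


def render_header_unsafe(value: str) -> str:
    """The vulnerable pattern: header text is dropped into markup verbatim,
    so any tags in the value become part of the page's DOM."""
    return f"<div class='cal-header'>{value}</div>"


def render_header_safe(value: str) -> str:
    """The hardened pattern: HTML-escape the value, so tags render as text."""
    return f"<div class='cal-header'>{html.escape(value, quote=True)}</div>"


def flag_suspicious_calendar_headers(raw_message: bytes) -> list[tuple[str, str]]:
    """Parse a raw RFC 5322 message and return (header, value) pairs for
    calendar headers whose value contains markup. Useful as a mail-gateway
    or log-review check on messages destined for a not-yet-patched host."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings: list[tuple[str, str]] = []
    for name in CALENDAR_HEADERS:
        for value in msg.get_all(name, []):
            text = str(value)
            if MARKUP_RE.search(text):
                findings.append((name, text))
    return findings


def scan_sample() -> list[tuple[str, str]]:
    """Run the scanner over the constructed sample message."""
    return flag_suspicious_calendar_headers(SAMPLE_MESSAGE)


if __name__ == "__main__":
    for name, value in scan_sample():
        print(f"flagged {name}: {value!r}")
        print("  unsafe render:", render_header_unsafe(value))
        print("  safe render:  ", render_header_safe(value))
```

The escaped renderer is the fix category a web client needs for this class of bug: header values are untrusted input and must be encoded for the context they are emitted into. The scanner is a stop-gap for defenders who cannot patch immediately; it only catches obvious markup, so it complements, rather than replaces, upgrading to the fixed versions.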
According to cybersecurity firm Censys, as of May 22, 2025, a staggering 129,131 instances of the Zimbra Collaboration Suite were found to be exposed online and vulnerable to this flaw, with the majority located in North America, Europe, and Asia. Many of these exposed systems run on cloud services, while thousands of on-premises Zimbra hosts have also been identified, often sharing the same underlying infrastructure.
The United States Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-27443 to its Known Exploited Vulnerabilities catalog on May 19, 2025, confirming its active exploitation by malicious actors. ESET’s security researchers believe the Sednit group, also known as APT28 or Fancy Bear, is potentially behind the exploitation of this vulnerability as part of a larger operation targeting webmail platforms.
The good news for users is that patches have been released to mitigate this issue. Zimbra has addressed the vulnerability in versions 10.0.7 and 9.0.0 Patch 39. Users are strongly urged to update their Zimbra Collaboration Suite installations to these patched versions immediately to safeguard against possible attacks.