Critical Zimbra Zero-Day Flaw Actively Exploited in Targeted Attacks

Zimbra has urged all users of the Zimbra Collaboration Suite to take immediate action to address a critical vulnerability that is being actively exploited in targeted attacks. Around 200,000 businesses currently use the email and collaboration platform and are at risk until the patch is applied or the recommended mitigations have been implemented.

Version 8.8.15 of the Zimbra Collaboration Suite contains a reflected cross-site scripting (XSS) vulnerability that affects the confidentiality and integrity of user data. Google's Threat Analysis Group (TAG) has confirmed that the flaw is being exploited in the wild in targeted attacks. The vulnerable page writes a request parameter into its HTML without escaping it, so an attacker who gets a victim to open a crafted link can run script in the victim's browser in the context of the Zimbra web client, and from there read or modify the victim's mail and session data. Malicious actors have repeatedly targeted Zimbra vulnerabilities, so it is important to apply the mitigation steps immediately.

Zimbra says the issue will be fixed in its July patch release; however, because exploitation has already been observed, administrators are advised to apply the manual fix on all mailbox nodes now rather than wait for the patch to be released and applied. No CVE has yet been assigned to the vulnerability. Zimbra has credited the discovery to TAG security researcher Clément Lecigne.

Zimbra has confirmed that the following steps can be taken without downtime, as no restart of Zimbra services is required. To prevent exploitation, administrators should carry out the steps below on every mailbox node and then apply the July patches promptly when they are released later this month.

Manual Actions to Address the XSS Vulnerability

  1. Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto
  2. Edit this file and go to line number 40
  3. Before the update, the line appears as below (the st request parameter is written into the value attribute unescaped):
    <input name="st" type="hidden" value="${param.st}"/>
  4. Update the parameter value so that the line appears as below (fn:escapeXml encodes the characters that would otherwise break out of the attribute):
    <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>
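The same edit can be applied and verified from the shell, which is how it would be done across several mailbox nodes. The script below is an added example and not Zimbra's own tooling: it takes the backup, rewrites the unescaped value="${param.st}" to the escaped form given in the advisory, refuses to touch a file that contains neither the vulnerable nor the fixed line, restores the backup if the rewrite did not take, and is safe to run twice. It searches for the exact vulnerable string rather than trusting that it sits on line 40. The path /opt/zimbra/jetty/webapps/zimbra/m/momoveto and running it as the zimbra user are assumptions about the deployment; the demo at the bottom uses a constructed three-line stand-in for the JSP, not the real file.

```shell
#!/bin/sh
# Added example (not Zimbra's tooling): apply and verify the momoveto XSS
# mitigation. Assumes POSIX sh plus grep, sed, cp, cat, mktemp and date
# (GNU or BSD). On a real node run it as the zimbra user against
# /opt/zimbra/jetty/webapps/zimbra/m/momoveto (assumed path, from the advisory).

VULN='value="${param.st}"'                 # request parameter echoed unescaped
FIXED='value="${fn:escapeXml(param.st)}"'  # escaped: < > & " ' become entities

# is_vulnerable FILE: exit 0 if the unescaped sink is still present, 1 if not.
is_vulnerable() {
    grep -qF -- "$VULN" "$1"
}

# apply_mitigation FILE: back up, rewrite the sink, verify. Exit codes:
# 0 mitigated or already mitigated, 2 file missing, 3 neither pattern found,
# 4 backup or rewrite failed, 5 rewrite did not take (backup restored).
apply_mitigation() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    if ! is_vulnerable "$file"; then
        if grep -qF -- "$FIXED" "$file"; then
            echo "already mitigated: $file"
            return 0
        fi
        echo "neither vulnerable nor fixed line found, not touching: $file" >&2
        return 3
    fi
    bak="$file.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$file" "$bak" || return 4
    tmp="$file.tmp.$$"
    # BRE: '$', '{', '}', '(' and ')' are literal here; only '.' needs escaping.
    # The sed script is single-quoted so the shell does not expand ${param.st}.
    sed 's/value="\${param\.st}"/value="${fn:escapeXml(param.st)}"/' "$file" > "$tmp" \
        || { rm -f "$tmp"; return 4; }
    cat "$tmp" > "$file"   # write into the existing inode: owner and mode survive
    rm -f "$tmp"
    if is_vulnerable "$file"; then
        echo "rewrite did not take, restoring backup: $file" >&2
        cat "$bak" > "$file"
        return 5
    fi
    echo "mitigated: $file (backup: $bak)"
}

# Demo on a constructed stand-in for the JSP (three lines, not the real file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
<%-- constructed sample, not Zimbra's momoveto --%>
<input name="st" type="hidden" value="${param.st}"/>
<input name="id" type="hidden" value="${fn:escapeXml(param.id)}"/>
EOF
is_vulnerable "$demo" && echo "before: vulnerable"
apply_mitigation "$demo"
apply_mitigation "$demo"   # second run: reports already mitigated, takes no new backup
rm -f "$demo" "$demo".bak.*
```

Run it once per mailbox node (for example over ssh as the zimbra user) and check the exit code; a 3 means the file does not look like the one the advisory describes and should be inspected by hand rather than edited blindly. The backup file name carries a timestamp so that the pre-mitigation copy survives for comparison after the July patch is applied.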

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news