Over 10,000 Zimbra Collaboration Suite instances exposed online are under active attack via a cross-site scripting vulnerability. The flaw enables attackers to compromise affected email and messaging servers.
Security researchers have identified a critical XSS vulnerability affecting thousands of Zimbra Collaboration Suite (ZCS) deployments currently accessible on the internet. The vulnerability allows attackers to inject malicious scripts into the platform, potentially compromising user sessions and data.
Zimbra, a widely-used open-source email and collaboration platform, powers messaging infrastructure for organizations globally. The exposed instances suggest many organizations are running outdated or unpatched versions of the software.
XSS attacks of this nature typically target user authentication tokens and sensitive information. By exploiting the vulnerability, attackers can execute arbitrary code in users' browsers, steal session cookies, or redirect users to malicious sites. The active nature of the campaign indicates threat actors are actively probing and compromising vulnerable servers.
The scope of the exposure—10,000+ instances—underscores the challenge of maintaining security across distributed infrastructure. Many organizations may be unaware their Zimbra installations are accessible to the public internet or vulnerable to known exploits.
Recommended actions for Zimbra administrators:
- Apply available security patches immediately
- Review Zimbra instances for internet exposure
- Monitor access logs for suspicious activity
- Implement network segmentation to limit exposure
- Enable multi-factor authentication where possible
The vulnerability highlights the ongoing risk posed by unpatched collaboration and email platforms. As remote work continues, email servers remain prime targets for attackers seeking initial access to organizational networks.
Organizations running Zimbra should prioritize patching efforts and conduct security audits of their deployments to identify and remediate vulnerable instances before attackers can establish persistent access.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.
Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.
A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.