Zimbra CVE-2024-27443 XSS Flaw Hits 129K Servers, Sednit Suspected

A critical XSS vulnerability, CVE-2024-27443, in Zimbra Collaboration Suite’s CalendarInvite feature is actively being exploited, potentially by the Sednit hacking group. Learn how this flaw allows attackers to compromise user sessions and why immediate patching is crucial.
A new security weakness has been discovered in the Zimbra Collaboration Suite (ZCS), a popular email and collaboration platform. This issue, classified as CVE-2024-27443, is a type of cross-site scripting (XSS) flaw that could allow attackers to steal information or take control of user accounts.
The flaw sits in the CalendarInvite feature of Zimbra’s Classic Web Client interface: the client does not properly validate or sanitise the contents of the Calendar header of incoming emails before rendering them.
This oversight enables a stored XSS attack. An attacker embeds malicious script in a specially crafted email, and when a recipient opens that email in the Classic Web Client the script runs automatically in their browser with access to their authenticated session. The vulnerability is rated medium severity, with a CVSS score of 6.1. It affects ZCS versions 9.0 (patches 1-38) and 10.0 (up to 10.0.6).
According to Censys, a cybersecurity insights firm, as of Thursday, May 22, 2025, when the original report was published, a significant number of Zimbra Collaboration Suite instances were exposed online that could be vulnerable.
Censys observed a total of 129,131 potentially vulnerable ZCS instances globally, with most found in North America, Europe, and Asia. A large majority of these are hosted within cloud services. Additionally, 33,614 on-premises Zimbra hosts were identified, often linked to shared infrastructure.
The vulnerability was officially added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue on May 19, 2025, confirming it is actively being used by attackers.
Security researchers from ESET have suggested that a well-known hacking group, Sednit (also known as APT28 or Fancy Bear), might be involved in exploiting it. ESET’s researchers suspect that the Sednit group could be exploiting this flaw as part of a larger campaign called Operation RoundPress, which aims to steal login credentials and maintain access to webmail platforms. While there is currently no public proof-of-concept (PoC) exploit, the active exploitation highlights the urgency for users to take action.
The good news is that patches are available for this vulnerability. Zimbra has addressed the issue in ZCS version 10.0.7 and 9.0.0 Patch 39. Users are strongly advised to update their Zimbra Collaboration Suite to these patched versions immediately to protect against potential attacks.
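As an added example (not code from the article, from Zimbra, or from ESET), the following Python triage helper classifies a ZCS version string against the affected and fixed versions stated above, flags stored messages whose calendar header carries HTML or script markup, and shows the escaping a sanitising client applies before rendering. The header name and the version-string formats are assumptions, since the article names neither.

```python
import re
from email import message_from_string
from html import escape

# Affected ranges as reported: 9.0 patches 1-38 and 10.0.0 through 10.0.6.
# Fixed in 9.0.0 Patch 39 and 10.0.7. Other release lines are not covered
# by the report, so they are classified as "not listed as affected".
VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:[ _]?(?:P|Patch\s*)(\d+))?\s*$", re.IGNORECASE
)

def is_affected(version: str) -> bool:
    """Classify a ZCS version string such as '9.0.0 Patch 38', '9.0.0_P39'
    or '10.0.6' (input formats assumed for this example)."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, micro = (int(m.group(i)) for i in (1, 2, 3))
    patch = int(m.group(4)) if m.group(4) else 0
    if (major, minor) == (9, 0):
        return 1 <= patch <= 38
    if (major, minor) == (10, 0):
        return micro <= 6
    return False

# Placeholder: the article does not name the exact calendar header, so set
# this to the header your ZCS build emits before using the check.
CALENDAR_HEADER = "X-Calendar-Header-PLACEHOLDER"
# Markup that has no business in a plain calendar header value.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

def suspicious_calendar_headers(raw_message: str) -> list[str]:
    """Return calendar header values from a stored message that contain markup."""
    msg = message_from_string(raw_message)
    return [v for v in msg.get_all(CALENDAR_HEADER, []) if MARKUP_RE.search(v)]

def render_calendar_header(value: str) -> str:
    """Hardened rendering: HTML-escape the header value before it reaches the
    page, so embedded markup is displayed as text rather than executed."""
    return escape(value, quote=True)

# Constructed sample messages for exercising the check.
CLEAN_MESSAGE = (
    "From: organiser@example.invalid\nTo: user@example.invalid\n"
    f"Subject: Team sync\n{CALENDAR_HEADER}: Team sync, room 4\n\nSee you there.\n"
)
MARKUP_MESSAGE = (
    "From: organiser@example.invalid\nTo: user@example.invalid\n"
    f"Subject: Team sync\n{CALENDAR_HEADER}: <script>alert(1)</script>\n\nSee you there.\n"
)
```

Run `is_affected` over your inventory's version strings and `suspicious_calendar_headers` over mail-store messages from the exposure window to prioritise patching and review.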
HackRead