Home/ Blog/ Security news/ Article
Blog · Security news

Zimbra's Classic Web Client can run code from a crafted email again. Patch to 10.1.19 now.

Zimbra shipped ZCS 10.1.19 to fix a stored XSS in the Classic Web Client that runs code from a crafted email. Google TAG reported it; no public exploit yet.

Open envelope on a flat surface with thin geometric lines rising from inside it

A webmail bug that runs code the moment a victim opens a message is bad on its own. What makes Zimbra's latest one worth acting on this week is who reported it. Google's Threat Analysis Group, the team that tracks government-backed hacking, flagged the stored cross-site scripting flaw that Zimbra fixed in Collaboration Suite 10.1.19. There is no public exploit yet. That is not the same as safe. TAG has surfaced earlier Zimbra webmail flaws that were already being used against real mailboxes before the rest of the industry noticed.

What the flaw actually does

The fixed issue is a stored cross-site scripting flaw in Zimbra's Classic Web Client. An attacker sends a crafted email; when the recipient opens it in the Classic Web Client, script inside the message runs in that user's authenticated session. Zimbra's advisory, as reported by BleepingComputer, says exploitation can reach mailbox contents, session data, and account settings. No click beyond reading the message is required.

The important scoping detail: this only touches the Classic Web Client. Zimbra's guidance is blunt: anyone still on the Classic Web Client should move to ZCS 10.1.19 now, and the Modern Web Client is not affected by this bug. There is no CVE identifier assigned yet and no published CVSS score. Zimbra shipped 10.1.19 in the first days of July and urged customers to upgrade around July 10, 2026, according to Security Affairs.

ComponentAffected by this flawAction today
Classic Web Client (below 10.1.19)YesUpgrade to ZCS 10.1.19
Modern Web ClientNoNo action for this bug
Only the Classic Web Client renders the crafted message. Source: Zimbra advisory as reported by BleepingComputer and Security Affairs.

Why "no public exploit yet" is the wrong thing to relax about

Read the reporter, not just the status line. TAG's job is finding zero-days aimed at journalists, dissidents, and government staff, so a webmail flaw that lands on TAG's desk fits the profile of the ones that get used quietly rather than the ones that never get used at all. Prior Zimbra web client flaws have been tied in public reporting to Russia-linked groups tracked as APT28, APT29, and Winter Vivern, targeting email accounts across Europe and Ukraine. When the discoverer hunts state-sponsored activity, treat "not yet seen in the wild" as "not yet seen by us."

There is a second reason the countdown is short. This is stored cross-site scripting delivered by email, which is about the cheapest exploitation setup a vulnerability can have. Once someone compares the 10.1.19 build against the prior one, the fix itself points at the injection path, and the payload is just an email. We made the same argument about Adobe's ColdFusion patch that shipped with no exploit: the gap between a public fix and a working exploit for a widely deployed server is measured in days, not months.

Patching is step one. Your open sessions are step two.

Here is the part the upgrade notice does not cover. Because this flaw steals session data, moving to 10.1.19 stops new injections but does nothing to a session token an attacker already lifted during the window before you patched. If your Classic Web Client was reachable from the internet, assume the pre-patch window mattered and do three things after upgrading:

  • Invalidate active webmail sessions and force re-authentication, so any token captured before the patch stops working. Patching without rotating sessions is the same mistake we flagged in the FortiBleed case, where the fix did not evict an attacker who already held valid session material.

  • Hunt stored messages for inline script or HTML that has no business in a normal email body, focused on the days before you upgraded.

  • Correlate mailbox reads with session use from new IP addresses or geographies right after a message was opened, the signature of a stolen-session takeover rather than a password guess.

This is the same discipline that separates a real response from a checkbox in session-hijack cases like the GitLab session flaw: the patch closes the door, it does not walk the intruder back out.

The Classic Web Client is the recurring liability

Step back from this one bug. The Modern Web Client was not affected here, and the Classic client keeps producing email-borne cross-site scripting. It is the older rendering path, and Zimbra itself scopes the fix to it. If your users still default to the Classic Web Client, this is the prompt to plan a migration off it, not just to apply 10.1.19 and move on. A vulnerability class that recurs on one specific surface is an architecture signal, not a run of bad luck. State-backed interest in webmail is not slowing down either; the same logic drives phishing campaigns like the Signal recovery-key theft we covered, where the mailbox or messaging account is the objective, not the stepping stone.

One operational wrinkle: there is no CVE to track

Because no CVE identifier has been assigned, vulnerability tooling that keys off CVE feeds will not raise this for you automatically. Track it by fixed version, ZCS 10.1.19, and by Zimbra's own advisory, and add a manual note to your patch record so it does not fall through a CVE-shaped gap in your scanning. When an identifier does land, backfill it, but do not wait for it to act.

Topics

Frequently asked questions

Which Zimbra version fixes the Classic Web Client flaw?

Zimbra Collaboration Suite 10.1.19 fixes the stored cross-site scripting flaw in the Classic Web Client. Zimbra advises any customer using the Classic Web Client to upgrade as soon as possible. The Modern Web Client is not affected by this issue.

Is the Zimbra Classic Web Client flaw being exploited?

No public exploit or in-the-wild exploitation has been documented at the time of writing. It was reported by Google's Threat Analysis Group, which tracks government-backed hacking, so defenders should treat it as pre-exploitation rather than theoretical and patch promptly.

How does the Zimbra Classic Web Client vulnerability work?

It is a stored cross-site scripting flaw. An attacker sends a crafted email, and when the recipient opens it in the Classic Web Client, script in the message runs in that user's authenticated session. Reported impact includes access to mailbox contents, session data, and account settings.

Is patching Zimbra to 10.1.19 enough?

Patching stops new injections but does not invalidate a session token stolen before you upgraded. After moving to 10.1.19, force re-authentication to end active webmail sessions, and review stored messages and session use from the pre-patch window for signs of compromise.

Does this Zimbra flaw have a CVE identifier?

No CVE identifier had been assigned at the time of writing, and no CVSS score was published. Vulnerability tooling that keys off CVE feeds will not flag it automatically, so track it by the fixed version, ZCS 10.1.19, and by Zimbra's advisory.

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.