Zimbra CVE-2024-27443 XSS Vulnerability Affects 129,000 Servers, Sednit Linked to the Attack

A significant cross-site scripting (XSS) vulnerability, designated CVE-2024-27443, has been identified in the CalendarInvite feature of the Zimbra Collaboration Suite, and it is currently being exploited, possibly by the Sednit hacking group. This flaw poses a risk of user session compromise, emphasizing the urgent need for prompt patching.

The latest security issue affecting the Zimbra Collaboration Suite (ZCS), a widely used email and collaboration platform, is tracked as CVE-2024-27443. The vulnerability allows attackers to steal sensitive information or gain unauthorized control over user accounts by way of a stored cross-site scripting attack.

How the Flaw Functions

This vulnerability is specifically rooted in the CalendarInvite functionality of Zimbra’s Classic Web Client. The underlying issue stems from an inadequate validation of incoming data in the Calendar header of emails.

Such a flaw creates an avenue for a stored XSS attack, where an attacker may embed malicious code within a crafted email. Upon a user opening this email in the classic Zimbra interface, the harmful code executes automatically in their web browser, allowing the attacker to hijack the user’s session. The vulnerability is rated as medium in severity, with a CVSS score of 6.1, impacting ZCS versions 9.0 (patches 1-38) and 10.0 (up to 10.0.6).

Widespread Exposure and Ongoing Exploitation

Cybersecurity firm Censys reports that, as of May 22, 2025, a large number of Zimbra Collaboration Suite instances were exposed online and potentially vulnerable. Its analysis identified 129,131 ZCS instances worldwide, predominantly located in North America, Europe, and Asia. A significant share of these systems is hosted on cloud platforms; a further 33,614 were on-premises Zimbra installations, often running on shared infrastructure.

This vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 19, 2025, confirming that attackers are actively exploiting the flaw.

Suspected Attacker

ESET security researchers have suggested that the Sednit hacking group, also known as APT28 or Fancy Bear, may be exploiting this vulnerability. They assess that Sednit is using the flaw as part of a broader campaign named Operation RoundPress, which targets webmail platforms to harvest login credentials and maintain unauthorized access. While no public proof-of-concept exploit currently exists, the ongoing exploitation underscores the need for users to apply protective measures promptly.

Patch Availability and Mitigation Steps

Patches are available to address this vulnerability: Zimbra has fixed the issue in ZCS version 10.0.7 and in Patch 39 for version 9.0. Organizations running ZCS are strongly urged to upgrade to these versions without delay. With the flaw already under active exploitation, timely application of security patches is critical for maintaining system integrity and user safety.
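For defenders with more than a handful of Zimbra hosts, the affected and fixed versions stated above (9.0 Patches 1-38 and 10.0 up to 10.0.6; fixed in 9.0 Patch 39 and 10.0.7) can be turned into a quick inventory triage. The script below is an added example, not code from the article or from Zimbra; the version-string format it parses (e.g. "9.0.0_GA_3924 Patch 38") and the sample inventory are assumptions for illustration.

```python
import re
from typing import NamedTuple

class ZcsVersion(NamedTuple):
    major: int
    minor: int
    micro: int
    patch: int          # 0 when the string carries no "Patch N" suffix

# Assumed version-string format, e.g. "9.0.0 Patch 38", "9.0.0_GA_3924 P39", "10.0.6"
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:_GA_\d+)?(?:\s*(?:Patch|P)\s*(\d+))?", re.IGNORECASE
)

def parse_zcs_version(text: str) -> ZcsVersion:
    """Parse a ZCS version string into (major, minor, micro, patch)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ZCS version string: {text!r}")
    major, minor, micro = (int(g) for g in m.group(1, 2, 3))
    patch = int(m.group(4)) if m.group(4) else 0
    return ZcsVersion(major, minor, micro, patch)

def cve_2024_27443_status(text: str) -> str:
    """Classify a version against the ranges the article gives.

    Returns "affected", "fixed" or "unknown" (a branch or patch level the
    article does not cover, e.g. 9.0 without a patch number, or 10.1.x).
    """
    v = parse_zcs_version(text)
    if (v.major, v.minor) == (9, 0):
        if 1 <= v.patch <= 38:
            return "affected"        # 9.0 Patches 1-38
        if v.patch >= 39:
            return "fixed"           # fixed in 9.0 Patch 39
        return "unknown"
    if (v.major, v.minor) == (10, 0):
        return "affected" if v.micro <= 6 else "fixed"   # fixed in 10.0.7
    return "unknown"

def triage_inventory(inventory: dict) -> dict:
    """Map host -> status for an inventory of host -> reported version string."""
    return {host: cve_2024_27443_status(ver) for host, ver in inventory.items()}

# Constructed sample inventory: hostnames and versions are made up for illustration
SAMPLE_INVENTORY = {
    "mail-a.example.internal": "9.0.0_GA_3924 Patch 38",
    "mail-b.example.internal": "9.0.0 P39",
    "mail-c.example.internal": "10.0.6",
    "mail-d.example.internal": "10.0.7",
    "mail-e.example.internal": "10.1.1",
}
```

Any host reported as "affected" should be scheduled for the upgrade described above, and "unknown" results should be checked by hand rather than assumed safe.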
