Zimbra Classic Web Client vulnerability for JavaScript code execution

A high-level security vulnerability was recently identified in Zimbra Classic Web Client, allowing attackers to insert and execute arbitrary JavaScript code through the form of Dropped Cross-Site Scripting (XSS). The vulnerability was assigned the code CVE-2025-27915 and is currently considered a serious threat by cybersecurity experts, possibly being used to gain control of email accounts, steal sensitive information as well as spread malicious code in the system.

Compared to the reflexive XSS forms, which are only activated when the user interacts with a malicious link, the stored X SSS is significantly more dangerous due to the malicious code being saved directly on the server. This means that every time a user accesses the infected content, the malicious JavaScript piece of code will be automatically executed by the browser without any additional work. It is this feature that makes CVE-2025-27915 a vulnerability that needs to be addressed urgently.

According to the results of the technical analysis, the root cause of the problem lies in the fact that the mechanism for checking and cleaning input data in Zimbra’s Classic interface is not rigorous enough. Attackers can exploit this weakness to insert malicious JavaScript fragments into input fields that the system does not safely encode or remove. When this data is shown to another user, the browser will treat it as valid content and execute the malicious code as part of the application.

If exploited successfully, the CVE-2025-27915 gap could have many serious consequences. Hackers can steal session cookies to gain access to email accounts, forge user behavior, monitor content exchanged, or even deploy sophisticated phishing operations within the victim organization’s internal email system.

The affected versions of Zimbra Classic Web Client include previous releases of Zimba 9.0.0 Patch 46, 10.1.15 and 10,1.9. These versions are not fully equipped with modern defenses such as efficient output encoding or Content Security Policy (CSP) that are strong enough to prevent malicious code insertion and execution.

As Zimbra is being deployed extensively in many organizations around the world, especially in the corporate and regulatory environments, this vulnerability poses a risk of widespread exploitation if not addressed in time.

As a response, Zimbra quickly released security patches for three major product lines, including Zimba 9.0.0 Patch 46, 10.1.15, and 10,1.9. These updates not only improved the process of controlling input data, but also added an enhanced HTML analysis mechanism, enhanced content filtering both at the input and output dimensions, and adjusted the configuration of the Jetty web server – a key component in Zimbra’s user interface architecture.

System administrators are advised to deploy the patch as soon as possible, and to conduct a thorough review of all entry points in the application, carefully check for custom code, and adopt a tighter content control policy to minimize the risk of similar attacks in the future.