Zimbra Zero-day XSS Vulnerability Actively Exploited by Attackers to Steal Sensitive Data

Threat actors are actively exploiting the Zimbra zero-day XSS vulnerability to steal data, and it’s believed that the hackers who have exploited the zero-day vulnerability in Zimbra’s open-source email and collaboration platform are linked to China.

The hackers are abusing the Zimbra zero-day XSS vulnerability and accomplishing their malicious goals with the help of spear-phishing campaigns that began in December last year.


In their malicious campaigns, the attackers are targeting the European media and government organizations. And the cybersecurity analysts at Volexity have detected that the spying operation performed by the attackers is code-named as EmailThief.

While Zimbra has affirmed that in over 140 countries, more than 200,000 businesses are using its software and services. Not only that, among those businesses, there are more than 1000 financial and government organizations that are also using the software and services of Zimbra. 

Operators and Operation

A cross-site scripting (XSS) vulnerability allows the threat actors to execute arbitrary JavaScript code in the context of a user session on the Zimbra platform.

And this bug affects the most recent version of Zimbra (Zimbra 8.8.15). Here, the cybersecurity analysts attributed the attacks to the previously unknown TEMP_HERETIC hacker group that mainly targets the media and government organizations in Europe.

Apart from this, the attacks take place in two stages, and here they are:-

  • First stage: In this stage, the attackers conduct surveillance and send out emails in order to check whether the victim receives and opens the messages.
  • Second stage: In this stage, a large number of emails are sent, in which recipients are fooled into clicking on a malicious link.

By exploiting this zero-day flaw, an attacker can easily perform the following tasks:-

  • To allow persistent access to a mailbox, can exfiltrate cookies.
  • Send phishing messages to a user’s contacts.
  • In the context of a trusted website, an attacker can deliver a prompt to download malware.

Moreover, to successfully accomplish the attack, the target must access the malicious site via a link while logged into the Zimbra web client in a browser. And here, with the help of rich email clients like Thunderbird or Outlook, the link itself can be launched. 


The security researchers at Volexity has recommended a few security measures to avoid such attacks, and here they are:-

  • At the mail gateway and network level, all the indicators should be blocked.
  • For suspicious access and referrers, Zimbra users should analyze the historical referrer data.
  • Zimbra users are advised to update the platform to version 9.0.0, as version 8.8.15 is vulnerable.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.