Home / Threat Intelligence bulletins / Zimbra zero-day vulnerability requires urgent update

Target Industry

Indiscriminate, opportunistic targeting.


Zimbra has disclosed a zero-day vulnerability in its email servers that is being actively exploited in the wild. The flaw relates to reflected cross-site scripting (XSS).


It is possible that successful exploitation of the vulnerability could potentially impact the confidentiality and integrity of data.

Vulnerability Detection

The relevant update will not be released until the scheduled Zimbra July 2023 update. It is therefore a matter of urgency that users of the affected Zimbra product manually apply the security fix to all mailbox nodes.

Affected Products

Zimbra Collaboration Suite version 8.8.15

Containment, Mitigations & Remediations

Zimbra has outlined the mitigation steps, as outlined below:

  1. Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto
  2. Edit this file and go to line number 40
  3. Update the parameter value as below
    <input name=”st” type=”hidden” value=”${fn:escapeXml(param.st)}”/>
  4. Before the update, the line appeared as below
    <input name=”st” type=”hidden” value=”${param.st}”/>
  5. After the update, the line should appear as below:
    <input name=”st” type=”hidden” value=”${fn:escapeXml(param.st)}”/>

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Zimbra occupies a significant proportion of the email-client market share. Given that threat actors generally use a combination of probability and asset value to determine which attack surfaces to focus on, the Zimbra collaboration suits products could emerge as a prime target. Since Zimbra products have become an integral aspect of business operations, threat actors will continue to exploit vulnerabilities contained within the associated products in an attempt to extract the sensitive data contained therein.

Zimbra products have previously been targeted by advanced persistent threat (APT) groups. This has included the North Korean Government conducting espionage operations, by sponsored threat actors exploiting Zimbra devices, within organisations from the medical and energy sectors in Q1 of 2023. Due to the history of successful exploitation, it is highly likely that APT, as well as other cyber threat actor groups will target any known Zimbra product security flaws to further advance their goals of data exfiltration.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Common Attack Pattern Enumeration and Classification (CAPEXC)

CAPEC-63 – Cross-Site Scripting (XSS)

Further Information

Zimbra Advisory


An Intelligence Terminology Yardstick to showing the likelihood of events