CISA Adds Zimbra Collaboration Vulnerability (CVE-2024-27443) to Known Exploited Catalog

CVE-2024-27443

Filip Dimitrov

May 22, 2025

CVE-2024-27443 is an actively exploited XSS vulnerability in the Zimbra Collaboration Suite (ZCS), affecting versions 9.0 and 10.0. The flaw resides in the CalendarInvite feature of the Zimbra webmail classic UI. Improper input validation in the calendar header allows attackers to craft malicious emails that, once opened, execute arbitrary JavaScript in the victim’s session.

This can lead to session hijacking, credential theft, or lateral movement inside the organization; the impact is especially serious in environments that use Zimbra as their primary communications platform.

Date Added to CISA KEV: May 19, 2025
Exploitation Status: Confirmed in the wild
Severity: Medium (CVSS 6.1)
Risk to Organizations: Moderate impact, elevated for government and defense sectors

Targeted Sectors

The vulnerability is being actively exploited in targeted campaigns against:

  • Government agencies
  • Defense contractors
  • Other high-value entities with exposed Zimbra instances

Exposure & Trends

CVE-2024-27443 was recently added to the CISA Known Exploited Vulnerabilities (KEV) list.

Over 30,000 IPs have been identified as potentially vulnerable.

Campaigns leveraging similar XSS bugs have also been observed targeting Roundcube, Horde, and MDaemon webmail systems, suggesting coordinated attacker interest in mail-based XSS exploits.

Mitigation & Recommendations

  • Upgrade Zimbra to the patched versions for the affected 9.0 and 10.0 branches.
  • If patching is not immediately possible, restrict access to the classic webmail UI and monitor for suspicious calendar invite activity.
  • Follow CISA’s BOD 22-01 guidance for timely remediation.

OP Innovate Recommendations

Clients running Zimbra Collaboration Suite should treat this as a priority issue. On top of conducting immediate patch assessments, we recommend:

  • Reviewing mail server logs for unusual calendar headers
  • Adding detections for JavaScript in calendar invites
  • Engaging our incident response team if compromise is suspected
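The two detection items above (monitoring calendar invite activity, and flagging JavaScript inside calendar invites) can be turned into a simple mail-pipeline check. The script below is an added example written for this post, not code from Zimbra or from the OP Innovate team. It parses a raw RFC 822 message with Python's standard email library, unfolds the iCalendar (RFC 5545) properties of any text/calendar part, and reports generic HTML/JavaScript markers (script tags, event-handler attributes, javascript: URIs, embedded frames) found in message headers or calendar property values. Because the public description only says the flaw lies in the calendar header, every property is scanned rather than one specific field; the two sample invites and all addresses in them are constructed for the demonstration.

```python
import email
import re
from email import policy

# Generic markers of active content in a field that should hold plain text.
# These are not a signature for CVE-2024-27443 specifically; they catch the
# class of payload (HTML/JavaScript injected into calendar metadata).
SUSPICIOUS_PATTERNS = [
    ("script-tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("embedded-frame", re.compile(r"<\s*(iframe|object|embed|svg)\b", re.IGNORECASE)),
    ("entity-encoded-tag", re.compile(r"&(lt|#x3c|#60);\s*script", re.IGNORECASE)),
]


def unfold_ical(text):
    """Join RFC 5545 folded lines: a continuation line starts with a space or tab."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def ical_properties(text):
    """Yield (NAME, value) pairs; parameters after ';' are dropped from the name."""
    for line in unfold_ical(text):
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        yield name.split(";", 1)[0].upper(), value


def scan_text(location, text):
    """Return (location, indicator) for every pattern that matches the text."""
    return [(location, label) for label, pattern in SUSPICIOUS_PATTERNS if pattern.search(text)]


def scan_invite(raw_message):
    """Scan one raw message: selected headers plus every text/calendar property."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for header in ("Subject", "From", "To"):
        value = msg.get(header)
        if value:
            findings.extend(scan_text(f"header:{header}", str(value)))
    for part in msg.walk():
        if part.get_content_type() != "text/calendar":
            continue
        for name, value in ical_properties(part.get_content()):
            findings.extend(scan_text(f"ical:{name}", value))
    return findings


# Constructed sample: an ordinary invite with one folded DESCRIPTION line.
SAMPLE_BENIGN = """From: alice@example.test
To: bob@example.test
Subject: Team sync
Content-Type: text/calendar; method=REQUEST; charset=utf-8

BEGIN:VCALENDAR
VERSION:2.0
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-1@example.test
DTSTART:20250522T140000Z
SUMMARY:Team sync
DESCRIPTION:Weekly status meeting,
 agenda to follow.
LOCATION:Room 4
END:VEVENT
END:VCALENDAR
"""

# Constructed sample: the same invite with HTML/JavaScript markers in three fields.
SAMPLE_SUSPICIOUS = """From: mallory@example.test
To: bob@example.test
Subject: Budget review
Content-Type: text/calendar; method=REQUEST; charset=utf-8

BEGIN:VCALENDAR
VERSION:2.0
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-2@example.test
DTSTART:20250522T150000Z
SUMMARY:Budget review <script>alert(1)</script>
DESCRIPTION:Details at javascript:void(0)
LOCATION:<img src=x onerror=alert(1)>
END:VEVENT
END:VCALENDAR
"""

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(label, scan_invite(sample))
```

Run against a mail archive or a milter/log-forwarding hook, the non-empty finding list is what to alert on; the `event-handler` pattern is deliberately broad and may need tuning for legitimate values that happen to start with "on", so start in audit mode before blocking.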

Stay Secure. Stay Informed.

OP Innovate Research Team.