Zimbra has released security patches for a critical vulnerability in its Classic Web Client that permits arbitrary code execution through malicious email attachments. The flaw, a stored cross-site scripting vulnerability, allows attackers to craft emails containing malicious scripts that execute within a user's active session when the victim opens the message.

No CVE identifier has been assigned yet. The vulnerability affects Zimbra's widely deployed email and collaboration platform used by enterprises and service providers globally. The attack requires no user interaction beyond opening a compromised email, making exploitation trivial.

The stored XSS mechanism means the malicious payload persists in the email system itself. When an authenticated user accesses their mailbox through the Classic Web Client, the injected script runs with the user's privileges and session token. An attacker gains access to sensitive emails, contacts, and calendar data. They can also modify settings, forward messages to external accounts, or pivot to other systems the user can access.

Organizations running Zimbra infrastructure face immediate risk. Threat actors routinely scan for vulnerable collaboration platforms. Email remains the primary attack vector for initial compromise, and a stored XSS in a mail client amplifies exposure.

Zimbra customers should apply patches immediately. The company has not disclosed whether the vulnerability is being actively exploited in the wild, but the critical severity rating justifies urgent patching. Organizations should also review email logs for suspicious script tags in message headers, particularly those containing JavaScript or iframe elements.

Users should avoid opening emails from untrusted sources and ensure their Zimbra instances run current versions. Security teams should monitor for anomalous session activity, forwarding rules, or unauthorized contact exports that might indicate compromise.

The lack of a CVE assignment suggests active patch development may still be underway. Organizations unable to patch immediately should consider restricting access to Zimbra's Classic Web Client or implementing network-level controls to limit exposure.