CISA has added CVE-2025-48700 to its Known Exploited Vulnerabilities (KEV) catalogue. The entry covers Synacor's Zimbra Collaboration Suite (ZCS) and identifies a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within a user's session, potentially leading to unauthorised access to sensitive information.
The flaw is a reflected or stored cross-site scripting issue (depending on the injection point) affecting the web interface of ZCS. It stems from insufficient input validation on user-supplied data that is later rendered in the browser without proper escaping. Successful exploitation enables an attacker to run malicious scripts in the context of an authenticated user, which can be used to steal session cookies, perform actions on behalf of the user, or exfiltrate data. The vulnerability has a CVSS v3.1 score of 6.1, rated MEDIUM, and a patch is available from Synacor.
CISA's KEV list is reserved for vulnerabilities with confirmed exploitation in the wild, so the inclusion of CVE-2025-48700 indicates that active exploitation has been observed and prompts urgent remediation. No public reporting links this flaw to ransomware campaigns at this time. Federal civilian executive branch (FCEB) agencies must apply the required mitigations by 23 April 2026, the remediation due date set by CISA.
CISA directs FCEB agencies to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. While the directive binds only FCEB organisations, all other entities should review their exposure to ZCS and apply the available patch or equivalent mitigations as soon as practicable. Organisations should also monitor their ZCS deployments for any signs of compromise.
For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-48700 and the CISA KEV catalogue.