Threats / Synacor / CVE-2025-48700
CVE-2025-48700
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Synacor Zimbra Collaboration Suite (ZCS) vulnerability
Synacor Zimbra Collaboration Suite contains a cross-site scripting vulnerability allowing attackers to execute arbitrary JavaScript in user sessions, potentially compromising sensitive information.
Verdict
Today item — known-exploited.
A reflected or stored XSS flaw in ZCS enables attackers to inject malicious scripts that execute within authenticated user contexts, facilitating credential theft, session hijacking, and unauthorized access to email and collaboration data.
01
Is it exploitable?
— the evidence, ranked above the scoreReported exploitation
2 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2026-04-20).
Probability (EPSS)
EPSS 0.01761 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Synacor, Zimbra Collaboration Suite (ZCS). Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-79 Cross-site Scripting (XSS) — weakness family: Web / client.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I craft a malicious link or inject payload into a ZCS interface field that reflects or stores unsanitized user input.
Business
Attackers gain ability to execute code in user browsers without additional authentication barriers.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I deliver the payload to target users via phishing, social engineering, or by compromising a trusted communication channel.
Business
User click-through rates and social engineering success increase when attacks appear to originate from trusted internal systems.
3
Lateral reach — past segmentation narrative 3
Attacker
I capture session tokens, credentials, or sensitive data from the DOM or local storage when the victim's browser executes my script.
Business
Attackers obtain valid session credentials and can impersonate users to access email, calendars, and shared documents.
4
Data at risk — exfiltration narrative 4
Attacker
I use stolen sessions to access mailboxes, exfiltrate confidential communications, or modify collaboration content.
Business
Confidential business communications, intellectual property, and customer data are exposed or altered without detection.
5
Lights out — disruption & extortion narrative 5
Attacker
I maintain persistence by modifying user settings, creating forwarding rules, or injecting backdoors into shared resources.
Business
Long-term unauthorized access enables ongoing data theft, compliance violations, and reputational damage.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05