CVE-2025-48700 — Zimbra Collaboration Suite Under Active Exploitation, 10,500+ Servers Exposed
CVE-2025-48700: Zimbra XSS active exploitation
CVE-2025-48700 is a cross-site scripting vulnerability affecting Zimbra Collaboration Suite versions 8.8.15, 9.0, 10.0, and 10.1. CISA added the vulnerability to KEV on 20 April 2026, confirming evidence of in-the-wild exploitation. Synacor released patches in June 2025, but exposure remains material.
Shadowserver's 21 April scan identified 10,793 exposed ZCS instances still running vulnerable versions: 3,793 in Europe, 3,794 in Asia, and 1,759 in North America.
Because it is an XSS flaw, successful exploitation lets an attacker run script in the context of a user's Zimbra session when that user's vulnerable instance processes attacker-controlled content, creating session hijacking and data exposure risk.
KEV status matters because it moves the issue from theoretical risk to confirmed exploitation. For private-sector organisations, the operational signal is clear: inventory exposed Zimbra systems, verify patch status, and reduce external exposure where patching cannot be completed immediately.
CVE-2026-41651: Pack2TheRoot PackageKit local privilege escalation
CVE-2026-41651, known as Pack2TheRoot, is a time-of-check to time-of-use (TOCTOU) race condition in PackageKit affecting versions 1.0.2 through 1.3.4. It allows an unprivileged local user to install arbitrary RPM packages as root, including packages with malicious scriptlets.
PackageKit v1.3.5 was released on 22 April 2026. No active exploitation was confirmed in this sweep, but the twelve-year persistence window makes this relevant for developer workstations, shared Linux systems, and multi-tenant environments.
UNC6692 "Snow": Teams helpdesk impersonation campaign
Mandiant reports an active UNC6692 campaign using email bombing followed by Microsoft Teams helpdesk impersonation. Victims are persuaded to install a supposed patch that deploys SnowBelt, SnowBasin, and SnowGlaze malware components.
The defensive lesson is tenant and user-process focused: organisations using Teams for support should review external contact settings, helpdesk verification workflows, and user reporting paths for suspicious support requests.
Trigona uploaderclient.exe: low-confidence exfiltration tooling report
Symantec reports Trigona ransomware affiliates using a custom Windows exfiltration utility named uploaderclient.exe. This remains LOW confidence / UNVERIFIED in this bundle because it is based on a single source and lacks government or second-vendor corroboration.
Treat it as a watch item for ransomware tradecraft, not as a fully corroborated campaign signal.
Recommended Actions
- Immediate: Verify all Zimbra Collaboration Suite instances and patch CVE-2025-48700 where applicable. If an instance is unpatched and external-facing, restrict access until remediation is complete.
- Within 48 hours: Audit PackageKit versions on Linux systems and update affected hosts to v1.3.5 or distribution-provided fixed packages.
- This week: Review Microsoft Teams external contact and helpdesk verification controls.
- Monitor: Track CISA, vendor, and exposure-scan updates for Zimbra; track corroboration for the Trigona custom tool.
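For the PackageKit audit step, the following is an added example (not code from the bulletin or from the PackageKit project): it triages a constructed host inventory against the affected range and fix version stated above. The inventory format, host names and the `triage_inventory` helper are assumptions; a host whose upstream version falls in range is marked for review rather than confirmed vulnerable, because distributions may backport the fix without changing the upstream version number.

```python
import re
from typing import List, Tuple

# Affected range and fix version as stated in the advisory summary.
PK_FIRST_AFFECTED = (1, 0, 2)
PK_LAST_AFFECTED = (1, 3, 4)
PK_FIXED = (1, 3, 5)


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the upstream PackageKit version from a package version string.

    Accepts plain '1.2.5', rpm-style '1.2.5-3.el9', or dpkg-style
    '1:1.2.5-2ubuntu1' (epoch and distro release are stripped, not compared).
    """
    upstream = re.sub(r"^\d+:", "", text.strip()).split("-", 1)[0]
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", upstream)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def packagekit_status(version: str) -> str:
    """'review' if in the affected range, 'fixed' if >= 1.3.5, else 'out-of-range'."""
    v = parse_version(version)
    if PK_FIRST_AFFECTED <= v <= PK_LAST_AFFECTED:
        # In range: confirm against the distro advisory/changelog before closing.
        return "review"
    if v >= PK_FIXED:
        return "fixed"
    return "out-of-range"  # older than 1.0.2, not covered by the advisory


def triage_inventory(lines: List[str]) -> dict:
    """Group hosts by status. Each inventory line: '<host> <packagekit-version>'."""
    result = {"review": [], "fixed": [], "out-of-range": []}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        host, ver = line.split()
        result[packagekit_status(ver)].append(host)
    return result


# Constructed sample inventory (hypothetical hosts), as would be collected with
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' PackageKit      (RPM-based hosts)
#   dpkg-query -W -f '${Version}\n' packagekit            (Debian/Ubuntu hosts)
SAMPLE_INVENTORY = [
    "# host      packagekit-version",
    "build01     1.2.5-3.el9",
    "dev-ws07    1:1.3.4-2ubuntu1",
    "ci-runner   1.3.5-1",
    "legacy42    1.0.1",
]

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```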
All findings are grounded in the 26 April 2026 source set.