ctipilot.ch
← Back to the live brief
NOTABLENATOA2vulnerability

Zimbra Classic Web Client: crafted-email code execution fixed in ZCS 10.1.19, surfaced by NCSC-CH (no CVE, exploitation unknown)

discovered 2026-07-10 20:34 UTCrun 2026-07-10T2009Z-intel3 sourcesmulti-source

Zimbra released ZCS 10.1.19 on 2026-07-07 to fix a Classic Web Client issue in which "a specially crafted email could run malicious code when the email is opened," potentially granting access to mailbox information, session data or account settings (Zimbra, 2026-07-07); heise online covered it the same day as a stored cross-site-scripting flaw in the legacy webmail UI (heise online, 2026-07-07). Switzerland's NCSC-CH added the item to its Cyber Security Hub on 2026-07-10, describing it as allowing unauthenticated remote attackers to reach session data, account settings and mailbox contents when a victim opens a malicious email, and explicitly recording the exploitation status as unknown (NCSC-CH / GovCERT.ch, 2026-07-10). Only the Classic Web Client is affected; Zimbra and heise recommend switching users to the Modern Web Client as an interim mitigation.

The update fixes a security issue in the Classic Web Client where a specially crafted email could run malicious code when the email is opened. If exploited, it could allow access to mailbox information, session data, or account settings.

Zimbra 2026-07-07

Current exploitation status: UNKNOWN

NCSC-CH / GovCERT.ch 2026-07-10

Defender actions

  • Identify Zimbra tenants still using the Classic Web Client and upgrade to ZCS ≥ 10.1.19; as an immediate interim step, move users to the Modern Web Client, which is not affected.
  • Prioritise internet-facing Zimbra webmail — the flaw is unauthenticated and triggers on message open, so exposure is proportional to who can send mail to affected mailboxes.

ATT&CK mapping

3 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Execution TA0002
T1059.007Command and Scripting Interpreter: JavaScript

Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.

overlap matrix · ATT&CK page ↗

T1203Exploitation for Client Execution

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.

overlap matrix · ATT&CK page ↗

Credential Access TA0006
T1539Steal Web Session Cookie

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.