Google's TAG Reported the Zimbra Bug That Got Patched Today. That's the Tell. Assume a State Actor Already Has It.
- Patrick Duggan
- 35 minutes ago
- 3 min read
Zimbra pushed a patch today, July 10, for a critical stored cross-site-scripting flaw in its Classic Web Client. There is no CVE number assigned yet. The affected code is the Ajax webmail interface used by hundreds of millions of people, the fix is in ZCS 10.1.19, and the mechanics are the kind that do not require the victim to do anything wrong: a specially crafted email runs attacker JavaScript in your session the moment you open it, and from there it can lift your session data, your account settings, and your mailbox contents. Patch it. But the detail that should move this to the top of your list is not the severity. It is who found it.
Who reported it is the story
The flaw was reported by Google's Threat Analysis Group. TAG is not a general bug-bounty operation and it does not usually surface run-of-the-mill web bugs. TAG's specific mandate is tracking government-backed hacking and the zero-days those groups use in the wild. When a fix credits TAG, the reasonable prior is not "a researcher found a theoretical issue." It is "someone was already using this against real targets, and Google caught them doing it." The absence of an assigned CVE this early, combined with a TAG credit and a same-day vendor patch, is the shape of a quietly-exploited zero-day being closed, not a leisurely coordinated disclosure.
We are holding this at about ninety-five percent, because "TAG reported it" is not the same sentence as "confirmed exploited in the wild," and the advisory has not said the latter outright. But you do not get to wait for the second sentence. The threat model for a TAG-reported mail-client bug is a state actor, and the correct assumption for a state actor is that they had it before you did.
Zimbra has been a nation-state doorway all year
This is not a first for Zimbra, and it is not a coincidence that mail is the target. Zimbra Collaboration has been one of 2026's most reliable footholds for government-aligned crews, and the pattern is specifically cross-site scripting in the Classic UI — the same corner of the same product being hit again and again.
Earlier this year, CVE-2025-66376, a stored XSS in exactly this Classic UI, was exploited by APT28 — the Russian military-intelligence crew also known as Fancy Bear — against Ukrainian targets, using crafted emails to run code in webmail sessions. Before that, a local file inclusion flaw, CVE-2025-68645, drove a mass-scanning spike against Zimbra instances at the end of January. Our own catalog carries the longer lineage: the CalendarInvite XSS, the WebEx-zimlet SSRF, a string of Classic-UI scripting bugs stretching back years. Mail is where the intelligence lives — the correspondence, the contacts, the calendar that maps who meets whom — and a stored XSS that fires on open is the cleanest way to read someone else's mailbox without ever touching their password. Today's bug is the newest entry in a category that state actors have treated as a standing supply of doorways.
There is an old detail from where I grew up that fits this bug exactly. Lace curtains: the pattern lets the person outside see in, while the person inside sees only fabric. A webmail client compromised through the message you were simply meant to read is the same arrangement. The attacker watches everything through your window. You see your inbox.
What to do tonight
Upgrade to ZCS 10.1.19. The flaw only affects the Classic Web Client, so if your users are on the modern interface your exposure is narrower — but "narrower" is not "none," and the population still on Classic is exactly the long-lived, under-maintained deployment a state crew prefers. If you cannot patch immediately, the interim move for a stored-XSS-on-open bug is to steer users off the Classic UI and to be aggressive about HTML sanitization at the mail gateway.
Then hunt, because a TAG credit means the clock started before the patch did. Look for the things a session-stealing XSS leaves behind: mail rules or forwarding you did not create, session activity from addresses that do not match your users, quiet exfiltration of mailbox contents. If you run Zimbra and you serve anyone a government, a defense supplier, a journalist, an NGO in a contested region would find interesting, treat this as an active-intrusion assumption and not a maintenance ticket.
Held to about ninety-five percent. The disclosure and the catch belong to Google's Threat Analysis Group; the patch to Zimbra. What we add is the read on it: when TAG is the reporter, the bug was a weapon before it was an advisory.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.
