What happened
CISA added CVE-2024-27443 to the Known Exploited Vulnerabilities (KEV) catalog on 2025-05-19, establishing a remediation due date of 2025-06-09 for U.S. Federal agencies [CISA KEV]. The vulnerability affects Synacor Zimbra Collaboration Suite (ZCS) and is categorized as cross-site scripting (XSS) [NVD entry]. The flaw resides in the CalendarInvite feature of the classic Zimbra webmail UI, and it can be exploited via an email message containing a crafted calendar header, resulting in arbitrary JavaScript execution in the user’s session [NVD entry]. CISA’s listing confirms observed exploitation in the wild and mandates action under Binding Operational Directive (BOD) 22-01 timelines for agencies in scope [CISA KEV]. The CVE record is also maintained by MITRE for authoritative identification and cross-references [MITRE CVE].
Why it matters
When a KEV entry appears, it signals active threat actor use against real targets rather than a theoretical risk, which elevates operational urgency for patching and validation [CISA KEV]. XSS inside a webmail client enables attacker-supplied JavaScript to run in the context of the victim’s mailbox UI when the malicious calendar content is processed, expanding the attacker’s options for post-exploitation actions inside that browser session [NVD entry]. Because the vector is delivered via an email with a crafted calendar header against the classic Zimbra webmail interface, the exploit chain cuts across mail flow and browser rendering, complicating detection if teams rely only on perimeter malware scanning [NVD entry]. Agencies bound by BOD 22-01 must remediate this CVE on the CISA KEV clock or implement compensating controls consistent with the directive’s guidance [CISA KEV].
Technical detail
CVE-2024-27443 is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), the canonical XSS weakness category mapping for client-side script injection in web applications [NVD entry]. The vulnerable surface is the CalendarInvite feature within Zimbra’s classic webmail UI, which fails to properly handle attacker-controlled data embedded in a calendar header, enabling arbitrary JavaScript execution on render [NVD entry]. The exploitation path relies on an email message as the delivery vehicle, with the crafted header triggering the script execution when processed by the application [NVD entry]. The authoritative CVE registration maintained by MITRE confirms the identifier and ties it to the same XSS description and affected product lineage for Synacor Zimbra Collaboration Suite (ZCS) [MITRE CVE]. CISA’s KEV entry names ZCS explicitly and documents that exploitation has been observed, which is the threshold for KEV inclusion [CISA KEV].
Defense
CISA’s required action is unambiguous: apply vendor mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable [CISA KEV]. Prioritize remediation of CVE-2024-27443 in asset tracking and patch workflows as a KEV item, and ensure completion by the CISA-imposed due date for in-scope environments [CISA KEV]. Security teams should use the CVE record as the canonical tracking handle across tickets and detections to maintain fidelity during triage and closure [MITRE CVE]. Monitor authoritative vulnerability metadata sources for updates or changes in status while remediation proceeds, including NVD for standardized references and mappings [NVD entry]. Treat any observed attempts to deliver calendar-invite–related payloads targeting Zimbra classic UI as indicators of attack consistent with the exploitation path summarized by the CVE entry [NVD entry]. Where compensating controls are needed temporarily, ensure they align with BOD 22-01 expectations for risk reduction while you complete corrective actions [CISA KEV].
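As an added example covering both the Technical detail and Defense sections (this is not Zimbra's code and not a reconstruction of the actual exploit), a mail-side check that flags markup or script in calendar-invite header values, paired with the output-encoding step that closes a CWE-79 flaw before untrusted header text reaches the DOM. The header name X-Calendar-Note, the sample messages and the `<script>` marker are constructed assumptions; the page does not name the specific header used against CVE-2024-27443.

```python
import email
import html
import re
from email import policy

# Markup that has no legitimate place in a calendar-related header value:
# an HTML tag, a javascript: URL, or an on*= event-handler attribute.
SUSPECT = re.compile(r"<\s*/?[a-z][^>]*>|javascript\s*:|\bon[a-z]+\s*=", re.I)
# Address and message-ID headers legitimately carry <...>, so they are skipped
# to avoid false positives on ordinary mail.
ADDRESS_HEADERS = {"from", "to", "cc", "bcc", "reply-to", "sender",
                   "message-id", "in-reply-to", "references"}

def invite_headers(raw: bytes):
    """Yield (name, value) for headers on the message and on any text/calendar part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part is msg or part.get_content_type() == "text/calendar":
            for name, value in part.items():
                if name.lower() not in ADDRESS_HEADERS:
                    yield name, str(value)

def suspicious_headers(raw: bytes):
    """Return the headers whose values look like HTML markup or script."""
    return [(n, v) for n, v in invite_headers(raw) if SUSPECT.search(v)]

def render_safe(value: str) -> str:
    """Output-encode an untrusted header value before inserting it into a page (the CWE-79 fix)."""
    return html.escape(value, quote=True)

# Constructed sample invites, not real traffic. X-Calendar-Note is a hypothetical header.
BENIGN_INVITE = b"""From: organizer@example.com
To: user@example.com
Subject: Team sync
Content-Type: text/calendar; method=REQUEST; charset=UTF-8

BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
SUMMARY:Team sync
END:VEVENT
END:VCALENDAR
"""
CRAFTED_INVITE = BENIGN_INVITE.replace(
    b"Subject: Team sync\n",
    b"Subject: Team sync\nX-Calendar-Note: agenda <script>alert(1)</script>\n")

if __name__ == "__main__":
    for name, value in suspicious_headers(CRAFTED_INVITE):
        print(f"flag {name}: {value!r} -> encoded {render_safe(value)!r}")
```

The regex is a coarse heuristic for triage at the mail gateway; the durable fix is the vendor patch plus output encoding of every header-derived string in the rendering UI.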
Lyrie Verdict
This is an email-to-browser exploit chain: a crafted calendar header delivered by mail results in JavaScript executing inside Zimbra’s classic webmail UI when processed [NVD entry]. That cross-channel path rewards adversaries who count on slow, manual correlation between messaging telemetry and client-side behavior, which is why we instrument autonomous, machine-speed detection at both the mail and UI layers. Lyrie continuously profiles render-time behaviors tied to known exploited CVEs like CVE-2024-27443 to surface DOM-script execution anomalies that align with calendar invite processing semantics without waiting for user-reported symptoms [CISA KEV]. We bind detections and suppression logic to the canonical CVE handle so that response policies track the exact exploit surface described by the authoritative records [MITRE CVE]. Bottom line: this is prime territory for autonomous, UI-aware defense—Lyrie detects and responds at machine speed as the malicious invite content is rendered, closing the window attackers target in this KEV-listed Zimbra XSS [NVD entry].
Lyrie Verdict
Autonomous, UI-aware monitoring is decisive here: Lyrie correlates mail-borne calendar headers with render-time script execution to clamp XSS in Zimbra’s classic webmail at machine speed, keyed to CVE-2024-27443 and KEV urgency.