ACTIVELY EXPLOITED · 3 sources verified · 4 min read
By Lyrie Threat Intelligence·4/20/2026

What happened

CISA added CVE-2025-48700 to the Known Exploited Vulnerabilities (KEV) Catalog on 2026-04-20, signaling confirmed in-the-wild exploitation [CISA KEV]. The flaw is in Synacor Zimbra Collaboration Suite (ZCS) and is classified as cross-site scripting (CWE-79), enabling execution of arbitrary JavaScript in a user’s session [NVD entry]. CISA’s listing states the impact as potential unauthorized access to sensitive information and mandates action [CISA KEV]. Required action per CISA: apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable, with a remediation due date of 2026-04-23 [CISA KEV]. The CVE record is tracked by MITRE for canonical identification and metadata continuity [MITRE CVE].

Why it matters

A KEV inclusion means active exploitation, not a theoretical risk [CISA KEV]. Cross-site scripting within an authenticated application context allows attacker-supplied JavaScript to run as the victim, within the victim’s session scope [NVD entry]. That enables unauthorized access to sensitive data the app exposes to that user, aligning with CISA’s stated impact for this CVE [CISA KEV]. Because execution occurs in the browser, traditional server-side controls won’t necessarily block post-exploitation actions that look like normal user activity; the attacker is effectively “inside” the user’s session boundary [NVD entry].

Organizations running ZCS should assume user-targeting and session-bound exploitation paths are in play and prioritize mitigation inside CISA’s short window [CISA KEV]. Waiting for human triage gives an adversary more runtime to harvest whatever data the compromised session is permitted to read [NVD entry].

Technical detail

CVE-2025-48700 maps to CWE-79, improper neutralization of input during web page generation (“Cross-site Scripting”) [NVD entry]. In XSS-class flaws, untrusted input is embedded into a page response without sufficient sanitization/encoding; when a victim’s browser renders the page, attacker-controlled JavaScript executes in the origin context of the application [NVD entry]. For ZCS, CISA’s description explicitly notes arbitrary JavaScript execution in the user’s session with potential access to sensitive information, which defines the risk boundary for exploitation [CISA KEV].

Practically, the attacker’s path looks like this:

  • Deliver a crafted payload that the application reflects or renders into a user-visible context; upon rendering, the code executes as the user within the app’s origin [NVD entry].
  • The script then acts with the user’s privileges in that session (reading data available to the UI and issuing requests as the user), exposing sensitive information per CISA’s impact summary [CISA KEV].
  • Because the browser treats these requests as legitimate, downstream logs may show “valid” user actions unless client-side indicators are captured at execution time [NVD entry].

No vendor patch details, versions, or exploit chain specifics are provided in the public records cited here; treat the class behavior (CWE-79) and CISA’s impact/KEV inclusion as the constraints for response planning [MITRE CVE].

Defense

  • Execute the KEV directive: apply vendor mitigations immediately; if mitigations are unavailable, follow applicable BOD 22-01 guidance for cloud services or discontinue use until risk is addressed [CISA KEV].
  • Honor CISA’s due date of 2026-04-23 and track remediation to closure; KEV entries are prioritized because exploitation is confirmed [CISA KEV].
  • Validate exposure by inventorying where ZCS is externally reachable and which user populations access it; prioritize internet-exposed instances where user sessions can be targeted [NVD entry].
  • After applying mitigations, verify that user interactions no longer execute untrusted scripts in the app origin and that sensitive data isn’t accessible via injected client-side code paths consistent with CWE-79 behavior [NVD entry].
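The following is an added illustration (written for this article, not Zimbra source; the page gives no ZCS code) of the CWE-79 class behavior described under Technical detail and of the post-mitigation verification in the last Defense bullet. The render functions, the probe string and the CSP header values are constructed for the example; the probe carries no script, it only tests whether HTML-significant characters come back unencoded.

```python
import html

# Constructed CWE-79 pattern: the same untrusted value rendered two ways.
# Hypothetical render functions standing in for any page that echoes user data.

def render_unsafe(display_name: str) -> str:
    """Vulnerable: untrusted input concatenated straight into HTML output."""
    return f"<p>Signed in as {display_name}</p>"

def render_hardened(display_name: str) -> str:
    """Fixed: entity-encode the value during page generation, so '<', '>'
    and quotes are inert text rather than markup in the app origin."""
    return f"<p>Signed in as {html.escape(display_name, quote=True)}</p>"

# Harmless probe for the post-mitigation check: a unique marker wrapped in
# characters an HTML parser cares about. No script is involved; the only
# question is whether the brackets and quote survive into the response verbatim.
PROBE = '<"lyrie-xss-check">'

def reflects_unencoded(body: str, probe: str = PROBE) -> bool:
    """True if the probe's HTML-significant characters appear in the body unencoded."""
    return probe in body

def check_page(render) -> dict:
    """Run one render path with the probe and report whether it is still CWE-79-prone."""
    body = render(PROBE)
    return {"body": body, "vulnerable": reflects_unencoded(body)}

def csp_allows_inline_script(csp_header: str) -> bool:
    """Defense-in-depth check on a Content-Security-Policy header: a policy that
    permits inline script leaves reflected markup executable. A nonce or hash
    source in the same directive makes browsers ignore 'unsafe-inline' (CSP3)."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src", []))
    if not sources:
        return True  # no script restriction at all
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash
```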

Lyrie Verdict

CVE-2025-48700 is a client-side execution problem in a user session boundary [NVD entry] that CISA confirms is being exploited now [CISA KEV]. That’s a perfect substrate for automated adversaries that live “in browser” and operate at UI speed. Human-in-the-loop review happens too late; once script runs, data exposure can occur inside the same render cycle [NVD entry].

Lyrie treats KEV-listed XSS in user-facing suites as a machine-speed problem: prioritize autonomous detection of session-scoped script execution anomalies and origin-consistent but behaviorally abnormal requests the instant they occur, then enforce pre-authorization controls while the session is hot. That’s how you contain script-driven data access before it turns into bulk loss.

Lyrie Verdict

CVE-2025-48700 executes attacker JavaScript inside user sessions (CWE-79), and CISA confirms active exploitation via KEV. Lyrie prioritizes autonomous, in-session anomaly detection and immediate enforcement—identifying script-execution signals and origin-valid but behaviorally abnormal requests at machine speed—so rogue automation loses the time advantage.