The flaw resides in the GraphQL endpoint of Zimbra's webmail interface (/service/extension/graphql), where improper CSRF token validation lets malicious actors manipulate authenticated users into triggering unintended actions. Zimbra confirmed the vulnerability impacts all ZCS releases from 9.0 up to 10.1.3. Patches are available in ZCS 10.1.4, which enforces CSRF token validation for all GraphQL requests.

In this case, the absence of anti-CSRF tokens in Zimbra's GraphQL API permits attackers to craft malicious web pages or emails that force victims' browsers to submit forged requests. A proof-of-concept exploit demonstrated that a single malicious HTTP POST request could compromise an account if the victim visits a booby-trapped page while logged into Zimbra. The vulnerability is particularly severe because Zimbra's GraphQL API handles high-privilege operations without secondary authentication checks.

Zimbra's security team credited researcher 0xf4h1m for discovering the flaw through the Zero Day Initiative. The company's advisory urges administrators to prioritize upgrades, noting that "CSRF vulnerabilities in mission-critical email systems create lateral movement opportunities in enterprise networks". With Zimbra powering over 200,000 enterprise email servers globally, unpatched instances remain prime targets for phishing campaigns and data exfiltration. Zimbra administrators should apply patches immediately and consider third-party monitoring solutions to detect anomalous GraphQL activity.

Kaaviya is a Security Editor and fellow reporter with Cyber Security News, covering various cyber security incidents happening in the Cyber Space.
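The fix described above is a server-side check that every GraphQL request carries a token bound to the user's session. The following is an added illustration of such a check, not Zimbra's code: the endpoint path comes from the article, while the `X-CSRF-Token` header name, the trusted origin and the session layout are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

GRAPHQL_PATH = "/service/extension/graphql"      # endpoint named in the article
TRUSTED_ORIGINS = {"https://mail.example.com"}   # constructed: the webmail's own origin

@dataclass
class Session:
    user: str
    # One unguessable token per session; the page embeds it for its own scripts.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    method: str
    path: str
    headers: dict
    session: Optional[Session] = None  # the browser attached the session cookie

def _origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

def csrf_check(req: Request) -> tuple[bool, str]:
    """Synchronizer-token check applied to every GraphQL request, as the
    article says the fixed release does. Returns (allowed, reason)."""
    if req.path != GRAPHQL_PATH:
        return True, "not the GraphQL endpoint"
    if req.session is None:
        return False, "no authenticated session"
    # Origin/Referer are set by the browser; a forged cross-site POST cannot spoof them.
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if src is None or _origin_of(src) not in TRUSTED_ORIGINS:
        return False, "cross-site origin"
    token = req.headers.get("X-CSRF-Token")  # hypothetical header name
    if token is None:
        return False, "missing CSRF token"
    if not hmac.compare_digest(token.encode(), req.session.csrf_token.encode()):
        return False, "CSRF token mismatch"
    return True, "ok"

def demo() -> dict:
    # Constructed pair: a forged POST from an attacker page vs. a legitimate one.
    sess = Session(user="alice")
    forged = Request("POST", GRAPHQL_PATH, {"Origin": "https://evil.example"}, sess)
    legit = Request("POST", GRAPHQL_PATH, {"Origin": "https://mail.example.com",
                                           "X-CSRF-Token": sess.csrf_token}, sess)
    return {"forged": csrf_check(forged), "legit": csrf_check(legit)}
```

The same cookie reaches the server in both requests; only the origin and the token, which an attacker's page cannot supply, separate them, which is why the origin check alone is not relied on.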
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 30 Apr 2025 09:10:21 +0000