PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-27443 Synacor CVE debrief

CVE-2024-27443 affects Synacor Zimbra Collaboration Suite (ZCS) and is listed in CISA's Known Exploited Vulnerabilities catalog. The CISA entry points to vendor security-fix releases for Zimbra 8.8.15 P46, 9.0.0 P39, and 10.0.7, and sets a mitigation deadline of 2025-06-09. Organizations running ZCS should prioritize remediation and confirm exposure as soon as possible.

Vendor: Synacor
Product: Zimbra Collaboration Suite (ZCS)
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2025-05-19
Original CVE updated: 2025-05-19
Advisory published: 2025-05-19
Advisory updated: 2025-05-19

Who should care

Email and collaboration platform administrators, security operations teams, and vulnerability managers responsible for Synacor Zimbra Collaboration Suite (ZCS) deployments.

Technical summary

The supplied corpus identifies CVE-2024-27443 as a cross-site scripting (XSS) vulnerability in Synacor Zimbra Collaboration Suite (ZCS). CISA added it to the Known Exploited Vulnerabilities catalog on 2025-05-19 and references vendor security-fix releases for 8.8.15 P46, 9.0.0 P39, and 10.0.7. The corpus does not provide a CVSS score or additional exploitation details.

Defensive priority

Urgent

Recommended defensive actions

  • Inventory all Synacor Zimbra Collaboration Suite (ZCS) instances across production, test, and externally reachable environments.
  • Apply the vendor security fixes referenced by CISA for the applicable ZCS release train: 8.8.15 P46, 9.0.0 P39, or 10.0.7.
  • If mitigations cannot be applied promptly, follow CISA's KEV guidance to mitigate per vendor instructions, follow BOD 22-01 for cloud services where applicable, or discontinue use if mitigations are unavailable.
  • Verify that remediation is complete on all exposed ZCS systems and that the vulnerable condition is no longer present.
  • Track closure against the CISA KEV due date of 2025-06-09 and document evidence of remediation.
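The inventory and verification steps above can be run as a version triage against the three fixed levels this page names. This is an added example, not code from PatchSiren, Synacor or CISA. It assumes each host's version is collected as one line in the style of `zmcontrol -v` output; the hostnames and build strings are constructed, and any release train the page does not name is sent to manual review rather than guessed.

```python
import re

# Fixed levels named on this page. 8.8.15 and 9.0.0 are fixed by patch
# number; the 10.0 train is fixed by point release (10.0.7).
FIXED_PATCH = {(8, 8, 15): 46, (9, 0, 0): 39}
FIXED_10_0 = (10, 0, 7)

# Assumed input format: one line per host in the style of `zmcontrol -v`.
RELEASE_RE = re.compile(r"Release (\d+)\.(\d+)\.(\d+)")
PATCH_RE = re.compile(r"Patch (\d+)\.(\d+)\.(\d+)_P(\d+)")


def classify(version_line):
    """Return 'at_or_above_fix', 'below_fix' or 'review' for one host."""
    rel = RELEASE_RE.search(version_line)
    if not rel:
        return "review"  # unparseable: a person has to look
    release = tuple(int(n) for n in rel.groups())
    if release in FIXED_PATCH:
        patch = 0  # no "Patch" field is treated as the unpatched base release
        pm = PATCH_RE.search(version_line)
        if pm:
            if tuple(int(n) for n in pm.groups()[:3]) != release:
                return "review"  # patch string names a different release
            patch = int(pm.group(4))
        return "at_or_above_fix" if patch >= FIXED_PATCH[release] else "below_fix"
    if release[:2] == (10, 0):
        return "at_or_above_fix" if release >= FIXED_10_0 else "below_fix"
    return "review"  # train not named on this page; do not guess


def triage(inventory):
    """Map each host to its status and return hosts still needing work."""
    status = {host: classify(line) for host, line in inventory.items()}
    open_items = sorted(h for h, s in status.items() if s != "at_or_above_fix")
    return status, open_items


# Constructed sample inventory (hostnames and build strings are made up).
SAMPLE = {
    "mail-prod-1": "Release 8.8.15_GA_3869.RHEL7_64 RHEL7_64 FOSS edition, Patch 8.8.15_P45.",
    "mail-prod-2": "Release 9.0.0_GA_4178.UBUNTU20_64 UBUNTU20_64 NETWORK edition, Patch 9.0.0_P39.",
    "mail-test-1": "Release 10.0.6.GA.4518.UBUNTU20.64 UBUNTU20_64 NETWORK edition.",
    "mail-dmz-1": "Release 10.1.0.GA.4655.UBUNTU22.64 UBUNTU22_64 NETWORK edition.",
}

if __name__ == "__main__":
    status, open_items = triage(SAMPLE)
    for host in sorted(status):
        print(f"{host}: {status[host]}")
```

The `open_items` list is what to track against the 2025-06-09 due date; a host leaves it only when its reported version reaches the fixed level for its train.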

Evidence notes

Source corpus and official links identify CVE-2024-27443 as a Zimbra Collaboration Suite XSS issue added to CISA KEV on 2025-05-19 with a mitigation due date of 2025-06-09. The CISA KEV source item references Synacor/Zimbra security-fix pages for 8.8.15 P46, 9.0.0 P39, and 10.0.7, plus the NVD detail page. The corpus does not supply a CVSS score, and ransomware-campaign use is marked Unknown.

Official resources

Publicly disclosed and included in CISA's Known Exploited Vulnerabilities catalog on 2025-05-19.