CVE-2025-48700 Synacor CVE debrief

Who should care

Organizations running Synacor Zimbra Collaboration Suite (ZCS), especially messaging, collaboration, and security teams responsible for patching or mitigation.

Technical summary

CISA's Known Exploited Vulnerabilities catalog identifies CVE-2025-48700 as a cross-site scripting vulnerability in Synacor Zimbra Collaboration Suite (ZCS). The catalog entry marks it as known exploited and instructs defenders to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The supplied corpus does not include CVSS metrics, affected versions, or additional technical details.

Defensive priority

Urgent. This is a CISA KEV-listed issue with a near-term due date, so remediation or mitigation should be prioritized immediately.

Recommended defensive actions

• Review Synacor/Zimbra official security guidance and apply the vendor-recommended mitigation or fix as soon as possible.
• If a mitigation is not available, follow CISA guidance and discontinue use of the product until the risk can be reduced.
• For cloud-hosted deployments, follow applicable BOD 22-01 guidance.
• Track remediation against the CISA KEV due date of 2026-04-23 and verify that all ZCS instances are covered.

Evidence notes

The supplied corpus contains a CISA KEV JSON entry dated 2026-04-20 for CVE-2025-48700, naming it as a Synacor Zimbra Collaboration Suite (ZCS) cross-site scripting vulnerability and marking it as known exploited. It also supplies the CISA-required action text and links to the CVE record, NVD detail page, and CISA KEV catalog. No CVSS score, affected-version list, or vendor advisory text was provided.

Official resources