• A new vulnerability has been disclosed in Zimbra email suite that allows an unauthenticated attacker to steal credentials of user without any user interaction.

• The attacker can consequently access victim’s mailboxes, potentially escalate their accesses to the targeted organizations and gain access to various internal services and steal highly sensitive information.

• With mail access, attackers can reset passwords, impersonate their victims, and silently read all private conversations within the targeted company.

• The vulnerability impacts Zimbra releases 8.8.x and 9.x for both open-source and the commercial versions of the platform.