Attackers can send unauthorized requests to internal services that are normally protected by firewalls.

Insufficient validation of user-supplied URLs within a Zimbra application component.

Technical Impact

If immediate patching is impossible, ensure that the WebEx Zimlet JSP functionality is disabled unless strictly necessary.

A successful exploit can lead to serious consequences, including:

In some scenarios, it may be possible to steal login credentials or inject malware through chained exploits.

Current Threat Status

While the vulnerability was first identified in 2020, it remains a major threat. , citing active exploitation in the wild. Organizations were given a due date of March 10, 2026, to apply mitigations.

Affected Versions