Cyber Resilience

CVE-2026-33373

High

Published: 30 March 2026

Modified: 07 April 2026
KEV Added: not listed
Patch: ZCS 10.0.18 / 10.1.13
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0020 (10.1st percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33373 is a high-severity CSRF (CWE-352) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001). The CVE is ranked at the 10.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33373 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting Zimbra Collaboration Suite (ZCS) versions 10.0 and 10.1, specifically the Zimbra Web Client. The issue arises because authentication tokens issued during certain account state transitions, such as enabling two-factor authentication or changing a password, lack CSRF protection. While such a token is active, authenticated SOAP requests that trigger token generation or state changes can be performed without CSRF validation. The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

An unauthenticated attacker (PR:N) can exploit this vulnerability by tricking an authenticated victim into submitting crafted requests through social engineering or malicious websites, requiring user interaction (UI:R). Successful exploitation enables the attacker to perform sensitive account actions on the victim's behalf, such as disabling two-factor authentication, potentially leading to high confidentiality, integrity, and availability impacts.

Zimbra advisories recommend upgrading to patched versions, including ZCS 10.0.18 and 10.1.13, which address the issue through security fixes that ensure CSRF protection is consistently enforced for all issued authentication tokens. Additional details are available in the Zimbra Security Center and Responsible Disclosure Policy on their wiki.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after operations such as enabling two-factor authentication or changing a password may lack CSRF enforcement. While such a token is active, authenticated SOAP requests that trigger token generation or state changes can be performed without CSRF validation. An attacker could exploit this by inducing a victim to submit crafted requests, potentially allowing sensitive account actions such as disabling two-factor authentication. The issue is mitigated by ensuring CSRF protection is consistently enforced for all issued authentication tokens.

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
T1556.006 Multi-Factor Authentication Defense Impairment
Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.
Why these techniques?

The CSRF flaw lets an attacker change account authentication settings (for example, disable MFA) by inducing the victim to follow a malicious link or other social-engineering lure, so user interaction is required.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-68645 · Same product: Synacor Zimbra Collaboration Suite
CVE-2025-66376 · Same product: Synacor Zimbra Collaboration Suite
CVE-2025-27915 · Same product: Synacor Zimbra Collaboration Suite
CVE-2025-25064 · Same product: Synacor Zimbra Collaboration Suite
CVE-2026-27858 · Same product class: email / collaboration
CVE-2026-41347 · Shared CWE-352
CVE-2025-59028 · Same product class: email / collaboration
CVE-2022-41082 · Same product class: email / collaboration
CVE-2022-41040 · Same product class: email / collaboration
CVE-2026-27857 · Same product class: email / collaboration

Affected Assets

Synacor Zimbra Collaboration Suite: 10.0.0 — 10.0.18 · 10.1.0 — 10.1.13

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SC-23 Session Authenticity · prevent

Directly requires mechanisms to protect session authenticity, such as CSRF tokens, addressing the lack of CSRF enforcement on authentication tokens issued during account state transitions like enabling or disabling 2FA.

SI-10 Information Input Validation · prevent

Mandates validation of inputs to authenticated SOAP requests, ensuring CSRF tokens are checked to block forged cross-site requests that trigger sensitive account actions.

prevent

Requires re-authentication for privileged operations like password changes or 2FA modifications, adding a barrier against CSRF exploitation since attackers cannot supply victim credentials.
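The failure mode described in the deeper analysis (an auth token issued after a state transition that carries no CSRF binding, so requests under it skip validation) and the three controls above can be shown side by side in a small model. The following is an added example, not Zimbra code: the request shape (`cookie_auth_token`, `csrf_header`, `action`), the session store, the action names and all function names are constructed for illustration. The vulnerable path rotates the auth token without a CSRF binding and skips the check whenever the binding is absent; the fixed path binds a CSRF token to every issued auth token, always enforces it (SC-23, SI-10), and additionally gates privileged actions behind a fresh re-authentication.

```python
"""Model of CSRF enforcement across auth-token rotation (constructed example, not ZCS code)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Actions that change authentication state; names are constructed for this example.
PRIVILEGED_ACTIONS = {"enable_2fa", "disable_2fa", "change_password"}


@dataclass
class Session:
    user: str
    auth_token: str
    csrf_token: Optional[str]          # None models an auth token issued without CSRF binding
    twofactor_enabled: bool = False
    recently_reauthenticated: bool = False


class SessionStore:
    """In-memory session table keyed by auth token (stand-in for a server-side store)."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def login(self, user: str) -> Session:
        s = Session(user, secrets.token_urlsafe(32), secrets.token_urlsafe(32))
        self._sessions[s.auth_token] = s
        return s

    def lookup(self, auth_token: str) -> Optional[Session]:
        return self._sessions.get(auth_token)

    def replace(self, old: Session, new: Session) -> None:
        self._sessions.pop(old.auth_token, None)
        self._sessions[new.auth_token] = new


def rotate_vulnerable(store: SessionStore, s: Session) -> Session:
    """Token rotation after a state transition that forgets to bind a CSRF token."""
    new = Session(s.user, secrets.token_urlsafe(32), None,
                  s.twofactor_enabled, s.recently_reauthenticated)
    store.replace(s, new)
    return new


def rotate_fixed(store: SessionStore, s: Session) -> Session:
    """Every issued auth token gets a fresh CSRF token; re-auth freshness does not carry over."""
    new = Session(s.user, secrets.token_urlsafe(32), secrets.token_urlsafe(32),
                  s.twofactor_enabled, False)
    store.replace(s, new)
    return new


def apply_action(s: Session, action: str) -> str:
    if action == "enable_2fa":
        s.twofactor_enabled = True
        return "200 2fa enabled"
    if action == "disable_2fa":
        s.twofactor_enabled = False
        return "200 2fa disabled"
    if action == "read_folder":
        return "200 folder"
    return "400 unknown action"


def handle_vulnerable(store: SessionStore, request: dict) -> str:
    s = store.lookup(request["cookie_auth_token"])
    if s is None:
        return "401 no session"
    # Defect being modelled: a session whose token has no CSRF binding is never checked.
    if s.csrf_token is not None:
        supplied = request.get("csrf_header")
        if supplied is None or not hmac.compare_digest(supplied, s.csrf_token):
            return "403 csrf"
    return apply_action(s, request["action"])


def handle_fixed(store: SessionStore, request: dict) -> str:
    s = store.lookup(request["cookie_auth_token"])
    if s is None:
        return "401 no session"
    supplied = request.get("csrf_header")
    # SC-23 / SI-10: a missing binding or a missing/mismatched header is always a rejection.
    if s.csrf_token is None or supplied is None or not hmac.compare_digest(supplied, s.csrf_token):
        return "403 csrf"
    # Third control above: privileged operations need a fresh re-authentication.
    if request["action"] in PRIVILEGED_ACTIONS and not s.recently_reauthenticated:
        return "403 reauth required"
    return apply_action(s, request["action"])


def forged_request(auth_token: str, action: str) -> dict:
    """Cross-site request: the browser attaches the cookie, but the attacker's page cannot read the CSRF token."""
    return {"cookie_auth_token": auth_token, "action": action}


def scenario(rotate, handle):
    """Legitimate enable-2FA, token rotation, then a forged disable-2FA request under the new token."""
    store = SessionStore()
    s = store.login("victim")
    s.recently_reauthenticated = True
    legit = {"cookie_auth_token": s.auth_token, "csrf_header": s.csrf_token, "action": "enable_2fa"}
    if not handle(store, legit).startswith("200"):
        raise RuntimeError("legitimate request should succeed")
    s = rotate(store, s)
    result = handle(store, forged_request(s.auth_token, "disable_2fa"))
    return result, s.twofactor_enabled


if __name__ == "__main__":
    print("vulnerable:", scenario(rotate_vulnerable, handle_vulnerable))  # forged request succeeds
    print("fixed:     ", scenario(rotate_fixed, handle_fixed))            # forged request rejected
```

The important design point is that the fixed handler treats "no CSRF binding on this session" as a hard failure rather than as a reason to skip the check, so a token-issuance path that forgets the binding fails closed instead of silently opening the account to forged requests.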

References