Which SIEM platforms have a CVE-2025-48700 detection rule?

df00tech provides CVE-2025-48700 (Zimbra Collaboration Suite XSS Exploitation (CVE-2025-48700)) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Zimbra Collaboration Suite XSS Exploitation (CVE-2025-48700) (CVE-2025-48700)?

Detecting Zimbra Collaboration Suite XSS Exploitation (CVE-2025-48700) requires the following data sources: W3CIISLog, CommonSecurityLog, AzureDiagnostics.

What severity and confidence is the CVE-2025-48700 detection?

The CVE-2025-48700 detection is rated high severity with medium confidence.

What are common false positives for CVE-2025-48700?

Common false positives for CVE-2025-48700 include: Security scanner or WAF testing tools that probe for XSS vulnerabilities during authorized penetration tests; Legitimate email content containing HTML that resembles XSS patterns when logged by the web server; Automated vulnerability assessment tools running against Zimbra infrastructure.

CVE-2025-48700 Detection: Zimbra Collaboration Suite XSS Exploitation (CVE-2025-48700) (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let ZimbraHosts = dynamic(["zimbra", "webmail", "mail"]);
let XSSPatterns = dynamic(["<script", "javascript:", "onerror=", "onload=", "eval(", "document.cookie", "document.location", "window.location", "String.fromCharCode", "atob(", "btoa("]);
let ZimbraXSSPaths = dynamic(["/zimbra/", "/service/soap", "/h/", "/m/", "/B6/"]);
union
  (
    W3CIISLog
    | where csUriStem has_any (ZimbraXSSPaths)
    | where csUriQuery has_any (XSSPatterns) or csReferer has_any (XSSPatterns)
    | project TimeGenerated, Computer, csUriStem, csUriQuery, csReferer, csUsername, cIP = c_ip, scStatus = sc_status, csUserAgent = cs_User_Agent
  ),
  (
    CommonSecurityLog
    | where DeviceProduct has_any ("Zimbra", "ZCS")
    | where RequestURL has_any (XSSPatterns) or Message has_any (XSSPatterns)
    | project TimeGenerated, Computer = DeviceName, csUriStem = RequestURL, csUriQuery = RequestURL, csReferer = "", csUsername = DestinationUserName, cIP = SourceIP, scStatus = tostring(EventOutcome), csUserAgent = RequestClientApplication
  )
| where scStatus in ("200", "302", "301") or isempty(scStatus)
| summarize
    RequestCount = count(),
    UniqueXSSPayloads = dcount(csUriQuery),
    SamplePayloads = make_set(csUriQuery, 5),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by cIP, csUsername, Computer, bin(TimeGenerated, 5m)
| where RequestCount >= 1
| extend Severity = "High", CVE = "CVE-2025-48700"

Detects XSS payload patterns in Zimbra web server access logs and common security log sources. Looks for script injection markers in URI parameters and referrer headers targeting Zimbra-specific URL paths.

high severity medium confidence

Data Sources

W3CIISLog CommonSecurityLog AzureDiagnostics

Required Tables

W3CIISLog CommonSecurityLog

False Positives

Security scanner or WAF testing tools that probe for XSS vulnerabilities during authorized penetration tests
Legitimate email content containing HTML that resembles XSS patterns when logged by the web server
Automated vulnerability assessment tools running against Zimbra infrastructure
Browser auto-fill or bookmark data containing special characters that match XSS heuristics

Splunk

spl

index=web OR index=proxy OR index=zimbra sourcetype IN ("access_combined", "iis", "zimbra:access", "pan:traffic")
(uri_path IN ("/zimbra/*", "/service/soap*", "/h/*", "/m/*")
 OR dest_host IN ("zimbra", "webmail", "mail"))
(
  uri_query IN ("*<script*", "*javascript:*", "*onerror=*", "*onload=*", "*eval(*", "*document.cookie*", "*document.location*", "*String.fromCharCode*", "*atob(*")
  OR http_referrer IN ("*<script*", "*javascript:*", "*onerror=*", "*onload=*")
  OR uri IN ("*%3Cscript*", "*%6A%61%76%61%73%63%72%69%70%74*", "*&#x3C;script*")
)
status IN (200, 301, 302, 400)
| eval xss_indicator=case(
    match(uri_query, "(?i)<script"), "raw_script_tag",
    match(uri_query, "(?i)javascript:"), "javascript_proto",
    match(uri_query, "(?i)onerror|onload|onmouseover"), "event_handler",
    match(uri_query, "(?i)document\.cookie"), "cookie_theft",
    match(uri_query, "(?i)eval\\("), "eval_function",
    1=1, "url_encoded_xss"
  )
| stats
    count AS request_count,
    dc(uri_query) AS unique_payloads,
    values(xss_indicator) AS indicators,
    values(uri_query) AS sample_payloads,
    min(_time) AS first_seen,
    max(_time) AS last_seen
    BY src_ip, http_user_name, dest_host, span(_time, 5m)
| where request_count >= 1
| eval cve="CVE-2025-48700", severity="high"

Detects XSS exploitation attempts against Zimbra web endpoints by searching for common XSS payload patterns including script tags, javascript: protocol handlers, event handlers, and URL-encoded variants in access logs.

high severity medium confidence

Data Sources

Web proxy logs Zimbra access logs IIS logs Palo Alto traffic logs

Required Sourcetypes

access_combined iis zimbra:access

False Positives

Authorized penetration testing or vulnerability scanning against Zimbra infrastructure
Email content with HTML entities that get logged in web access logs
Third-party integrations that pass encoded data through Zimbra URL parameters
Security monitoring tools that replay captured XSS payloads for testing

Elastic Security (EQL)

eql

sequence by source.ip with maxspan=10m
  [network where
    url.path : ("/zimbra/*", "/service/soap*", "/h/*", "/m/*") and
    (
      url.query : ("*<script*", "*javascript:*", "*onerror=*", "*onload=*", "*eval(*", "*document.cookie*") or
      url.query : ("*%3Cscript*", "*%6A%61%76%61%73%63%72%69%70%74*") or
      http.request.referrer : ("*<script*", "*javascript:*", "*onerror=*")
    ) and
    http.response.status_code in (200, 301, 302)
  ]
  [network where
    url.path : ("/zimbra/*", "/service/*") and
    http.response.status_code == 200
  ]

EQL sequence detection that identifies an XSS payload injection followed by a successful Zimbra request from the same source IP within 10 minutes, suggesting active exploitation with session manipulation.

high severity medium confidence

Data Sources

Elastic SIEM Filebeat web logs Packetbeat

Required Tables

logs-* filebeat-* packetbeat-*

False Positives

Security researchers or automated scanners probing Zimbra endpoints during authorized tests
Encoded email attachments with HTML content that match XSS patterns in network captures
Load balancer health checks that include special characters in request paths
Browser extensions that modify requests and include script-like content in headers

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  URL,
  referrerURL,
  responseCode,
  QIDNAME(qid) AS event_name,
  logsourcename(logsourceid) AS log_source
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Apache HTTP Server', 'Microsoft IIS', 'Nginx', 'Zimbra')
  AND (
    URL IMATCHES '.*(/zimbra/|/service/soap|/h/|/m/).*'
    OR LOGSOURCETYPENAME(devicetype) = 'Zimbra'
  )
  AND (
    URL IMATCHES '.*(<script|javascript:|onerror=|onload=|eval\(|document\.cookie|document\.location|String\.fromCharCode|atob\().*'
    OR URL IMATCHES '.*(\%3Cscript|\%6A\%61\%76\%61|&#x3C;).*'
    OR referrerURL IMATCHES '.*(<script|javascript:|onerror=|onload=).*'
  )
  AND responseCode IN (200, 301, 302, 400)
  AND LOGSOURCESTARTTIME(logsourceid) > NOW() - 3600000
ORDER BY devicetime DESC
LIMIT 1000

QRadar AQL query that identifies XSS payload patterns in HTTP request URLs and referrer headers targeting Zimbra web paths, covering both raw and URL-encoded XSS variants.

high severity medium confidence

Data Sources

QRadar SIEM Web server log sources Proxy log sources

Required Tables

events

False Positives

Automated vulnerability scanners running authorized assessments against Zimbra
Email campaign tracking URLs that contain encoded characters resembling XSS
Custom Zimbra zimlets or integrations that pass HTML content through URL parameters
Web application firewall logs that capture blocked XSS attempts from external sources

Sumo Logic CSE

sql

_sourceCategory=web/access OR _sourceCategory=zimbra/access
| where (%"cs-uri-stem" matches "/zimbra/*" or %"cs-uri-stem" matches "/service/soap*" or %"cs-uri-stem" matches "/h/*" or %"cs-uri-stem" matches "/m/*" or _sourceCategory matches "*zimbra*")
| where (
    (%"cs-uri-query" matches "*<script*" or %"cs-uri-query" matches "*javascript:*" or %"cs-uri-query" matches "*onerror=*" or %"cs-uri-query" matches "*onload=*" or %"cs-uri-query" matches "*eval(*" or %"cs-uri-query" matches "*document.cookie*")
    or (%"cs-uri-query" matches "*%3Cscript*" or %"cs-uri-query" matches "*%6A%61%76%61%73%63%72%69%70%74*")
    or (%"cs-referer" matches "*<script*" or %"cs-referer" matches "*javascript:*" or %"cs-referer" matches "*onerror=*")
  )
| where %"sc-status" in ("200", "301", "302", "400")
| parse field=%"cs-uri-query" "*" as payload
| timeslice 5m
| stats
    count as request_count,
    dcount(%"cs-uri-query") as unique_payloads,
    values(%"cs-uri-query") as sample_payloads,
    values(%"c-ip") as source_ips
    by _timeslice, %"c-ip", %"cs-username", %"cs-host"
| where request_count >= 1
| fields - _timeslice
| sort by request_count desc

Sumo Logic query to detect XSS injection attempts against Zimbra web interfaces by analyzing access log fields for known XSS payload patterns in query strings and referrer headers.

high severity medium confidence

Data Sources

Sumo Logic web access logs Zimbra access logs IIS/Apache logs forwarded to Sumo Logic

Required Tables

web/access zimbra/access

False Positives

Penetration testing tools performing automated XSS scans against Zimbra
Legitimate HTML email content that gets URL-encoded and logged in access logs
Third-party OAuth or SSO integrations that pass token data through Zimbra parameters
Security awareness training platforms that demonstrate XSS via Zimbra test instances

Google Chronicle / SecOps

yaral

rule zimbra_xss_cve_2025_48700 {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects XSS exploitation attempts against Zimbra Collaboration Suite (CVE-2025-48700)"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-48700"
    cve = "CVE-2025-48700"
    yara_version = "YL2.0"
    rule_version = "1.0"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    (
      re.regex($e.network.http.request_url, `(?i)(/zimbra/|/service/soap|/h/|/m/)`)
      or re.regex($e.target.hostname, `(?i)(zimbra|webmail)`)
    )
    (
      re.regex($e.network.http.request_url, `(?i)(<script|javascript:|onerror=|onload=|eval\(|document\.cookie|document\.location|String\.fromCharCode|atob\()`)
      or re.regex($e.network.http.request_url, `(%3Cscript|%6A%61%76%61%73%63%72%69%70%74|&#[xX]3[cC])`)
      or re.regex($e.network.http.referral_url, `(?i)(<script|javascript:|onerror=|onload=)`)
    )
    $e.network.http.response_code in (200, 301, 302, 400)

  match:
    $e.principal.ip over 10m

  outcome:
    $risk_score = max(
      if($e.network.http.response_code = 200, 80, 50)
    )
    $xss_payloads = array_distinct($e.network.http.request_url)
    $target_hosts = array_distinct($e.target.hostname)
    $source_ips = array_distinct($e.principal.ip)

  condition:
    #e >= 1
}

Chronicle YARA-L 2.0 rule that detects XSS payload patterns in HTTP requests targeting Zimbra URL paths, matching both raw and URL-encoded XSS variants in request URLs and referrer headers.

high severity medium confidence

Data Sources

Chronicle SIEM Web proxy UDM events Network HTTP events

Required Tables

NETWORK_HTTP

False Positives

Authorized red team exercises targeting Zimbra infrastructure that generate XSS payloads
Email security gateway scanning that generates test XSS payloads in log entries
Legitimate Zimbra admin operations involving HTML content in URL parameters
Third-party integrations using Zimbra APIs that pass encoded data resembling XSS patterns

CrowdStrike LogScale (CQL)

cql

#event_simpleName=NetworkConnectIP4 OR #event_simpleName=NetworkReceiveAcceptIP4
| CommandLine = /zimbra|webmail/
| event_platform = "Lin"
| RemoteAddressIP4 != "127.0.0.1"
| RemoteAddressIP4 != "::1"

// Also check for suspicious process execution on Zimbra host following web request
| join (
    #event_simpleName IN (ProcessRollup2, SyntheticProcessRollup2)
    | ImageFileName IN ("/opt/zimbra/*", "/usr/lib/zimbra/*")
    | CommandLine = /<script|javascript:|eval\(|document\.cookie|onerror=|onload=/
    BY aid, TargetProcessId
  )
  BY aid

| groupby([aid, RemoteAddressIP4, UserName, CommandLine, ImageFileName],
    function=[
      count(as=event_count),
      min(timestamp, as=first_seen),
      max(timestamp, as=last_seen),
      collect(CommandLine, limit=5, as=sample_commands)
    ]
  )
| where event_count >= 1
| eval cve="CVE-2025-48700", severity="high"
| sort(first_seen, order=desc)

CrowdStrike Falcon LogScale CQL query to detect XSS-related activity on Zimbra server hosts by correlating network connection events with suspicious process execution containing XSS payload patterns.

high severity low confidence

Data Sources

CrowdStrike Falcon EDR Network connection events Process execution events

Required Tables

NetworkConnectIP4 ProcessRollup2 SyntheticProcessRollup2

False Positives

Automated security scanning tools running on or against Zimbra server infrastructure
Zimbra administrative scripts that process HTML content containing script-like patterns
Log analysis tools that parse Zimbra logs containing XSS payload entries from blocked attempts
Development or staging Zimbra instances used for security testing with XSS payloads

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2025-48700 Zimbra Collaboration Suite XSS Exploitation (CVE-2025-48700)?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2025-48700

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox