A cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite (ZCS) is being actively exploited by a Russian advanced persistent threat (APT) group targeting Ukraine. The flaw, identified as CVE-2025-66376, affects ZCS versions 10 before 10.0.18 and 10.1 before 10.1.13. It allows attackers to execute stored XSS attacks via CSS @import directives embedded in HTML email messages.
The vulnerability, which has a CVSS score of 6.1, was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on March 18, 2026, indicating its active exploitation in the wild. The exploitation of this vulnerability was observed within 72 days of its disclosure, highlighting the rapid pace at which threat actors are leveraging newly discovered flaws.
The attack vector involves crafting malicious emails that, when viewed in the Classic UI of Zimbra, can execute arbitrary scripts in the context of the user's session. This can lead to unauthorized actions such as data theft or further compromise of the affected systems.
Zimbra has released patches to address this vulnerability, urging users to update to versions 10.0.18 or 10.1.13 and later. Organizations using Zimbra Collaboration should prioritize these updates to mitigate the risk of exploitation. Additionally, security teams should monitor for any signs of compromise and review email filtering rules to block potentially malicious content.
Given the geopolitical implications and the involvement of a state-sponsored actor, organizations in Ukraine and those with ties to the region should remain vigilant and enhance their security postures accordingly.
CSURFACE