CVE-2025-66376
published 2026-01-05
CVE-2025-66376: Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an…
Priority P2 · 79 · medium · 6.1 · CVSS 3.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
KEV · ITW
CISA Known Exploited Vulnerability · due 2026-04-01
Exploited in the wild
EPSS: 12.01% (95.6th percentile)
Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synacor | zimbra_collaboration_suite | >= 10.0.0 < 10.0.18 | 10.0.18 |
| synacor | zimbra_collaboration_suite | >= 10.1.0 < 10.1.13 | 10.1.13 |
| zimbra | collaboration | >= 10.0 < 10.0.18 | 10.0.18 |
| zimbra | collaboration | >= 10.1 < 10.1.13 | 10.1.13 |
Detection & IOCs (extracted from sources)
- The exploit is delivered entirely within the HTML body of a single email — no attachments, no links, no macros. Detect malicious HTML emails containing CSS @import directives targeting Zimbra Classic UI users.
- The payload is an obfuscated JavaScript delivered via CSS @import directives in HTML email, executing silently in the browser when the email is opened in a vulnerable Zimbra Classic UI webmail session.
- Post-exploitation activity includes credential harvesting, session token theft, backup 2FA code exfiltration, browser-saved password theft, and mailbox content exfiltration going back 90 days. Monitor for anomalous DNS and HTTPS exfiltration from Zimbra servers.
- The attack vector is a stored XSS via CSS @import directives in HTML email rendered by the Zimbra Classic UI. Inspect inbound emails for CSS @import usage in HTML bodies as a detection signal.
- Campaign is tracked as 'Operation GhostMail' by Seqrite Labs; use this name to pivot on threat intelligence and correlate related APT28 activity targeting Ukrainian government entities.
- Vulnerability affects Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 only. Versions 10.0.18+ and 10.1.13+ are patched.
- The XSS is specific to the Classic UI of Zimbra webmail; users or deployments not using the Classic UI may not be directly exploitable via this vector.
- Exploitation requires the victim to open the malicious email in a vulnerable Zimbra webmail session; the attack is triggered client-side in the browser.
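One way to implement the "inspect inbound emails for CSS @import usage" signal above, as an added example that is not taken from the page's sources or from Zimbra. The function names, the sample message and the `example.invalid` address are constructed for illustration, and a hit is a triage signal rather than proof of exploitation.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?|\\([^\r\n\f0-9a-fA-F])")
# Constructed sample message (not from any real campaign); example.invalid is a placeholder.
SAMPLE = r"""From: sender@example.invalid
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><head><style>
@\69mport url("https://example.invalid/a.css");
</style></head><body><p style=3D"color:red">hi</p></body></html>
"""

def normalize_css(css):
    """Drop comments and decode CSS escapes so '@\\69mport' compares equal to '@import'."""
    def unescape(m):
        cp = int(m.group(1), 16) if m.group(1) else ord(m.group(2))
        return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
    return CSS_ESCAPE.sub(unescape, CSS_COMMENT.sub("", css)).lower()

class StyleCollector(HTMLParser):  # gathers <style> text and style="" attribute values
    def __init__(self):
        super().__init__()
        self.in_style, self.css = False, []
    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"
        self.css += [v for k, v in attrs if k == "style" and v]
    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"
    def handle_data(self, data):
        if self.in_style:
            self.css.append(data)

def find_css_imports(raw_message):
    """Return the normalized @import rules found in every text/html part."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = StyleCollector()
            collector.feed(part.get_content())  # decodes base64 / quoted-printable
            collector.close()
            for css in collector.css:
                hits += re.findall(r"@import\b[^;]{0,80}", normalize_css(css))
    return hits
```

Because the body is decoded per MIME part before the CSS is normalized, this catches rules that a plain-text search over the raw message would miss when the part is base64 or quoted-printable encoded.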
CVSS provenance
nvd · v3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck · 7.2 HIGH
cisa · 6.1 MEDIUM
CISA
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability
cisa·2026-03-18·CVSS 6.1
CVE-2025-66376 [MEDIUM] CWE-79 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability
Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets (CSS) @import directives in email HTML.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories ; https://nvd.nist.gov/vuln/detail/CVE-2025-66376
Remediation Due Date: 2026-04-01
GHSA
GHSA-h7wg-85fj-3c6g: Zimbra Collaboration (ZCS) 10 before 10
ghsa_unreviewed·2026-01-05
CVE-2025-66376 [HIGH] CWE-79 GHSA-h7wg-85fj-3c6g: Zimbra Collaboration (ZCS) 10 before 10
Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
VulnCheck
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability
vulncheck·2025·CVSS 7.2
CVE-2025-66376 [HIGH] CWE-79 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability
Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets (CSS) @import directives in email HTML.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.seqrite.com/blog/operation-ghostmail-zimbra-xss-russian-apt-ukraine/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2026-04-01
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks
blogs_bleepingcomputer·2026-04-24·CVSS 6.1
CVE-2025-48700 [MEDIUM] Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks
## Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks
## Sergiu Gatlan
Over 10,000 Zimbra Collaboration Suite (ZCS) instances exposed online are vulnerable to ongoing attacks exploiting a cross-site scripting (XSS) security flaw, according to nonprofit security organization Shadowserver.
Zimbra is a popular email and collaboration software suite used by hundreds of millions of people worldwide, including hundreds of government agencies and thousands of businesses.
The vulnerability (tracked as CVE-2025-48700) affects ZCS 8.8.15, 9.0, 10.0, and 10.1 and can allow unauthenticated attackers to access sensitive information after executing arbitrary JavaScript within the user's session.
Synacor released security patches to address the flaw in June 2025, when it warned that CVE
Hackernews
CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines
blogs_hackernews·2026-04-21·CVSS 7.5
CVE-2023-27351 [HIGH] CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines
## CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including three flaws impacting Cisco Catalyst SD-WAN Manager, citing evidence of active exploitation.
The list of vulnerabilities is as follows -
CVE-2023-27351 (CVSS score: 8.2) - An improper authentication vulnerability in PaperCut NG/MF that could allow an attacker to bypass authentication on affected installations via the SecurityRequestFilter class.
CVE-2024-27199 (CVSS score: 7.3) -
Checkpoint
23rd March – Threat Intelligence Report
blogs_checkpoint·2026-03-23
CVE-2026-33017 23rd March – Threat Intelligence Report
## 23rd March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 23rd March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Navia Benefit Solutions, a United States-based employee benefits administrator, has disclosed a breach affecting more than 2.6 million individuals after unauthorized access and potential data exfiltration occurred between December 22, 2025 and January 15, 2026. Exposed information may include personal, health, and benefits dat
Bleepingcomputer
Russian hackers exploit Zimbra flaw in Ukrainian govt attacks
blogs_bleepingcomputer·2026-03-19·CVSS 7.2
CVE-2025-66376 [HIGH] Russian hackers exploit Zimbra flaw in Ukrainian govt attacks
## Russian hackers exploit Zimbra flaw in Ukrainian govt attacks
## Sergiu Gatlan
Hackers part of APT28, a state-backed threat group linked to Russia's military intelligence service (GRU), are exploiting a Zimbra Collaboration Suite (ZCS) vulnerability in attacks targeting Ukrainian government entities.
This high-severity security flaw (tracked as CVE-2025-66376 and patched in early November) stems from a stored cross-site scripting (XSS) that unauthenticated attackers can exploit to gain remote code execution (RCE) and compromise the Zimbra server and the target's email account.
On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its catalog of vulnerabilities exploited in the wild. CISA also ordered Federal Civilian Executive Branch (
Bleepingcomputer
CISA orders feds to patch Zimbra XSS flaw exploited in attacks
blogs_bleepingcomputer·2026-03-18·CVSS 7.2
CVE-2025-66376 [HIGH] CISA orders feds to patch Zimbra XSS flaw exploited in attacks
## CISA orders feds to patch Zimbra XSS flaw exploited in attacks
## Sergiu Gatlan
CISA has ordered U.S. government agencies to secure their servers against an actively exploited vulnerability in the Zimbra Collaboration Suite (ZCS).
Zimbra is a very popular email and collaboration software suite used by hundreds of millions of people worldwide, including thousands of businesses and hundreds of government agencies.
Tracked as CVE-2025-66376 and patched in early November, this high-severity security flaw stems from a stored cross-site scripting (XSS) weakness in the Classic UI that remote unauthenticated attackers could exploit by abusing Cascading Style Sheets (CSS) @import directives in email HTML.
While Synacor (the company behind Zimbra) didn't share any details on the impact of a
Wiz
CVE-2025-67809 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-67809 [MEDIUM] CVE-2025-67809 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67809 :
Zimbra Collaboration Server vulnerability analysis and mitigation
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration. Because these credentials are embedded directly in the Zimlet, any unauthorized party could retrieve them and misuse the Flickr integration. An attacker with access to the exposed credentials could impersonate the legitimate application and initiate valid Flickr OAuth flows. If a user is tricked into approving such a request, the attacker could gain access to the user's Flickr data. The hardcoded credentials have since been removed from the Zimlet code, and the associated key has been revoked.
Source : NVD
## 4.7
Wiz
CVE-2025-68645 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-68645 [MEDIUM] CVE-2025-68645 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68645 :
Zimbra Collaboration Server vulnerability analysis and mitigation
A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.
Source : NVD
## 8.8
Score
Published December 22, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
Zimbra Collaboration Server
Has Public Exploit Yes
Has CISA KEV Exploit Yes
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 97.7
Exploitation Probabil
Wiz
CVE-2025-66376 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-66376 [MEDIUM] CVE-2025-66376 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66376 :
Zimbra Collaboration Server vulnerability analysis and mitigation
Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
Source : NVD
## 6.1
Score
Published January 5, 2026
Severity MEDIUM
CNA Score 7.2
Affected Technologies
Zimbra Collaboration Server
Has Public Exploit Yes
Has CISA KEV Exploit Yes
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 93
Exploitation Probability (EPSS) 10
Affected packages and libraries
cpe:2.3:a:zimbra:collaboration
Sources
NVD
Linux Severity MEDIUM Has Fix Added at: Jan 06, 2026
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes
- https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes
- https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-66376
Published: 2026-01-05
Added to CISA KEV: 2026-03-18
Exploited in the wild