Russian APT Exploits Zimbra Vulnerability Against Ukraine
Russian state-sponsored APT28 is actively exploiting CVE-2025-66376, a high-severity stored XSS vulnerability in Zimbra Collaboration, to target Ukrainian critical infrastructure. The flaw allows attackers to inject malicious JavaScript into emails that harvests credentials, session tokens, 2FA codes, and mailbox contents when opened. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, mandating patching within two weeks for federal agencies.
Summary
Russian state-sponsored APT28 is actively exploiting CVE-2025-66376, a high-severity stored XSS vulnerability in Zimbra Collaboration, to target Ukrainian critical infrastructure. The flaw allows attackers to inject malicious JavaScript into emails that harvests credentials, session tokens, 2FA codes, and mailbox contents when opened. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, mandating patching within two weeks for federal agencies.
Full text
A Russian state-sponsored threat actor has exploited a high-severity XSS vulnerability in Zimbra Collaboration in attacks against Ukraine, security researchers warn. The flaw, tracked as CVE-2025-66376 (CVSS score of 7.2) and affecting the collaboration software suite’s Classic UI, was addressed in November 2025, in Zimbra versions 10.1.13 and 10.0.18. The stored XSS bug could allow attackers to abuse Cascading Style Sheets (CSS) @import directives in email HTML, Zimbra notes in its advisory. Insufficient sanitization of CSS content within HTML email messages could allow attackers to reference external resources or to inject inline scripts that would be executed when the recipient opens the message in a browser. The successful exploitation of the bug for remote code execution (RCE) allows threat actors to compromise the recipient’s email account and the Zimbra environment. On Wednesday, the US cybersecurity agency CISA added CVE-2025-66376 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it within two weeks, as mandated by Binding Operational Directive (BOD) 22-01.Advertisement. Scroll to continue reading. While CISA has not shared details on the observed attacks, Seqrite Labs reports that Russian state-sponsored threat actors have been exploiting it in attacks against Ukraine. As part of the observed attacks, JavaScript code embedded in the email body would detonate when the message was opened, to steal information from the victims’ mailboxes. “The script executes silently in the browser and begins harvesting credentials, session tokens, backup 2FA codes, browser-saved passwords, and the contents of the victim’s mailbox going back 90 days with all the data exfiltrated over both DNS and HTTPS,” Seqrite Labs explains. A critical national infrastructure entity responsible for maritime and hydrographic support of shipping received the phishing email on January 22. The email came from a likely compromised account belonging to a student of Ukraine’s National Academy of Internal Affairs (NAVS). Seqrite Labs, which named the campaign Operation GhostMail, believes that APT28, a highly sophisticated Russian APT also tracked as Forest Blizzard, Fancy Bear, GruesomeLarch, and Sofacy, is responsible for the attacks. Users are advised to update their Zimbra deployments as soon as possible, as vulnerabilities in the collaboration software suite are often targeted by threat actors. In January, a local file inclusion (LFI) issue in the appliance’s webmail UI was flagged as exploited in highly targeted, intelligence-driven campaigns. Related: Critical Zimbra Vulnerability Exploited One Day After PoC Release Related: CISA Warns of Attacks Exploiting Recent SharePoint Vulnerability Related: ‘DarkSword’ iOS Exploit Kit Used by State-Sponsored Hackers, Spyware Vendors Related: CISA Flags Year-Old Wing FTP Vulnerability as Exploited Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire ‘DarkSword’ iOS Exploit Kit Used by State-Sponsored Hackers, Spyware VendorsEU Sanctions Chinese, Iranian Firms Supporting Hacking OperationsManifold Raises $8 Million for AI Detection and ResponseApple Debuts Background Security Improvements With Fresh WebKit PatchesTech Giants Invest $12.5 Million in Open Source SecurityRobotic Surgery Giant Intuitive Discloses Cyberattack174 Vulnerabilities Targeted by RondoDox BotnetTracebit Raises $20M for Cloud-Native Deception Technology Latest News Security Firm Aura Discloses Data Breach Impacting 900,000 RecordsHacker Conversations: Ben Harris, From Unintentional Young Hacker to Intentional Adult CEORaven Emerges From Stealth With $20 Million in FundingCISA Warns of Attacks Exploiting Recent SharePoint VulnerabilityCisco Firewall Vulnerability Exploited as Zero-Day in Interlock Ransomware AttacksThe Collapse of Predictive Security in the Age of Machine-Speed AttacksAutonomous Offensive Security Firm XBOW Raises $120M at $1B+ ValuationCloud Security Startup Native Exits Stealth With $42 Million in Funding Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveSecurityBridge has promoted Holger Hügel to Chief Technology Officer.Armis has appointed Simon Mouyal as Chief Marketing Officer.Omada has named Jakob H. Kraglund as Chief Executive Officer.More People On The MoveExpert Insights The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) How to Eliminate the Technical Debt of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Flipboard Reddit Whatsapp Whatsapp Email
Indicators of Compromise
- cve — CVE-2025-66376
- malware — APT28
- malware — Operation GhostMail