🟡 CVE-2025-66376

CVE-2025-66376 is a stored XSS vulnerability in Zimbra Collaboration's Classic UI that allows remote attackers to execute malicious scripts via CSS @import directives in HTML emails. This vulnerability affects internet-facing email servers and has been actively exploited by Russian APT groups.

Risk Level: MEDIUM_RISK

CVSS Score: 7.2

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-01-05

Added to CISA KEV: 2026-03-18 (72 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-03-18)

CVE-2025-66376 is a stored cross-site scripting (XSS) vulnerability affecting Zimbra Collaboration Suite (ZCS) Classic UI [1][2]. The vulnerability arises from the use of CSS `@import` directives within HTML email messages [1][2].

Regarding exploitation:

  • Internet-facing applications/services: The vulnerability is present in Zimbra Collaboration Suite, which is often used for email services and may be internet-facing [1][2].
  • Evidence of active exploitation: There is evidence suggesting active exploitation in the wild [6]. Specifically, a Russian APT campaign, dubbed "Operation GhostMail," has been observed exploiting CVE-2025-66376 to target a Ukrainian government agency through phishing emails and browser-based data exfiltration [3].
  • Attack vectors and exploitation methods: The attack vector involves sending specially crafted HTML emails containing CSS `@import` directives. When a user views such an email in the Classic UI, the malicious script can be executed [1][2]. The exploitability is described as easy, and the attack can be launched remotely [5].
  • Targeted attacks: Yes, CVE-2025-66376 has been used in targeted attacks, as demonstrated by the "Operation GhostMail" campaign against a Ukrainian government agency [3].
  • CISA Known Exploited Vulnerabilities (KEV) status: As of the latest available information, CVE-2025-66376 is not listed on the CISA Known Exploited Vulnerabilities (KEV) Catalog [4][9].
  • Technical details about internet exploitability: The vulnerability lies in the handling of CSS `@import` directives within HTML emails in the Classic UI of Zimbra Collaboration Suite [1][2]. This allows for stored XSS, meaning malicious scripts are stored on the server and executed when a user accesses the affected content [2]. The attack complexity is low, and it requires no privileges to exploit, making it accessible to remote attackers [5][8].

Affected versions include Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 [1]. Red Hat has stated that this vulnerability does not affect any currently supported Red Hat products [7].

Sources

  1. CVE-2025-66376 Detail - NVD

    This CVE record has been marked for NVD enrichment efforts. Description. Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message. CVE Dictionary Entry: CVE-2025-66376 NVD Published…

  2. CVE-2025-66376: Zimbra Collaboration XSS Vulnerability - SentinelOne

    CVE-2025-66376 is a stored cross-site scripting flaw in Zimbra Collaboration Suite that exploits CSS @import directives in HTML emails. This article covers technical details, affected versions, impact, and mitigation.

  3. Operation GhostMail: Russian APT exploits Zimbra Webmail to Target ...

    Operation GhostMail uncovers a Russian APT campaign exploiting a Zimbra XSS vulnerability (CVE-2025-66376) to target a Ukrainian government agency via phishing emails and browser-based data exfiltration.

  4. Known Exploited Vulnerabilities Catalog - CISA

    For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catal…

  5. CVE-2025-66376 Zimbra Collaboration Suite Classic UI cross site...

    This vulnerability is reported as CVE-2025-66376. The attack can be launched remotely. No exploit exists. The affected component should be upgraded. VulDB is the best source for vulnerability data and more expert information about this specific topic. This vulnerability is traded as CVE-2025-66376 si…