A Russian government-backed hacker group has been exploiting a severe cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite, targeting Ukraine, according to cybersecurity experts.
Zimbra Vulnerability Details
The vulnerability, identified as CVE-2025-66376 with a CVSS score of 7.2, was patched in November 2025 in Zimbra versions 10.1.13 and 10.0.18. This stored XSS issue allows attackers to use Cascading Style Sheets (CSS) @import directives in HTML emails, a risk highlighted in Zimbra’s advisory.
The lack of adequate sanitization for CSS content within HTML emails enables attackers to link to external resources or inject scripts executed when messages are opened in a browser. Successful exploitation could lead to remote code execution (RCE), compromising users’ email accounts and the Zimbra environment.
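As an added illustration of the mechanism described above (example code, not Zimbra's own sanitizer or anything from the advisory), the following defender-side check is what a mail gateway or mailbox audit could run over inbound HTML bodies: it collects every piece of CSS the body carries, both <style> blocks and style attributes, and reports the external targets of any @import rule, or strips those rules. The sample email body, the example.invalid URLs and the function names are constructed for this example. It also normalizes CSS comments and hex escapes before matching, because a literal search for the string "@import" misses rules written as @/**/import or @\69 mport, which a browser still honours.

```python
import re
from html.parser import HTMLParser

# An @import rule's target, in the three spellings CSS allows:
#   @import url("x")   @import url(x)   @import "x"
_IMPORT_RE = re.compile(
    r'@import\s+(?:url\(\s*["\']?([^"\')\s]+)["\']?\s*\)|["\']([^"\']+)["\'])',
    re.IGNORECASE,
)
_CSS_COMMENT_RE = re.compile(r'/\*.*?\*/', re.DOTALL)
# Hex escape (backslash + 1-6 hex digits + optional whitespace) or a plain escaped char.
_CSS_ESCAPE_RE = re.compile(r'\\([0-9a-fA-F]{1,6})\s?|\\(.)', re.DOTALL)


def normalize_css(css: str) -> str:
    """Undo CSS comments and character escapes so that '@import' reads literally."""
    css = _CSS_COMMENT_RE.sub('', css)

    def _unescape(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return m.group(2)

    return _CSS_ESCAPE_RE.sub(_unescape, css)


class _CssCollector(HTMLParser):
    """Collect all CSS an HTML email body carries: <style> contents and style= attributes."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == 'style':
            self._in_style = True
        for name, value in attrs:
            if name == 'style' and value:
                self.chunks.append(value)

    def handle_endtag(self, tag):
        if tag == 'style':
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.chunks.append(data)


def find_css_imports(html: str) -> list:
    """Return the target of every @import rule found in the body's CSS (empty list = clean)."""
    parser = _CssCollector()
    parser.feed(html)
    parser.close()
    targets = []
    for chunk in parser.chunks:
        for m in _IMPORT_RE.finditer(normalize_css(chunk)):
            targets.append(m.group(1) or m.group(2))
    return targets


def strip_css_imports(css: str) -> str:
    """Remove @import rules from one CSS chunk (a <style> block or a style attribute value)."""
    css = normalize_css(css)
    return re.sub(r'@import\b[^;]*;?', '', css, flags=re.IGNORECASE)


# Constructed sample: a benign-looking message whose CSS pulls in four external sheets,
# two of them disguised with a comment and a hex escape (example.invalid is a reserved TLD).
SAMPLE_EMAIL_HTML = """<html><head>
<style>
  body { font-family: sans-serif; }
  @import url("https://example.invalid/theme.css");
  @/**/import "https://example.invalid/obfuscated.css";
  @\\69 mport url(https://example.invalid/escaped.css);
</style></head>
<body style="color:#333; @import url('https://example.invalid/inline.css')">
<p>Quarterly survey schedule attached.</p>
</body></html>"""

if __name__ == '__main__':
    for target in find_css_imports(SAMPLE_EMAIL_HTML):
        print('external CSS import in email body:', target)
```

A non-empty result is a reason to quarantine or rewrite the message before it reaches the webmail client; the check is deliberately over-inclusive (it also flags an @import inside a style attribute, whether or not a renderer would apply it there), since a legitimate email rarely needs to load stylesheets from a remote host.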
Impact and Exploitation by Threat Actors
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has listed CVE-2025-66376 in its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch the flaw within two weeks as per Binding Operational Directive (BOD) 22-01. Although CISA has not disclosed specific attack details, Seqrite Labs reports that Russian state-sponsored hackers have been using the vulnerability in attacks against Ukraine.
These attacks involve JavaScript embedded in email bodies that activates when the message is opened, stealing data from victims’ email accounts. Seqrite Labs explains that the script operates quietly, extracting credentials, session tokens, backup 2FA codes, browser-saved passwords, and email content from the last 90 days, and transmits the data over DNS and HTTPS.
Operation GhostMail and Security Recommendations
One significant incident involved a phishing email received by a national infrastructure entity in Ukraine responsible for maritime and hydrographic support. This email, sent from a likely compromised account associated with a student at Ukraine’s National Academy of Internal Affairs, is part of the operation Seqrite Labs has named GhostMail.
Attributed to APT28, also known as Forest Blizzard, Fancy Bear, GruesomeLarch, and Sofacy, this campaign underscores the advanced tactics of Russian cyber operatives. Users are strongly advised to update their Zimbra installations promptly, as vulnerabilities in collaboration software are frequent targets for cyberattacks.
In January, another flaw, a local file inclusion (LFI) issue in Zimbra’s webmail UI, was reported as exploited in targeted campaigns. It is crucial for organizations to remain vigilant and ensure their systems are updated to mitigate such cybersecurity threats.
