APT28 GhostMail abuse of Zimbra Classic UI flaw
Updated 19.03.2026 16:55
Case score 65
Score breakdown
- Total: 65
- Lead score: 62
- Support bonus: +3 / 20
- Scoring support: 1
- Context members: 1
Top contributors
- Vulnerability (base): core Zimbra Classic UI stored-XSS flaw and the main exploitation surface.
- Campaign (support): APT28's GhostMail operation shows direct real-world abuse of the same Zimbra flaw against Ukrainian government entities.
- Advisory/Mitigation (context): CISA guidance confirms the flaw is treated as exploited in the wild and sets a remediation deadline.
Members 3
Latest activity 19.03.2026 16:55
Active exploitation
Patch/mitigation varies by member
CVSS: 10.0 Critical
First seen 18.03.2026 21:57
Last seen 19.03.2026 16:55
Overview
**CVE-2025-66376** in **Zimbra Collaboration Suite (ZCS)** is being used in active attacks that abuse the Classic UI and email-delivered CSS `@import` content to run stored XSS in a victim session. **APT28**'s Operation GhostMail applies that path against Ukrainian government entities and can pull credentials, session tokens, and mailbox data.
**CISA** has already added the flaw to the exploited-in-the-wild catalog and ordered Federal Civilian Executive Branch agencies to secure affected servers by **April 1, 2026**. Synacor patched the issue in early November, but the available evidence does not quantify how broad the exploitation is.
Attackers are exploiting **CVE-2025-66376** in **Zimbra Collaboration Suite (ZCS)**, where a stored XSS flaw in the Classic UI can be triggered through CSS `@import` directives in HTML email.
**APT28**'s Operation GhostMail uses that path against Ukrainian government entities by delivering obfuscated JavaScript in the email body, which runs in a vulnerable webmail session and can steal credentials, session tokens, backup 2FA codes, browser-saved passwords, and recent mailbox data. One named target is the Ukrainian State Hydrology Agency, which shows the activity is focused on specific government and infrastructure victims rather than a broad spray-and-pray wave.
CISA added **CVE-2025-66376** to its exploited-in-the-wild catalog and told Federal Civilian Executive Branch agencies to secure ZCS servers by **April 1, 2026**. Synacor had already patched the flaw in early November, but exposed Classic UI deployments and any unmitigated webmail sessions remain at risk until the fix is applied. Available evidence does not quantify the full reach of the activity or identify every operator involved.
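As an added example that is not part of the original case page, the following mail-gateway check walks every `text/html` part of an inbound message and flags CSS `@import` directives, the delivery vector described above, so such messages can be quarantined or logged before they reach a webmail session. The sample message and its hostnames are constructed for the demonstration.

```python
import email
import re
from email import policy

# @import either as url(...) or as a quoted string; case-insensitive.
IMPORT_RE = re.compile(r"@import\s+(?:url\(\s*)?['\"]?([^'\")\s;]+)", re.IGNORECASE)
STYLE_BLOCK_RE = re.compile(r"<style[^>]*>(.*?)</style>", re.IGNORECASE | re.DOTALL)
STYLE_ATTR_RE = re.compile(r"style\s*=\s*(['\"])(.*?)\1", re.IGNORECASE | re.DOTALL)

def find_css_imports(html: str) -> list:
    """Return the @import targets found in <style> blocks and inline style attributes."""
    targets = []
    for m in STYLE_BLOCK_RE.finditer(html):
        targets += IMPORT_RE.findall(m.group(1))
    for m in STYLE_ATTR_RE.finditer(html):
        targets += IMPORT_RE.findall(m.group(2))
    return targets

def scan_message(raw: bytes) -> list:
    """Walk every text/html MIME part of an RFC 822 message and collect @import targets."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings += find_css_imports(part.get_content())
    return findings

# Constructed sample: a multipart message whose HTML part pulls a remote stylesheet.
SAMPLE_EML = b"""From: sender@example.invalid
To: user@example.invalid
Subject: test
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

plain text body
--b1
Content-Type: text/html

<html><head><style>@import url("https://remote.example.invalid/x.css");</style></head>
<body style="color:red">hello</body></html>
--b1--
"""

if __name__ == "__main__":
    for target in scan_message(SAMPLE_EML):
        print("CSS @import found in HTML part:", target)
```

A hit is a strong quarantine signal on a mail path feeding Zimbra, since legitimate HTML email has little reason to pull remote stylesheets.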