Member types: Vulnerability, Advisory/Mitigation, Campaign

APT28 GhostMail abuse of Zimbra Classic UI flaw

Updated: 19.03.2026 16:55
Case score: 65
Members: 3
First seen: 18.03.2026 21:57
Last seen: 19.03.2026 16:55
Exploitation: Active exploitation
Patch status: Varies by member
CVSS: 10.0 Critical

Overview

**CVE-2025-66376** in **Zimbra Collaboration Suite (ZCS)** is being used in active attacks that abuse the Classic UI and email-delivered CSS `@import` content to run stored XSS in a victim session. **APT28**'s Operation GhostMail applies that path against Ukrainian government entities and can pull credentials, session tokens, and mailbox data. **CISA** has already added the flaw to the exploited-in-the-wild catalog and ordered Federal Civilian Executive Branch agencies to secure affected servers by **April 1, 2026**. Synacor patched the issue in early November, but the available evidence does not quantify how broad the exploitation is.

Signals

9 derived signals
Exploitation: Active exploitation; CVSS 10.0 Critical
CVEs/products: CVE-2025-66376
Victims/regions: Sector government; Victim region United States
Remediation: Urgency High
Status: Campaign status Active
Threat context: Actor APT28

Malware context

1 family

Member happenings

3 related

Vulnerability: Zimbra Collaboration Suite (ZCS) stored XSS flaw (CVE-2025-66376)
Updated 18.03.2026 21:57 | Role: Lead | Contribution 62
Exploitation: Active exploitation; Exploit: No known public exploit; Data type: Email addresses; CVSS: 10.0 Critical

**CVE-2025-66376** affects **Zimbra Collaboration Suite (ZCS)**, where a stored **XSS flaw** in the **Classic UI** is **actively exploited** and can put exposed mail servers and user sessions at risk. Remote unauthenticated attackers can abuse **CSS @import directives** in email HTML to trigger the weakness, with potential follow-on impacts including session hijacking and sensitive-data theft. The issue was **patched in early November**, but unremediated deployments remain exposed.
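As an added illustration of the delivery vector described above (not code from the advisory or from Zimbra): a hypothetical mail-gateway triage check that flags CSS `@import` and external stylesheet references in inbound HTML bodies, run over a constructed sample message.

```python
import email
import re
from email import policy
from typing import Dict, List

# Constructed sample message (not a real capture): one HTML-body email that
# carries a CSS @import, the delivery vector the advisory describes.
SAMPLE_EML = b"""From: sender@example.invalid
To: user@example.invalid
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please see the report.
--b1
Content-Type: text/html; charset=utf-8

<html><head><style>@import url("https://cdn.example.invalid/x.css");</style></head>
<body><p style="color:#333">Please see the report.</p></body></html>
--b1--
"""

# Hypothetical triage rules: @import anywhere in the HTML, and <link rel=stylesheet>.
IMPORT_RE = re.compile(r"@import\s+(?:url\()?['\"]?([^'\")\s;]+)", re.IGNORECASE)
LINK_RE = re.compile(r"<link[^>]+rel=['\"]?stylesheet", re.IGNORECASE)

def html_parts(raw: bytes) -> List[str]:
    """Return the decoded text/html bodies of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_content() for p in msg.walk()
            if p.get_content_type() == "text/html"]

def scan_email(raw: bytes) -> List[Dict[str, str]]:
    """Flag CSS @import and external stylesheet references in HTML bodies.
    Any hit is a candidate for stripping or quarantine before a webmail client renders it."""
    findings = []
    for body in html_parts(raw):
        for m in IMPORT_RE.finditer(body):
            findings.append({"rule": "css-import", "target": m.group(1)})
        if LINK_RE.search(body):
            findings.append({"rule": "external-stylesheet", "target": ""})
    return findings

if __name__ == "__main__":
    for finding in scan_email(SAMPLE_EML):
        print(finding)
```

The rules are deliberately coarse: legitimate mail rarely needs `@import`, so a hit is a reason to strip the stylesheet reference or hold the message, not proof of exploitation.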

Campaign: APT28 Operation GhostMail Zimbra phishing campaign targeting Ukrainian government entities
Updated 19.03.2026 16:55 | Role: Scoring support | Contribution 2
Objective: Espionage; Campaign: Active; Patch: Patch available

**APT28**’s **Operation GhostMail** is actively targeting **Ukrainian government entities** through a phishing chain that exploits **CVE-2025-66376** in **Zimbra Collaboration Suite**, creating immediate risk to email accounts and credentials. The message delivers an obfuscated **JavaScript** payload in the **HTML body** of a single email, avoiding attachments and macros. The payload can harvest **session tokens**, backup **2FA codes**, browser-saved passwords, and mailbox content from the last **90 days**. The activity matters because the vulnerability is already treated as exploited in the wild, and one named target is the **Ukrainian State Hydrology Agency**, a critical infrastructure entity.

Advisory/Mitigation: CISA patch guidance for Zimbra and SharePoint flaws
Updated 19.03.2026 08:05 | Role: Context
Exploitation: Active exploitation; CVSS: 10.0 Critical; Urgency: High; Patch: Patch available

**CISA** told **FCEB agencies** to patch **two actively exploited vulnerabilities** in **Synacor Zimbra Collaboration Suite (ZCS)** and **Microsoft Office SharePoint**, creating immediate risk for government collaboration systems. The directive covers **CVE-2025-66376** in ZCS and **CVE-2026-20963** in SharePoint, with deadlines of **March 23, 2026** and **April 1, 2026**. Public reporting does not identify the attackers or the scale of exploitation, but both flaws are already fixed and require prompt remediation.