Zimbra Collaboration Suite (ZCS) stored XSS flaw (CVE-2025-66376)
Vulnerability
Summary
CVE-2025-66376 affects Zimbra Collaboration Suite (ZCS), where a stored XSS flaw in the Classic UI is actively exploited and can put exposed mail servers and user sessions at risk. Remote unauthenticated attackers can abuse CSS @import directives in email HTML to trigger the weakness, with potential follow-on impacts including session hijacking and sensitive-data theft. The issue was patched in early November, but unremediated deployments remain exposed.
Cases
Related Happenings
Zimbra Collaboration Suite actively exploited XSS flaw (CVE-2025-48700)
Vulnerability
First: 24.04.2026 16:35
Last: 24.04.2026 16:35
Sources 1
About this happening:
**CVE-2025-48700** is an **actively exploited XSS flaw** in **Zimbra Collaboration Suite (ZCS)** that can let unauthenticated attackers run JavaScript inside a user's session and...
Nginx UI auth-bypass exploitation wave (CVE-2026-33032)
Exploitation Wave
First: 16.04.2026 01:35
Last: 16.04.2026 01:35
Sources 1
About this happening:
**CVE-2026-33032** is now **actively exploited**, creating immediate risk for **publicly exposed Nginx UI** instances that rely on the vulnerable **/mcp_message** endpoint. Intern...
APT28 Operation GhostMail Zimbra phishing campaign targeting Ukrainian government entities
Campaign
First: 19.03.2026 16:55
Last: 19.03.2026 16:55
Sources 1
How related:
The Ukrainian State Hydrology Agency (a critical infrastructure entity under the Ministry of Infrastructure that provides navigational, maritime, and hydrographic support) was one of the targets of this phishing campaign (named Operation GhostMail).
About this happening:
**APT28**’s **Operation GhostMail** is actively targeting **Ukrainian government entities** through a phishing chain that exploits **CVE-2025-66376** in **Zimbra Collaboration Sui...
CISA patch guidance for Zimbra and SharePoint flaws
Advisory/Mitigation
First: 19.03.2026 08:05
Last: 19.03.2026 08:05
Sources 1
How related:
Because both flaws are actively exploited, Federal Civilian Executive Branch (FCEB) agencies are required to apply patches for CVE-2025-66376 by April 1, 2026, and for CVE-2026-20963 by March 23, 2026.
About this happening:
**CISA** told **FCEB agencies** to patch **two actively exploited vulnerabilities** in **Synacor Zimbra Collaboration Suite (ZCS)** and **Microsoft Office SharePoint**, creating i...
CISA BOD 22-01 Zimbra patch order
Public Sector Action
First: 18.03.2026 21:57
Last: 18.03.2026 21:57
Sources 1
How related:
CISA added CVE-2025-66376 to its catalog of vulnerabilities exploited in the wild on Wednesday and gave Federal Civilian Executive Branch (FCEB) agencies two weeks, until April 1, to secure their servers, as mandated by Binding Operational Directive (BOD) 22-01 issued in November 2021.
About this happening:
**CISA** ordered **Federal Civilian Executive Branch agencies** to secure **Zimbra Collaboration Suite (ZCS)** servers against **CVE-2025-66376**, an **actively exploited** flaw t...
Timeline
18.03.2026 21:57 2 articles · 2mo ago
CISA orders agencies to patch actively exploited Zimbra CVE-2025-66376
Legal Policy Action Update
CISA ordered U.S. Federal Civilian Executive Branch agencies to secure Zimbra Collaboration Suite (ZCS) servers against CVE-2025-66376, a stored cross-site scripting flaw in the Classic UI that attackers can trigger through CSS @import directives in email HTML. The agency said the vulnerability was actively exploited in the wild, gave federal agencies two weeks to comply by April 1, 2026 under BOD 22-01, and urged all organizations to apply vendor mitigations or discontinue use if mitigations are unavailable. The flaw had been patched in early November and could enable arbitrary JavaScript execution, user-session hijacking, and sensitive-data theft within affected Zimbra environments.
Sources:
- CISA orders feds to patch Zimbra XSS flaw exploited in attacks — www.bleepingcomputer.com — 18.03.2026 21:57
- Russian hackers exploit Zimbra flaw in Ukrainian govt attacks — www.bleepingcomputer.com — 19.03.2026 16:55