DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-66376: CVE-2025-66376: Stored Cross-Site Scripting via CSS @import in Zimbra ZCS Classic UI

#security #cve #cybersecurity

CVE-2025-66376: Stored Cross-Site Scripting via CSS @import in Zimbra ZCS Classic UI

Vulnerability ID: CVE-2025-66376
CVSS Score: 7.2
Published: 2026-01-05

A critical stored cross-site scripting (XSS) vulnerability exists in the Classic UI of Synacor Zimbra Collaboration Suite (ZCS) versions 10.0.x and 10.1.x. The flaw arises from improper neutralization of CSS @import directives within HTML email bodies, enabling unauthenticated attackers to execute arbitrary JavaScript in the context of the victim's webmail session. State-sponsored actors, specifically APT28, currently exploit this vulnerability in the wild.

TL;DR

Zimbra ZCS Classic UI fails to sanitize CSS @import directives in HTML emails, resulting in Stored XSS. Attackers use this to silently execute JavaScript, exfiltrate emails via the SOAP API, and steal session tokens without user interaction beyond opening the email.

⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS Score: 7.2
  • EPSS Score: 0.28822
  • Exploit Status: Active Exploitation (APT28)
  • CISA KEV: Added (2026-03-18)

Affected Systems

  • Synacor Zimbra Collaboration Suite (ZCS) Classic UI
  • ZCS 10.0.x
  • ZCS 10.1.x
  • Zimbra Collaboration Suite (ZCS): 10.0.0 - 10.0.17 (Fixed in: 10.0.18)
  • Zimbra Collaboration Suite (ZCS): 10.1.0 - 10.1.12 (Fixed in: 10.1.13)

Exploit Details

  • Seqrite Labs: Technical analysis of Operation GhostMail detailing APT28 exploitation methodology.

Mitigation Strategies

  • Upgrade Zimbra Collaboration Suite to version 10.0.18 or 10.1.13.
  • Instruct users to utilize the Modern UI instead of the Classic UI.
  • Disable the Classic UI interface temporarily if patching is delayed.
  • Monitor network traffic for anomalous outbound DNS queries and HTTP POST requests from client browsers.

Remediation Steps:

  1. Verify the current running version of Zimbra ZCS.
  2. Schedule a maintenance window for the upgrade process.
  3. Apply the 10.0.18 or 10.1.13 patch according to the official Zimbra release notes.
  4. Audit Zimbra SOAP API logs for unauthorized data extraction patterns.
  5. Communicate the UI transition to end-users if relying on the mitigation workaround.

References

Read the full report for CVE-2025-66376 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)