Russian APT targets Ukraine via Zimbra XSS flaw CVE-2025-66376
Publish Date: 2026-03-19 11:01:00
Source Domain: securityaffairs.com
Pierluigi Paganini
March 19, 2026

Russian APT exploits a critical XSS flaw in Zimbra, tracked as CVE-2025-66376, running scripts via HTML emails to target users in Ukraine.
A Russia-linked threat actor is exploiting a high-severity XSS vulnerability, tracked as CVE-2025-66376 (CVSS score of 7.2), in Zimbra Collaboration. The attackers abused insufficiently sanitized HTML emails to run scripts when the message was opened, targeting users in Ukraine.
The flaw is a stored XSS vulnerability in the Classic UI where attackers could abuse CSS @import directives in email HTML. Attackers could exploit the bug to take over a user’s email account and compromise the entire Zimbra environment.
Synacor addressed the flaw with the release of Zimbra versions 10.1.13 and 10.0.18.
According to cybersecurity firm Seqrite Labs, a Russia-linked APT group, likely APT28 (aka UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM), has exploited the Zimbra vulnerability in attacks against entities in Ukraine. The attackers used JavaScript in phishing emails to silently harvest credentials, session tokens, 2FA codes, saved passwords, and 90 days of mailbox data, then exfiltrated the stolen data via DNS and HTTPS.
“A social engineered internship inquiry is used to deliver an obfuscated JavaScript payload embedded directly in the email body. When the victim opens the email in a vulnerable Zimbra webmail session, it exploits CVE-2025-66376 which is a stored XSS bug caused by inadequate sanitization of CSS @import directives within the HTML content,” reads the report published by Seqrite Labs. “Based on technical overlaps with Zimbra exploitation and geopolitical targeting alignment, we assess with moderate confidence that this campaign aligns with tradecraft previously documented with Russian state-sponsored intrusion sets…
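The vector described above and in the Seqrite quote is an @import directive hidden in an email's HTML. As an added defensive example (not from the article, Seqrite, or Zimbra's own sanitizer), the Python helper below collects CSS from <style> elements and style attributes in an HTML body, undoes the usual CSS comment and backslash-escape tricks, and reports or strips any @import rule it finds; the URL in the test input is a constructed placeholder.

```python
import re
from html.parser import HTMLParser

# Hypothetical mail-gateway check for CSS @import in HTML email bodies.
IMPORT_RE = re.compile(r"@\s*import\b", re.IGNORECASE)


def _normalize_css(css: str) -> str:
    """Remove CSS comments and decode backslash hex escapes so that
    '@/**/import' and '@\\69mport' are seen as plain '@import'."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.DOTALL)
    return re.sub(r"\\([0-9a-fA-F]{1,6})\s?",
                  lambda m: chr(int(m.group(1), 16)), css)


class _StyleCollector(HTMLParser):
    """Gathers <style> contents and style="" attribute values.
    convert_charrefs=True decodes entities such as &#64;import first."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.fragments = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if name == "style" and value:
                self.fragments.append(value)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.fragments.append(data)


def find_css_imports(html: str) -> list:
    """Return every normalized CSS fragment that carries an @import rule."""
    parser = _StyleCollector()
    parser.feed(html)
    parser.close()
    normalized = (_normalize_css(f) for f in parser.fragments)
    return [css.strip() for css in normalized if IMPORT_RE.search(css)]


def strip_import_rules(css: str) -> str:
    """Defensive rewrite of one CSS fragment: drop each @import rule up to ';'."""
    return re.sub(r"@\s*import\b[^;]*;?", "", _normalize_css(css),
                  flags=re.IGNORECASE)
```

A gateway that rejects or rewrites messages flagged by find_css_imports removes this particular vector before the Classic UI ever renders the mail, independent of whether the server is patched.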