{"id":225347,"date":"2026-03-19T11:01:00","date_gmt":"2026-03-19T15:01:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/03\/19\/russian-apt-targets-ukraine-via-zimbra-xss-flaw-cve-2025-66376\/"},"modified":"2026-03-19T12:20:14","modified_gmt":"2026-03-19T16:20:14","slug":"russian-apt-targets-ukraine-via-zimbra-xss-flaw-cve-2025-66376","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/03\/19\/russian-apt-targets-ukraine-via-zimbra-xss-flaw-cve-2025-66376\/","title":{"rendered":"Russian APT targets Ukraine via Zimbra XSS flaw CVE-2025-66376"},"content":{"rendered":"<p><a href=\"https:\/\/securityaffairs.com\/189673\/security\/russian-apt-targets-ukraine-via-zimbra-xss-flaw-cve-2025-66376.html\">Russian APT targets Ukraine via Zimbra XSS flaw CVE-2025-66376<\/a><\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/189673\/security\/russian-apt-targets-ukraine-via-zimbra-xss-flaw-cve-2025-66376.html\">https:\/\/securityaffairs.com\/189673\/security\/russian-apt-targets-ukraine-via-zimbra-xss-flaw-cve-2025-66376.html<\/a><\/p>\n<p>Publish Date: 2026-03-19 11:01:00<\/p>\n<p>Source Domain: <a href=\"securityaffairs.com\">securityaffairs.com<\/a><\/p>\n<p><h2>Russian APT targets Ukraine via Zimbra XSS flaw CVE-2025-66376<\/h2>\n<\/p>\n<p>\t\t\t\t\t\t\t<span> Pierluigi Paganini<\/span><br \/>\n\t\t\t\t\t\t\t<span> March 19, 2026<\/span><\/p>\n<p>\t\t\t\t\t\t<img decoding=\"async\" class=\"img-fluid mb-4\" src=\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2021\/07\/zimbra.png?fit=525%2C253&#038;ssl=1\" alt=\"\"\/><\/p>\n<h2 class=\"wp-block-heading\">Russian APT exploits a critical XSS flaw in Zimbra, tracked as CVE-2025-66376, running scripts via HTML emails to target users in Ukraine.<\/h2>\n<p>A Russia-linked threat actor exploited a 
high-severity XSS vulnerability, tracked as CVE-2025-66376 (CVSS score of 7.2), in Zimbra Collaboration. Attackers exploited insufficiently sanitized HTML emails to run scripts when opened, targeting users in Ukraine.<\/p>\n<p>The flaw is a stored XSS vulnerability in the Classic UI where\u00a0attackers could abuse CSS @import directives in email HTML. Attackers could exploit the bug to take over a user\u2019s email account and compromise the entire Zimbra environment.<\/p>\n<p>Synacor\u00a0addressed the flaw with the release of Zimbra versions 10.1.13 and 10.0.18.<\/p>\n<p>According to cybersecurity firm Seqrite Labs, a Russia-linked APT group, likely APT28 (aka UAC-0001, aka\u00a0Fancy Bear,\u00a0Pawn Storm,\u00a0Sofacy Group,\u00a0Sednit,\u00a0BlueDelta, and\u00a0STRONTIUM), has exploited the Zimbra vulnerability in attacks against entities in Ukraine. Attackers used JavaScript in phishing emails to silently harvest credentials, session tokens, 2FA codes, saved passwords, and 90 days of mailbox data. They then exfiltrated the stolen data via DNS and HTTPS.<\/p>\n<p>\u201cA social engineered internship inquiry is used to deliver an obfuscated JavaScript payload embedded directly in the email body. When the victim opens the email in a vulnerable Zimbra webmail session, it exploits\u00a0CVE-2025-66376\u00a0which is a stored XSS bug caused by inadequate sanitization of CSS @import directives within the HTML content.\u201d reads the report published by Seqrite Labs. 
\u201cBased on technical overlaps with Zimbra exploitation and geopolitical targeting alignment, we assess with moderate confidence that this campaign aligns with tradecraft previously documented with\u00a0<strong>Russian state-sponsored<\/strong>\u00a0intrusion sets&#8230;<\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/189673\/security\/russian-apt-targets-ukraine-via-zimbra-xss-flaw-cve-2025-66376.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Russian APT targets Ukraine via Zimbra XSS flaw CVE-2025-66376 https:\/\/securityaffairs.com\/189673\/security\/russian-apt-targets-ukraine-via-zimbra-xss-flaw-cve-2025-66376.html Publish Date: 2026-03-19 11:01:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":225348,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2026\/03\/image-66.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,25,34,27],"class_list":["post-225347","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-phishing","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/225347"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=225347"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/225347\/revisions"}],"predecessor-version":[{"id":225349,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts
\/225347\/revisions\/225349"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/225348"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=225347"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=225347"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=225347"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}