CISA has ordered U.S. authorities businesses to safe their servers in opposition to an actively exploited vulnerability within the Zimbra Collaboration Suite (ZCS).
Zimbra is a highly regarded e mail and collaboration software program suite utilized by lots of of tens of millions of individuals worldwide, together with hundreds of companies and lots of of presidency businesses.
Tracked as CVE-2025-66376 and patched in early November, this high-severity safety flaw stems from a saved cross-site scripting (XSS) weak spot within the Basic UI that distant unauthenticated attackers may exploit by abusing Cascading Model Sheets (CSS) @import directives in e mail HTML.
Whereas Synacor (the corporate behind Zimbra) did not share any particulars on the impression of a profitable CVE-2025-66376 assault, it could doubtless be exploited to execute arbitrary JavaScript by way of malicious HTML-based emails, probably permitting attackers to hijack person classes and steal delicate information inside the compromised Zimbra setting.
CISA added it to its catalog of vulnerabilities exploited within the wild on Wednesday and gave Federal Civilian Government Department (FCEB) businesses two weeks to safe their servers by April 1st, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021.
Though BOD 22-01 applies solely to federal businesses, the U.S. cybersecurity company inspired all organizations, together with these within the personal sector, to patch this actively exploited flaw as quickly as potential.
“Apply mitigations per vendor directions, observe relevant BOD 22-01 steering for cloud providers, or discontinue use of the product if mitigations are unavailable,” CISA warned. “These kinds of vulnerabilities are frequent assault vectors for malicious cyber actors and pose important dangers to the federal enterprise.”
Zimbra servers beneath assault
Zimbra safety flaws are ceaselessly focused in assaults and have been exploited to breach hundreds of susceptible e mail servers worldwide in recent times.
As an example, as early as June 2022, Zimbra auth-bypass and distant code execution bugs had been abused to breach greater than 1,000 servers.
Beginning in September 2022, hackers exploited a zero-day vulnerability in Zimbra Collaboration Suite, breaching practically 900 servers inside two months after gaining distant code execution on compromised cases.
The Russian state-backed Winter Vivern hacking group additionally used mirrored XSS exploits to breach the Zimbra webmail portals of NATO-aligned governments and the mailboxes of presidency officers, army personnel, and diplomats.
Extra just lately, menace actors exploited one other Zimbra XSS vulnerability (CVE-2025-27915) in zero-day assaults to execute arbitrary JavaScript code, enabling them to set e mail filters that redirect messages to attacker-controlled servers.
Malware is getting smarter. The Purple Report 2026 reveals how new threats use math to detect sandboxes and conceal in plain sight.
Obtain our evaluation of 1.1 million malicious samples to uncover the highest 10 methods and see in case your safety stack is blinded.
