Thursday, March 19, 2026

CISA orders feds to patch Zimbra XSS flaw exploited in attacks

CISA has ordered U.S. government agencies to secure their servers against an actively exploited vulnerability in the Zimbra Collaboration Suite (ZCS).

Zimbra is a very popular email and collaboration software suite used by hundreds of millions of people worldwide, including thousands of companies and hundreds of government agencies.

Tracked as CVE-2025-66376 and patched in early November, this high-severity security flaw stems from a stored cross-site scripting (XSS) weakness in the Classic UI that remote unauthenticated attackers can exploit by abusing Cascading Style Sheets (CSS) @import directives in email HTML.

While Synacor (the company behind Zimbra) did not share any details on the impact of a successful CVE-2025-66376 attack, it could likely be exploited to execute arbitrary JavaScript via malicious HTML-based emails, potentially allowing attackers to hijack user sessions and steal sensitive data across the compromised Zimbra environment.
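As an added illustration (not code from the article, Synacor or CISA), the following Python script scans an email's HTML for CSS @import directives, the construct the advisory describes, in both style blocks and inline style attributes, so a mail gateway rule or an incident responder can flag such messages before they are rendered by the Classic UI. The sample message and the example.invalid URLs are constructed for the demo.

```python
import re
from html.parser import HTMLParser
# Matches @import url(...) (quotes optional) or @import "..." / '...' and captures the target.
_IMPORT_RE = re.compile(
    r"""@import\s+(?:url\(\s*['"]?([^'")]+)['"]?\s*\)|['"]([^'"]+)['"])""",
    re.IGNORECASE,
)

def find_imports_in_css(css: str) -> list:
    """Return the target of every @import in a CSS string; comments are removed first, as a CSS engine ignores them."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.DOTALL)
    return [m.group(1) or m.group(2) for m in _IMPORT_RE.finditer(css)]

class _CssImportCollector(HTMLParser):
    """Records @import targets from <style> blocks and inline style="" attributes, with their location."""
    def __init__(self):
        super().__init__()
        self.in_style = False
        self.findings = []  # list of (location, import_target)

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        for name, value in attrs:
            if name == "style" and value:
                self.findings += [(f"<{tag} style>", t) for t in find_imports_in_css(value)]

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:  # HTMLParser hands <style> content to handle_data as raw text
            self.findings += [("<style>", t) for t in find_imports_in_css(data)]

def find_css_imports(email_html: str) -> list:
    """Return [(location, target), ...] for every CSS @import in an HTML mail body; non-empty means flag the message."""
    collector = _CssImportCollector()
    collector.feed(email_html)
    collector.close()
    return collector.findings

# Constructed sample message for the demo (not a real exploit); example.invalid never resolves.
SAMPLE_EMAIL_HTML = """<html><head><style>
  @import url("https://example.invalid/theme.css");
  body { font-family: sans-serif; }
</style></head><body>
<div style="color: red; @import 'https://example.invalid/inline.css';">Hello</div>
</body></html>"""
```

A message whose HTML legitimately needs no external stylesheet should produce an empty list, so the rule can be tuned to quarantine or strip only mail that returns findings.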

CISA added it to its catalog of vulnerabilities exploited in the wild on Wednesday and gave Federal Civilian Executive Branch (FCEB) agencies two weeks to secure their servers by April 1st, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021.

Although BOD 22-01 applies only to federal agencies, the U.S. cybersecurity agency encouraged all organizations, including those in the private sector, to patch this actively exploited flaw as soon as possible.

“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable,” CISA warned. “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”

Zimbra servers under attack

Zimbra security flaws are frequently targeted in attacks and have been exploited to breach thousands of vulnerable email servers worldwide in recent years.

For instance, as early as June 2022, Zimbra auth-bypass and remote code execution bugs were abused to breach more than 1,000 servers.

Starting in September 2022, hackers exploited a zero-day vulnerability in Zimbra Collaboration Suite, breaching nearly 900 servers within two months after gaining remote code execution on compromised instances.

The Russian state-backed Winter Vivern hacking group also used reflected XSS exploits to breach the Zimbra webmail portals of NATO-aligned governments and the mailboxes of government officials, military personnel, and diplomats.

More recently, threat actors exploited another Zimbra XSS vulnerability (CVE-2025-27915) in zero-day attacks to execute arbitrary JavaScript code, enabling them to set email filters that redirect messages to attacker-controlled servers.