
Russian APT targets Ukraine via Zimbra XSS flaw CVE-2025-66376


Russian APT exploits a critical XSS flaw in Zimbra, tracked as CVE-2025-66376, running scripts via HTML emails to target users in Ukraine.

Russia-linked threat actor exploits a high-severity XSS vulnerability, tracked as CVE-2025-66376 (CVSS score of 7.2), in Zimbra Collaboration. Attackers exploited insufficiently sanitized HTML emails to run scripts when opened, targeting users in Ukraine.

The flaw is a stored XSS vulnerability in the Classic UI where attackers could abuse CSS @import directives in email HTML. Attackers could exploit the bug to take over a user’s email account and compromise the entire Zimbra environment.
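As an added defensive illustration (not code from the article, Seqrite Labs or Zimbra), the check below scans raw HTML email for the CSS @import directives described above, in both `<style>` blocks and inline `style` attributes, after stripping CSS comments and decoding CSS escapes so a gateway filter does not compare against the literal text only; the sample message and the `example.invalid` URLs are constructed.

```python
"""Flag CSS @import directives in HTML email (the construct CVE-2025-66376 abuses)."""
import re
from html.parser import HTMLParser

# CSS escape: backslash + 1-6 hex digits (+ optional whitespace), or backslash + any char
_CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})\s?|(.))", re.S)
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_IMPORT = re.compile(r"@import\b", re.I)

def normalize_css(css: str) -> str:
    """Strip comments and decode escapes so tokens are compared in canonical form."""
    css = _CSS_COMMENT.sub("", css)
    return _CSS_ESCAPE.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2), css)

class _CssCollector(HTMLParser):
    """Collect <style> bodies and style="" attribute values, tagged with their location."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []          # list of (location, raw css)
        self._in_style = False
    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if name == "style" and value:
                self.chunks.append((f"{tag}[style]", value))
    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
    def handle_data(self, data):
        if self._in_style:        # HTMLParser hands <style> content over as data
            self.chunks.append(("<style>", data))

def find_css_imports(html: str) -> list:
    """Return (location, normalized snippet) for every @import found in the email."""
    parser = _CssCollector()
    parser.feed(html)
    hits = []
    for where, css in parser.chunks:
        norm = normalize_css(css)
        for m in _IMPORT.finditer(norm):
            hits.append((where, norm[m.start():m.start() + 40]))
    return hits

# Constructed sample: one benign inline style, one hidden @import, one upper-case @import.
SAMPLE_EMAIL = (
    "<html><body><p style='color:red'>Internship inquiry</p>"
    "<style>/* hidden */ @import url('//example.invalid/a.css');</style>"
    "<div style='@IMPORT url(//example.invalid/b.css)'>x</div></body></html>"
)

if __name__ == "__main__":
    print(find_css_imports(SAMPLE_EMAIL))
```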

Synacor addressed the flaw with the release of Zimbra versions 10.1.13 and 10.0.18.

According to cybersecurity firm Seqrite Labs, a Russia-linked APT group, likely APT28 (aka UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM), has exploited the Zimbra vulnerability in attacks against entities in Ukraine. Attackers used JavaScript in phishing emails to silently harvest credentials, session tokens, 2FA codes, saved passwords, and 90 days of mailbox data. They then exfiltrated the stolen data via DNS and HTTPS.

“A social engineered internship inquiry is used to deliver an obfuscated JavaScript payload embedded directly in the email body. When the victim opens the email in a vulnerable Zimbra webmail session, it exploits CVE-2025-66376 which is a stored XSS bug caused by inadequate sanitization of CSS @import directives within the HTML content,” reads the report published by Seqrite Labs. “Based on technical overlaps with Zimbra exploitation and geopolitical targeting alignment, we assess with moderate confidence that this campaign aligns with tradecraft previously documented with Russian state-sponsored intrusion sets targeting Ukrainian government entities. This has been reported to CERT-UA.”

A national maritime agency was targeted on January 22 using a compromised student email. Seqrite Labs tracked this campaign as Operation GhostMail.

A phishing email targeted Ukraine’s State Hydrology Agency, part of critical infrastructure, using a compromised student account to appear legitimate. The message hid malicious JavaScript in the HTML body, exploiting a Zimbra XSS flaw (CVE-2025-66376).

Once opened, it executed in the user’s session, stealing credentials, tokens, emails, and 2FA data. The multi-stage payload used SOAP requests, DNS and HTTPS exfiltration, and enabled persistent access, allowing attackers to monitor accounts and extract up to 90 days of emails.

The phishing campaign’s C2 infrastructure was set up on 20 Jan 2026 with two domains:

  • js-l1wt597cimk[.]i[.]zimbrasoft[.]com[.]ua
  • js-26tik3egye4[.]i[.]zimbrasoft[.]com[.]ua

Historical patterns show Russian APTs like Fancy Bear (APT28), Cozy Bear (APT29), and Winter Vivern (TA473) targeting Zimbra, but this attack differs as it leverages an HTML email XSS payload requiring user interaction, dual-channel exfiltration, and structured SOAP API abuse. Based on targeting and payload similarities to SpyPress.ZIMBRA, Operation GhostMail is attributed to APT28 with medium confidence.

“The targeting of a Ukrainian government entity aligns with ongoing geopolitical cyber activity observed against public-sector institutions in the region,” concludes the report. “While definitive attribution requires further infrastructure or code-overlap confirmation, the techniques used are consistent with previously documented Russian state-sponsored groups exploiting webmail platforms across Eastern Europe.”

On Wednesday, the US CISA added the flaw CVE-2025-66376 to its Known Exploited Vulnerabilities catalog, ordering federal agencies to address it by April 1st, 2026.


Pierluigi Paganini

(SecurityAffairs – hacking, Zimbra)