A Russian state-sponsored threat actor is exploiting a critical cross-site scripting (XSS) vulnerability in Zimbra Collaboration, identified as CVE-2025-66376, to target users in Ukraine. This high-severity flaw, with a CVSS score of 7.2, allows attackers to run scripts via HTML emails, potentially taking over a user's email account. The vulnerability is a stored XSS flaw in the Classic UI, where attackers can abuse CSS @import directives in email HTML to execute malicious code. Exploiting the bug lets attackers gain unauthorized access to sensitive information. The active exploitation of CVE-2025-66376 by a Russian APT group [1] highlights the need for immediate attention to this vulnerability. What matters to practitioners is that the exploitation status of this flaw calls for a prompt patch-or-monitor decision to prevent potential security breaches.
Russian APT targets Ukraine via Zimbra XSS flaw CVE-2025-66376
⚠️ Critical Alert
Why This Matters
CVE-2025-66376 is in active discussion involving Russia; its exploitation status determines whether this is a patch-now or a monitor item.
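For the monitoring side of that decision, a mail-triage heuristic as an added example (not code from SecurityAffairs or Zimbra): it walks a message's HTML parts and reports every CSS `@import` found in `<style>` elements or `style` attributes. The function names and the `sample` builder are assumptions made for illustration, and a hit only means the message carries the construct described above, not that it is the exploit.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# CSS backslash escapes are decoded first so the match is on what a CSS parser sees.
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?|\\(.)", re.S)

def normalize_css(css):
    """Decode CSS backslash escapes and lowercase the result."""
    def unescape(m):
        return m.group(2) or chr(min(int(m.group(1), 16), 0x10FFFF))
    return _CSS_ESCAPE.sub(unescape, css).lower()

class StyleCollector(HTMLParser):
    """Collects CSS text from <style> elements and style="" attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_style, self.css = False, []  # css holds (location, text) pairs

    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"
        self.css += [(f"{tag}[style]", v) for k, v in attrs if k == "style" and v]

    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"

    def handle_data(self, data):
        if self.in_style:
            self.css.append(("style element", data))

def find_css_imports(raw_message):
    """Return the locations of CSS @import rules in a message's HTML parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = StyleCollector()
            collector.feed(part.get_content())
            collector.close()
            hits += [loc for loc, css in collector.css if "@import" in normalize_css(css)]
    return hits

def sample(html):
    """Build a constructed multipart test message around an HTML body."""
    m = EmailMessage()
    m.set_content("plain part")
    m.add_alternative(html, subtype="html")
    return m.as_bytes()
```

Messages that return a non-empty list are candidates for quarantine or analyst review; legitimate HTML mail rarely relies on `@import`, but it is not unheard of, so treat hits as leads rather than verdicts.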
References
- SecurityAffairs. (2026, March 19). Russian APT targets Ukraine via Zimbra XSS flaw CVE-2025-66376. *SecurityAffairs*. https://securityaffairs.com/189673/security/russian-apt-targets-ukraine-via-zimbra-xss-flaw-cve-2025-66376.html
Original Source
SecurityAffairs