Russian APT Exploits Zimbra Vulnerability in Ukraine Cyber Attacks
Russian State-Sponsored Threat Actor Exploits Zimbra Vulnerability to Target Ukrainian Organizations
A Russian state-sponsored threat actor has exploited a stored cross-site scripting (XSS) vulnerability in Zimbra’s collaboration software suite to target Ukrainian organizations.
Vulnerability Details
The vulnerability, tracked as CVE-2025-66376 and assigned a CVSS score of 7.2, affects the Classic UI component and was patched in November 2025 in versions 10.1.13 and 10.0.18.
The XSS bug allows attackers to embed malicious JavaScript in the HTML body of a message; because the script is stored with the message, it runs in the recipient's browser as soon as the message is opened.
Impact
This can lead to the compromise of the recipient’s account and the Zimbra environment.
In some cases, the attackers used the vulnerability to steal sensitive information, including credentials, session tokens, and browser-saved passwords.
US CISA Warning
The US Cybersecurity and Infrastructure Security Agency (CISA) recently added CVE-2025-66376 to its Known Exploited Vulnerabilities catalog, urging federal agencies to patch the vulnerability within two weeks.
Attribution to APT28
The researchers noted that the attackers used the vulnerability to execute malicious code in the browser, allowing them to steal sensitive information without being detected.
Recommendation
Users are advised to update their Zimbra deployments as soon as possible, as vulnerabilities in the collaboration software suite are often targeted by threat actors.
In January, a local file inclusion (LFI) issue in the appliance’s webmail UI was flagged as exploited in highly targeted campaigns.
Conclusion
The exploitation of CVE-2025-66376 highlights the importance of patching vulnerabilities in a timely manner, as threat actors often target known vulnerabilities to gain unauthorized access to sensitive information.
