Russian Hackers Exploit Zimbra Vulnerability in Ukrainian Government Cyber Attacks
A high-severity vulnerability in the Zimbra Collaboration Suite (ZCS) is being exploited by Russian state-backed hackers in targeted attacks against Ukrainian government entities. The vulnerability, tracked as CVE-2025-66376, was patched in early November but remains a threat to unpatched systems.
Vulnerability Details
The attacks, attributed to APT28 (also known as Fancy Bear or Strontium), exploit a stored cross-site scripting (XSS) vulnerability. Because the malicious markup is rendered by the webmail client, an unauthenticated attacker can have attacker-supplied JavaScript execute in the victim's Zimbra webmail session and take over the targeted account.
The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their servers within two weeks.
Phishing Campaigns
Seqrite Labs researchers reported that APT28 hackers have exploited the Zimbra XSS vulnerability in phishing attacks against Ukraine, including the Ukrainian State Hydrology Agency.
The phishing campaign, dubbed Operation GhostMail, delivered emails carrying malicious JavaScript that triggers CVE-2025-66376 as soon as the recipient opens the message in a vulnerable Zimbra webmail session.
The attackers' script executes silently in the browser, harvesting credentials, session tokens, backup 2FA codes, browser-saved passwords, and the contents of the victim's mailbox for the past 90 days. Because session tokens and backup 2FA codes are taken alongside passwords, remediation has to invalidate active sessions and reissue backup codes, not just rotate the password.
The exfiltrated data is transmitted over both DNS and HTTPS, so egress controls that inspect only web traffic will miss the DNS channel.
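Exfiltration over DNS leaves a recognisable pattern in resolver logs: many queries to one registered domain, each carrying a long, high-entropy, never-repeated first label. The Python below is an added example, not code from the page or the researchers, that scores a constructed query log on exactly those properties. The log line format, the thresholds and the "last two labels" approximation of a registrable domain are assumptions made for the example.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character: about 4.0 for random hex, well under 3 for hostnames."""
    if not text:
        return 0.0
    counts: dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels are the registrable domain. A real
    # deployment would consult the public suffix list (co.uk and similar).
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_exfil_domains(lines, min_queries=8, min_label_len=20,
                       min_entropy=3.0, min_unique_ratio=0.9):
    """Flag registered domains whose first subdomain labels look like encoded data.

    Each line is "<timestamp> <client-ip> <qname> <qtype>" (assumed log format).
    """
    stats = defaultdict(lambda: {"n": 0, "labels": set(), "len": 0.0,
                                 "ent": 0.0, "clients": set()})
    for line in lines:
        _ts, client, qname, _qtype = line.split()
        qname = qname.rstrip(".").lower()
        domain = registered_domain(qname)
        if qname == domain:
            continue  # bare apex lookup carries no subdomain payload
        first_label = qname.split(".")[0]
        s = stats[domain]
        s["n"] += 1
        s["labels"].add(first_label)
        s["len"] += len(first_label)
        s["ent"] += shannon_entropy(first_label)
        s["clients"].add(client)

    flagged = []
    for domain, s in stats.items():
        n = s["n"]
        avg_len = s["len"] / n
        avg_ent = s["ent"] / n
        unique_ratio = len(s["labels"]) / n
        if (n >= min_queries and avg_len >= min_label_len
                and avg_ent >= min_entropy and unique_ratio >= min_unique_ratio):
            flagged.append({
                "domain": domain,
                "queries": n,
                "unique_labels": len(s["labels"]),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "clients": sorted(s["clients"]),
            })
    return sorted(flagged, key=lambda f: -f["queries"])


def _fake_chunk(i: int) -> str:
    """Deterministic stand-in for an encoded data chunk (constructed, not real traffic)."""
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]


# Constructed sample log: one client doing ordinary lookups, another issuing a
# burst of long, unique, high-entropy labels under a single domain.
BENIGN_HOSTS = ["mail", "www", "mail", "cdn", "autodiscover",
                "mail", "www", "mail", "cdn", "mail"]
BENIGN_LOG = [f"2025-11-12T10:00:{i:02d}Z 10.0.0.5 {h}.example.invalid A"
              for i, h in enumerate(BENIGN_HOSTS)]
EXFIL_LOG = [f"2025-11-12T10:01:{i:02d}Z 10.0.0.9 {_fake_chunk(i)}.s.cdn-sync.invalid TXT"
             for i in range(12)]
SAMPLE_LOG = BENIGN_LOG + EXFIL_LOG

if __name__ == "__main__":
    for hit in find_exfil_domains(SAMPLE_LOG):
        print(hit)
```

The thresholds are deliberately loose starting points; in practice, tune them against a baseline of your own resolver logs, and weight TXT and NULL query types more heavily, since they carry more data per response than A records.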
Previous Attacks
This is not the first time Zimbra security flaws have been targeted by Russian state-backed hackers.
In February 2023, the Russian Winter Vivern cyberespionage group used a reflected XSS exploit to breach Zimbra webmail portals and spy on NATO-aligned organizations and individuals.
In October 2024, U.S. and U.K. cyber agencies warned that APT29 (aka Cozy Bear or Midnight Blizzard), linked to Russia's Foreign Intelligence Service (SVR), was attacking vulnerable Zimbra servers at scale, exploiting a previously used vulnerability to steal account credentials.
Conclusion
Zimbra is a widely used collaboration software suite, with hundreds of millions of users worldwide, including government agencies and businesses.
This campaign shows why known, actively exploited flaws must be patched promptly: the exploit needs nothing more than a victim reading a message. Organizations running Zimbra should confirm they are on a fixed build and review webmail and DNS activity for signs of compromise.
