The security community is looking at Zimbra mail servers again after researchers and government agencies detected active exploitation of a serious flaw in Zimbra Collaboration Suite (ZCS). The flaw is CVE-2025-66376, a stored cross-site scripting (XSS) vulnerability that, in vulnerable deployments, can be the first step towards remote code execution and control of the mail server and of individual accounts.
Zimbra itself published a patch in November that corrects the flaw; the affected versions and updates are detailed in its release notice, so the immediate recommendation for administrators is to apply those patches as soon as possible. The company's official note is available on its technical blog: Patch release - Zimbra 10.1.13 / 10.0.18. The flaw is also recorded in the NVD vulnerability catalogue: CVE-2025-66376 (NVD).

The seriousness of the matter escalated when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue and ordered federal agencies to remediate their servers within two weeks under Binding Operational Directive 22-01. The alert and the KEV listing underline active exploitation in the wild and the obligation to mitigate in federal environments: CISA notice on the inclusion of CVE-2025-66376, and the catalogue of exploited vulnerabilities here. The binding directive that mandates a rapid response is available on the CISA website: BOD 22-01.
On the operational side, researchers have attributed campaigns abusing this vulnerability against Ukrainian entities to APT28, the group linked to Russian military intelligence (GRU) and also known as Fancy Bear or Strontium. Seqrite Labs published a technical analysis of the campaign, named Operation GhostMail, documenting how the attackers send e-mails with no malicious attachment and no suspicious link: the entire attack chain lives in the HTML body of the message. The Seqrite report is available at: Operation GhostMail - Seqrite Labs.
The mechanism the researchers describe is technically simple but effective: the e-mail carries obfuscated JavaScript that exploits the stored XSS when the recipient opens the message in a vulnerable Zimbra webmail session. The script runs silently in the user's browser and starts harvesting credentials, session tokens, two-factor authentication backup codes, passwords saved in the browser and even the contents of the mailbox for the last 90 days, sending that data to the attackers' servers over channels such as DNS and HTTPS. That behavior turns an ordinary-looking message into a complete intrusion, with no attachment or macro needed.
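To make the HTML-borne delivery concrete, here is an added triage script (an example written for this article, not code from the article, Zimbra or Seqrite) that walks a raw RFC 822 message, pulls out every inline text/html part and flags active content such as script tags, inline event handlers and javascript: URIs. The two sample messages are constructed for the example, and the indicator list is an assumption about what an HTML-borne script payload looks like, not the patterns Seqrite reported; the Zimbra XSS itself is not reproduced here.

```python
"""Flag active content in the HTML body of an e-mail message.

Added example, not code from the article, Zimbra or Seqrite. The indicator
list below is an assumption about what an HTML-borne script payload looks
like; it is not the pattern set from the Seqrite report.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators of active content in an HTML mail part: (name, case-insensitive regex).
INDICATORS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.I)),
    ("embedded-object", re.compile(r"<\s*(?:svg|object|embed|iframe)\b", re.I)),
    # A long base64-looking run is typical of a packed or obfuscated payload.
    ("base64-blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
]


def html_parts(msg: EmailMessage):
    """Yield the decoded body of every inline text/html part, nested or not."""
    for part in msg.walk():
        if part.get_content_type() == "text/html" and not part.is_attachment():
            yield part.get_content()


def scan_message(raw: bytes) -> list:
    """Return (indicator, excerpt) pairs for every hit in the HTML parts of raw."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for html in html_parts(msg):
        for name, rx in INDICATORS:
            for m in rx.finditer(html):
                start = max(0, m.start() - 20)
                excerpt = html[start:m.end() + 40].replace("\n", " ")
                hits.append((name, excerpt))
    return hits


def indicator_names(raw: bytes) -> set:
    """The set of indicator names that fired, for a quick verdict."""
    return {name for name, _ in scan_message(raw)}


# Constructed sample: multipart/alternative, HTML part with an inline event
# handler and a script tag. Placeholder payload, not any real campaign's code.
SUSPICIOUS = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the notes below.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please see the notes below.</p>
<img src="x" onerror="eval(atob('Zm9v'))">
<script>var s = String.fromCharCode(102, 101, 116, 99, 104);</script>
</body></html>
--b1--
"""

# Constructed benign message: plain formatting and an ordinary link only.
BENIGN = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: Newsletter
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello <b>world</b>, read more <a href="https://example.invalid/">here</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, excerpt in scan_message(SUSPICIOUS):
        print(f"{name:16s} ...{excerpt}...")
    print("benign message indicators:", indicator_names(BENIGN) or "none")
```

Run at a gateway or over a mailbox export, anything that fires `script-tag` or `event-handler` deserves a look before the message is opened in a webmail client that renders HTML; the benign newsletter produces no hits, which is the point of keeping the indicator list narrow.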
This kind of exploitation is not new in the Zimbra ecosystem: the platform has been a recurring target for state and criminal actors. In earlier campaigns, Russian-linked actors had already abused XSS and other vectors in Zimbra to spy on the communications of NATO-aligned organizations and to compromise thousands of vulnerable servers in successive waves of intrusion. The recurring risk stems from Zimbra's wide adoption in governments and companies, which makes any exploitable flaw a high-impact vector.
If you manage Zimbra servers or accounts that depend on this infrastructure, there are a number of urgent measures to implement in a coordinated and prioritized way. The first and most critical is to apply the official Zimbra update that fixes CVE-2025-66376. In addition, validate policies for blocking HTML mail in sensitive environments, tighten access control to administrative consoles, review login records and mailbox activity, force rotation of credentials and 2FA backup codes where compromise is suspected, and control outbound traffic (including DNS queries) to detect or block unusual exfiltration. These steps reduce the risk while the fix is being rolled out.
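The last of those measures, watching outbound DNS for atypical exfiltration, is the one most teams have the fewest ready-made tools for, so here is an added detector (an example written for this article, not code from the article or CISA) that groups resolver query logs by client and registered domain and flags hosts that send many long, high-entropy subdomains to a single domain, the signature of data being carried out in DNS labels. The one-query-per-line log format, the two-label registered-domain rule and the thresholds are assumptions, and the log lines are constructed.

```python
"""Flag DNS-tunnelling style exfiltration in outbound query logs.

Added example, not code from the article or CISA. Assumptions: one query per
line as "<timestamp> <client> <qtype> <qname>", the registered domain is the
last two labels (no public-suffix list), and the thresholds are illustrative.
"""
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random base32/base64 data scores well above 3."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client, qtype, qname)."""
    ts, client, qtype, qname = line.split()
    return ts, client, qtype, qname.rstrip(".").lower()


def registered_domain(qname: str) -> str:
    """Assumed rule: the last two labels. A real deployment would use the PSL."""
    return ".".join(qname.split(".")[-2:])


def find_exfil(lines, min_unique=5, min_len=24, min_entropy=3.2, min_bytes=150):
    """Group queries by (client, registered domain) and flag groups whose
    subdomain payloads are numerous, long, high-entropy and sizeable in total."""
    groups = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        _, client, _, qname = parse_line(line)
        base = registered_domain(qname)
        payload = qname[: -len(base) - 1] if qname != base else ""
        groups[(client, base)].append(payload)

    flagged = []
    for (client, base), payloads in groups.items():
        unique = set(payloads)
        if len(unique) < min_unique:
            continue
        avg_len = sum(len(p) for p in unique) / len(unique)
        avg_ent = sum(shannon_entropy(p.replace(".", "")) for p in unique) / len(unique)
        total = sum(len(p) for p in payloads)  # bytes carried in the labels
        if avg_len >= min_len and avg_ent >= min_entropy and total >= min_bytes:
            flagged.append({
                "client": client, "domain": base,
                "queries": len(payloads), "unique": len(unique),
                "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
                "bytes": total,
            })
    return flagged


# Constructed log: normal lookups from two hosts plus eight encoded-looking
# subdomains that 10.0.0.5 sends to t.example.net within a few seconds.
SAMPLE_LOG = """\
2025-12-02T10:00:01Z 10.0.0.5 A www.example.com
2025-12-02T10:00:02Z 10.0.0.7 A www.example.com
2025-12-02T10:00:02Z 10.0.0.7 A mail.example.com
2025-12-02T10:00:03Z 10.0.0.7 A api.example.com
2025-12-02T10:00:03Z 10.0.0.7 A cdn.example.com
2025-12-02T10:00:04Z 10.0.0.7 A static.example.com
2025-12-02T10:00:04Z 10.0.0.7 A img.example.com
2025-12-02T10:00:05Z 10.0.0.5 A mail.example.com
2025-12-02T10:00:06Z 10.0.0.5 A k3v9qz2xm8bw4rp7nd0jy6ct1hf5gl.t.example.net
2025-12-02T10:00:06Z 10.0.0.5 A a7e1rt4us0vw9bx3cz6dy2fg8hj5kl.t.example.net
2025-12-02T10:00:07Z 10.0.0.5 A m2n6p0q4r8s1t5u9v3w7x0y4z8a2b6.t.example.net
2025-12-02T10:00:07Z 10.0.0.5 A c9d3e7f1g5h9i3j7k1l5m9n3o7p1q5r9.t.example.net
2025-12-02T10:00:08Z 10.0.0.5 A s2t8u4v0w6x2y8z4a0b6c2d8e4f0g6h2.t.example.net
2025-12-02T10:00:08Z 10.0.0.5 A z1y2x3w4v5u6t7s8r9q0p1o2n3m4l5k6.t.example.net
2025-12-02T10:00:09Z 10.0.0.5 A j8h6g4f2d0b9z7x5v3t1r9p7n5l3k1i9.t.example.net
2025-12-02T10:00:09Z 10.0.0.5 A 0a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p.t.example.net
"""

if __name__ == "__main__":
    for hit in find_exfil(SAMPLE_LOG.splitlines()):
        print(hit)
```

Host 10.0.0.7 also sends six distinct subdomains to one domain, but they are short and low-entropy hostnames, so the length and entropy tests keep it out; the detection only fires on the client whose labels look like encoded data. Tune the thresholds against your own baseline, and remember that HTTPS egress (the other channel the report mentions) needs a separate control, such as proxy logging or TLS inspection.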

Beyond the specific technical mitigation, the inclusion of the vulnerability in the CISA catalogue and the order to federal agencies serve as a reminder that incident response and basic hygiene, meaning rapid patching, monitoring and network segmentation, remain the most effective defense against campaigns run by advanced actors. For administrators who need the official patch reference, the Zimbra note lists the fixed versions and recommended steps: Patch and update - Zimbra, and the CISA notice sets out the threat and the obligations in the public sector: CISA alert.
The lesson for small and large organizations alike is clear: the entry point may be somewhere that does not look dangerous; an e-mail without attachments or links can be enough to compromise an entire system if the mail service has an exploitable vulnerability. Keeping software up to date, reducing the attack surface (for example, disabling active HTML rendering in webmail where it is not needed) and preparing response plans that include rapid access revocation and outbound traffic inspection are the measures that make the difference when sophisticated campaigns such as Operation GhostMail appear.
If you want to dig into the technical details of the exploitation or need the references cited in this article, these are the sources consulted: the vulnerability record in the NVD (CVE-2025-66376), the Zimbra patch notice (Zimbra Patch Release), Seqrite's technical report on Operation GhostMail (Seqrite Labs) and CISA's official communication (CISA alert), as well as the catalogue of exploited vulnerabilities (Known Exploited Vulnerabilities Catalog).