CISA Warns: Zimbra Vulnerability Exploited in Collaboration Suite

A high-severity vulnerability impacting the Zimbra Collaboration Suite (ZCS) has been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.

Tracked as CVE-2025-66376, this security flaw is currently facing active exploitation in the wild. Organizations utilizing Zimbra must urgently prioritize remediation to prevent unauthorized access and potential data compromise.

The vulnerability is a stored cross-site scripting (XSS) issue in the Classic User Interface of the Zimbra Collaboration Suite.

Threat actors can exploit this weakness by crafting malicious emails containing specifically formatted code. The attack relies on abusing Cascading Style Sheets (CSS) @import directives embedded directly within the HTML body of the email.

When a target opens the malicious message in the Classic UI, the embedded scripts run automatically in the context of the user’s active session.

This execution bypasses standard security boundaries, allowing attackers to potentially harvest session cookies, access sensitive email data, or execute unauthorized commands on behalf of the victim.

While it remains unknown whether this exploit is tied to ongoing ransomware campaigns, its ease of delivery via email makes it a critical threat.

Zimbra addressed this vulnerability in recent patch releases, specifically versions 10.1.13 and 10.0.18. Applying the patch fully mitigates the stored XSS vulnerability. As part of the security overhaul, Zimbra also upgraded the AntiSamy security library to version 1.7.8 and removed outdated, risky code from the platform.

Beyond security fixes, the 10.1.13 update delivers substantial user experience and performance enhancements. Administrators benefit from improved TLS handling, optimized memory management, and faster loading of email threads.

End-users gain a refined Modern Web App experience, featuring improved drag-and-drop file management, reliable copy-paste formatting from Microsoft Office, and enhanced tag organization.

Additionally, the update ensures compatibility with Outlook 2024 and maintains support for Legacy Exchange Web Services (EWS).

CISA Mandate and EOL Warning

In response to the active exploitation, CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies apply the necessary Zimbra patches by April 1, 2026.

Private organizations are strongly encouraged to follow this same deadline. If applying the patch is not possible, CISA recommends discontinuing the use of the vulnerable product immediately.

System administrators must also note that Zimbra version 10.0 officially reached its End of Life (EOL) on December 31, 2025.

Organizations still operating on the 10.0 release cycle must plan an immediate migration to Zimbra 10.1 to maintain security compliance.

Operating on an EOL platform will leave infrastructure permanently exposed to future unpatched vulnerabilities.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.