Zimbra Vulnerability - Russian APT Targets Ukraine Users
In short: a Russian state-sponsored group is exploiting a flaw in Zimbra webmail to steal data from users in Ukraine.
A high-severity vulnerability in Zimbra is being exploited by a Russian APT against Ukraine. This puts sensitive user data at risk. Immediate patching is essential to prevent attacks.
The Flaw
A serious vulnerability has been identified in Zimbra Collaboration, affecting its Classic UI. The flaw, tracked as CVE-2025-66376, carries a CVSS score of 7.2 (high severity). It stems from insufficient sanitization of CSS content in HTML emails: attacker-controlled style content survives filtering, and script smuggled through it runs in the recipient's browser as soon as the message is opened in the webmail client. This is a stored cross-site scripting (XSS) flaw rather than server-side remote code execution; the script executes inside the victim's authenticated webmail session, which is enough to take over the mailbox and reach whatever data and systems that account can reach.
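The bug class described above, insufficient sanitization of CSS, usually comes down to a filter that checks the raw text while the browser normalises the text first. The following is an added example written for this page (it is not Zimbra's sanitizer and not the CVE-2025-66376 payload): a denylist filter beside an allowlist filter, run over constructed inline-style declarations. The property and function allowlists, the sample declarations and the rule that url() must point at https are assumptions made for the demonstration.

```python
"""Why denylist CSS filtering fails, and an allowlist alternative.

Added example; this is not Zimbra's sanitizer and not the CVE-2025-66376
payload.  It illustrates the bug class the advisory describes: CSS in an
HTML email that a filter does not normalise before checking.  All sample
declarations below are constructed for this demonstration.
"""
import re

# Constructed inline-style declarations an HTML email might carry.
SAMPLE_STYLES = [
    "color: red; font-size: 12px",
    "background: url(javascript:alert(1))",
    "width: expr/**/ession(alert(1))",       # a comment splits the token
    "width: \\65 xpression(alert(1))",       # \65 is the CSS hex escape for 'e'
    "behavior: url(evil.htc)",
    "background: url(https://example.org/img.png)",
]

# --- Denylist filter: looks for forbidden tokens in the raw text ----------
DENY_TOKENS = re.compile(r"javascript:|expression\(|behavior:|-moz-binding", re.I)


def naive_sanitize(css: str) -> str:
    """Drops the whole style if a forbidden token appears literally.
    Browsers strip comments and decode escapes before interpreting CSS,
    so a token the filter never sees can still reach the engine."""
    return "" if DENY_TOKENS.search(css) else css


# --- Allowlist filter: normalise first, then keep only known-safe shapes --
ALLOWED_PROPERTIES = {
    "color", "background", "background-color", "font-family", "font-size",
    "font-weight", "text-align", "margin", "padding", "border", "width", "height",
}
ALLOWED_FUNCTIONS = {"rgb", "rgba", "hsl", "hsla", "url"}

_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n]?")
_CHAR_ESCAPE = re.compile(r"\\(.)", re.S)
_FUNCTION = re.compile(r"([a-zA-Z-]+)\s*\(")
_URL_TARGET = re.compile(r"url\(\s*['\"]?\s*([^'\")]*)", re.I)


def _decode_hex(m: "re.Match") -> str:
    code = int(m.group(1), 16)
    return chr(code) if 0 < code <= 0x10FFFF else "\ufffd"


def normalize(css: str) -> str:
    """Apply the transformations a browser applies before parsing:
    strip comments, decode hex escapes, then decode single-char escapes."""
    css = _COMMENT.sub("", css)
    css = _HEX_ESCAPE.sub(_decode_hex, css)
    return _CHAR_ESCAPE.sub(r"\1", css)


def value_is_safe(value: str) -> bool:
    """Reject unknown functions, non-https url() targets and leftover
    metacharacters that could break out of the declaration."""
    if any(ch in value for ch in "\\<>{}"):
        return False
    if any(fn.lower() not in ALLOWED_FUNCTIONS for fn in _FUNCTION.findall(value)):
        return False
    return all(t.strip().lower().startswith("https://") for t in _URL_TARGET.findall(value))


def hardened_sanitize(css: str) -> str:
    """Keep only declarations whose property is allowlisted and whose value
    passes value_is_safe(); everything else is dropped, not 'cleaned'.
    Splitting on ';' is a simplification; a real sanitizer tokenizes CSS."""
    kept = []
    for decl in normalize(css).split(";"):
        if ":" not in decl:
            continue
        prop, value = decl.split(":", 1)
        prop, value = prop.strip().lower(), value.strip()
        if prop in ALLOWED_PROPERTIES and value_is_safe(value):
            kept.append(f"{prop}: {value}")
    return "; ".join(kept)


def bypasses_naive(styles):
    """Styles the denylist lets through but the allowlist rejects."""
    return [s for s in styles if naive_sanitize(s) and not hardened_sanitize(s)]


if __name__ == "__main__":
    for s in SAMPLE_STYLES:
        print(f"{s!r:50} naive={naive_sanitize(s)!r:45} hardened={hardened_sanitize(s)!r}")
    print("denylist bypasses:", bypasses_naive(SAMPLE_STYLES))
```

The two obfuscated samples (comment-split and hex-escaped "expression") pass the denylist untouched and are rejected only after normalization. The design point is the order of operations: canonicalise exactly as the consumer will, then decide, and decide by allowlist so that an unknown construct fails closed.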
The vulnerability was patched in November 2025 with Zimbra versions 10.1.13 and 10.0.18. However, many users may not have updated their systems, leaving them exposed to potential attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the patch within two weeks as mandated by Binding Operational Directive (BOD) 22-01.
Who's Being Targeted
Reports indicate that Russian state-sponsored threat actors, specifically APT28, are actively exploiting this vulnerability in targeted attacks against Ukraine. Affected entities include critical national infrastructure organizations, such as those involved in maritime and hydrographic support for shipping. On January 22, a phishing email was sent to one such organization, originating from a compromised account of a Ukrainian student.
The attackers use the flaw to steal sensitive information from victims' mailboxes. The embedded JavaScript runs silently as soon as the email is opened, harvesting credentials, session tokens, 2FA codes and, according to the report, browser-saved passwords. The stolen data is exfiltrated over both DNS and HTTPS, two channels that almost every environment allows outbound, which makes the activity hard to spot.
Patch Status
A patch for CVE-2025-66376 is available, and administrators are strongly advised to update their Zimbra deployments immediately. Vulnerabilities in collaboration software like Zimbra are frequently targeted by threat actors, which makes timely updates crucial. In addition to this vulnerability, a local file inclusion (LFI) issue in Zimbra was also flagged recently, part of a pattern of Zimbra flaws being exploited in intelligence-driven campaigns.
Security researchers emphasize the importance of maintaining updated software to prevent such attacks. Regular patching and monitoring for vulnerabilities can significantly reduce the risk of exploitation by threat actors.
Immediate Actions
Organizations using Zimbra should take immediate action to protect themselves. Here are some recommended steps:
- Update Zimbra to a patched release (10.1.13, 10.0.18 or later). The installed version can be checked with the zmcontrol -v command, run as the zimbra user. This is the one step that actually closes the hole.
- Educate users about phishing, with the caveat that this flaw fires when a message is opened in the Classic UI, with no link to click, so awareness reduces exposure but does not replace patching.
- Enforce multi-factor authentication on mailboxes. Note that the script described above harvests session tokens and 2FA codes, so MFA raises the cost of reusing stolen credentials rather than blocking the initial compromise; shorten session lifetimes and invalidate existing sessions after patching.
- Monitor network traffic for exfiltration. The reported campaign moved data over DNS and HTTPS, so watch for bursts of long or high-entropy subdomains under a single zone, unusual query volume to one zone from a single host, and webmail clients opening HTTPS connections to unfamiliar destinations.
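Since the reported campaign exfiltrates over DNS, the monitoring step above can be made concrete. The following is an added example for this page, not a vendor tool and not from the original article: a heuristic detector that reads resolver query logs, groups queries by client and zone, and flags a pair whose subdomain labels are numerous, long and high-entropy. The log layout ("time client qname qtype"), the sample lines and the thresholds are constructed assumptions; adapt parse() and the thresholds to your resolver's log format and baseline traffic.

```python
"""Heuristic detection of DNS-based exfiltration from resolver query logs.

Added example for the monitoring advice above; not from the original page
and not a vendor tool.  The log lines are constructed for this demo in a
simple 'time client qname qtype' layout; adapt parse() to your resolver's
format (BIND querylog, Unbound, Zeek dns.log).  The thresholds are
assumptions to tune per environment.
"""
import math
from collections import Counter, defaultdict

# Constructed sample: normal lookups from two hosts, plus one host sending
# many unique, long, high-entropy labels under a single zone, the classic
# shape of a DNS exfiltration channel.
SAMPLE_LOG = """\
09:00:01 10.0.0.5 www.example.com A
09:00:02 10.0.0.5 mail.example.com A
09:00:03 10.0.0.7 cdn.example.net AAAA
09:00:04 10.0.0.7 www.example.com A
09:00:05 10.0.0.7 3a7f9c2e1b8d0456.sample-exfil.test TXT
09:00:05 10.0.0.7 9e1d0c7b5a4f3862.sample-exfil.test TXT
09:00:06 10.0.0.7 b2c4d6e8f0a13579.sample-exfil.test TXT
09:00:06 10.0.0.7 f1e2d3c4b5a69078.sample-exfil.test TXT
09:00:07 10.0.0.7 7a8b9c0d1e2f3456.sample-exfil.test TXT
09:00:07 10.0.0.7 c0ffee1234567890.sample-exfil.test TXT
09:00:08 10.0.0.5 www.example.net A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; 4.0 is the maximum for a 16-symbol (hex) alphabet."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse(log_text: str):
    """Yield (time, client, qname, qtype); skip blank or malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        yield ts, client, qname.rstrip(".").lower(), qtype.upper()


def flag_dns_exfil(log_text: str, min_unique: int = 5,
                   min_label_len: int = 12, min_entropy: float = 3.0):
    """Group queries by (client, zone) and flag groups whose leftmost labels
    are numerous, long and high-entropy.  Zone = last two labels, which is
    not public-suffix aware (co.uk etc.); use a PSL library in production."""
    stats = defaultdict(lambda: {"subs": set(), "lens": [], "ents": [], "qtypes": set()})
    for _, client, qname, qtype in parse(log_text):
        labels = qname.split(".")
        if len(labels) < 3:          # bare zone apex, nothing to encode data in
            continue
        zone = ".".join(labels[-2:])
        first = labels[0]
        s = stats[(client, zone)]
        s["subs"].add(".".join(labels[:-2]))
        s["lens"].append(len(first))
        s["ents"].append(shannon_entropy(first))
        s["qtypes"].add(qtype)

    flagged = []
    for (client, zone), s in stats.items():
        unique = len(s["subs"])
        mean_len = sum(s["lens"]) / len(s["lens"])
        mean_ent = sum(s["ents"]) / len(s["ents"])
        if unique >= min_unique and mean_len >= min_label_len and mean_ent >= min_entropy:
            flagged.append({
                "client": client, "zone": zone,
                "unique_subdomains": unique,
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "qtypes": sorted(s["qtypes"]),
            })
    return sorted(flagged, key=lambda f: -f["unique_subdomains"])


if __name__ == "__main__":
    for hit in flag_dns_exfil(SAMPLE_LOG):
        print(hit)
```

On the sample, only the 10.0.0.7 / sample-exfil.test pair trips all three thresholds; the legitimate www, mail and cdn lookups stay well below them. In practice the thresholds should be set from a baseline of your own resolver logs, and hits should be correlated with the HTTPS side (new destinations from the same client) before anyone is paged.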
By staying vigilant and proactive, organizations can better defend against the evolving tactics of state-sponsored threat actors like APT28.
SecurityWeek