State-sponsored APT28 actors exploited a high-severity Zimbra Collaboration Suite XSS flaw (CVE-2025-66376) to achieve remote code execution and compromise Ukrainian government email servers. CISA added the bug to its catalog of vulnerabilities exploited in the wild and ordered federal agencies to patch within two weeks after researchers linked Operation GhostMail to obfuscated JavaScript attacks that harvested credentials, tokens, backup 2FA codes, and mailbox data. #APT28 #CVE-2025-66376
Keypoints
- CVE-2025-66376 is a stored XSS in Zimbra that can allow unauthenticated attackers to achieve remote code execution.
- The flaw was patched in early November but was actively exploited by APT28 in attacks against Ukrainian government entities.
- CISA added the vulnerability to its exploited-in-the-wild catalog and ordered federal agencies to remediate within two weeks under BOD 22-01.
- Operation GhostMail used HTML-only phishing with obfuscated JavaScript that runs in vulnerable Zimbra webmail to harvest credentials and session data.
- Exfiltrated items included credentials, session tokens, backup 2FA codes, browser-saved passwords, and up to 90 days of mailbox contents over DNS and HTTPS.
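The key points above describe the delivery vehicle (HTML-only phishing carrying obfuscated JavaScript that executes inside the webmail client) but not how a mail gateway could triage such messages before they reach a Zimbra mailbox. The following is an added example, not code from the original report or from any Zimbra component: a small Python checker that scans the HTML body and any `.htm`/`.html` attachments of an RFC 822 message for script tags, inline event handlers, common obfuscation APIs (`eval`, `atob`, `unescape`, `String.fromCharCode`) and long encoded blobs, and scores the result. The indicator weights and threshold are assumptions for illustration, and both sample messages are constructed inline; they are not real Operation GhostMail artifacts.

```python
"""Triage inbound mail for HTML parts that carry embedded or obfuscated JavaScript.

Added example (not the report's or Zimbra's code). Indicator weights, the
threshold and the sample messages are constructed assumptions.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# (name, pattern, weight): any script content in mail is already unusual;
# obfuscation helpers and long encoded blobs raise the score further.
INDICATORS = [
    ("script_tag", re.compile(r"<\s*script\b", re.I), 3),
    ("event_handler",
     re.compile(r"\bon(?:load|error|mouseover|focus|click)\s*=", re.I), 2),
    ("js_obfuscation_api",
     re.compile(r"\b(?:eval|atob|unescape|String\.fromCharCode)\s*\(", re.I), 2),
    ("long_encoded_blob", re.compile(r"[A-Za-z0-9+/=]{200,}"), 1),
]
SUSPICIOUS_THRESHOLD = 3  # assumed cut-off; tune against your own mail corpus


def score_html(html: str):
    """Return (score, [indicator names]) for one HTML document."""
    score, findings = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(html):
            score += weight
            findings.append(name)
    return score, findings


def html_parts(msg):
    """Yield (label, text) for the text/html body and any .htm/.html attachment."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        is_html = (part.get_content_type() == "text/html"
                   or filename.lower().endswith((".htm", ".html")))
        if not is_html:
            continue
        raw = part.get_payload(decode=True) or b""  # undo base64/quoted-printable
        charset = part.get_content_charset() or "utf-8"
        yield (filename or "body"), raw.decode(charset, errors="replace")


def triage(raw_message: bytes) -> dict:
    """Parse a raw message and return a verdict with per-part findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    total, findings = 0, []
    for label, html in html_parts(msg):
        score, names = score_html(html)
        total += score
        findings.extend(f"{label}:{name}" for name in names)
    verdict = "suspicious" if total >= SUSPICIOUS_THRESHOLD else "clean"
    return {"score": total, "findings": findings, "verdict": verdict}


def _build(subject: str, html_body: str, attachment=None) -> bytes:
    """Construct a sample message (constructed test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = subject
    msg.set_content("plain-text fallback")
    msg.add_alternative(html_body, subtype="html")
    if attachment:
        name, data = attachment
        msg.add_attachment(data, subtype="html", filename=name)
    return msg.as_bytes()


# Constructed samples: a harmless notice and an HTML attachment whose only
# content is a script that decodes a long blob at runtime (blob is filler).
BENIGN_SAMPLE = _build(
    "Meeting reminder",
    "<html><body><p>Meeting at 10:00 in room B.</p></body></html>",
)
SUSPICIOUS_SAMPLE = _build(
    "Invoice",
    "<html><body><p>Please open the attached invoice.</p></body></html>",
    attachment=("invoice.html",
                '<html><body><script>eval(atob("' + "QUFB" * 70
                + '"))</script></body></html>'),
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, triage(sample))
```

In a gateway this check would sit alongside, not replace, attachment-type policy (many organisations simply quarantine HTML attachments outright) and the vendor patch for CVE-2025-66376, since the heuristics only catch the delivery pattern the report describes and trivially different obfuscation will change the score.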