CISA has ordered federal agencies to secure Zimbra Collaboration Suite servers after active exploitation of a stored XSS vulnerability (CVE-2025-66376) that can be abused via CSS @import in HTML emails to execute arbitrary JavaScript. The agency added the flaw to its catalog of vulnerabilities exploited in the wild and gave FCEB agencies until April 1 under BOD 22-01 to patch or apply mitigations, while warning all organizations to update or discontinue the product if mitigations are unavailable. #Zimbra #CVE-2025-66376 #CVE-2025-27915 #Synacor #WinterVivern
Key points
- CISA ordered FCEB agencies to secure Zimbra servers by April 1 under Binding Operational Directive 22-01.
- The vulnerability CVE-2025-66376 is a high-severity stored XSS in the Zimbra Classic UI exploitable via CSS @import in email HTML.
- Successful exploitation can execute arbitrary JavaScript, enabling session hijacking and data theft within compromised Zimbra instances.
- Synacor patched the flaw in early November but provided limited impact details, and CISA added the issue to its catalog of actively exploited vulnerabilities.
- Zimbra has a history of large-scale exploitation, including breaches in 2022 and attacks by groups like Winter Vivern, and recent abuse of CVE-2025-27915 to create malicious email filters.
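The key points above describe the exploitation path as a CSS `@import` rule delivered inside an HTML email body. A mail gateway or ingestion pipeline can flag and neutralize that pattern before the message reaches a webmail client, which is a useful compensating control while servers are being patched. The following is an added illustration written for this article, not Zimbra's, Synacor's or CISA's code: a hypothetical filter that scans the decoded `text/html` part of a message for `@import` rules inside `<style>` elements and inline `style` attributes, reports them, and rewrites the rules out. The sample messages are constructed. Its literal-token regex will not catch CSS escape sequences or other obfuscation, so it is a detection aid and not a substitute for applying the vendor update.

```python
"""Flag and neutralize CSS @import rules in HTML email bodies.

Hypothetical mail-gateway filter written for this article (not Zimbra or
Synacor code). Assumes the gateway hands it the decoded text/html part of a
message as a string. Limitation: it matches the literal at-keyword only, so
CSS escape sequences or other obfuscation are not detected by this regex.
"""
import re
from html.parser import HTMLParser

# An @import rule: the at-keyword through its terminating semicolon (if any).
# CSS at-keywords are case-insensitive.
CSS_IMPORT_RE = re.compile(r"@import\b[^;]*;?", re.IGNORECASE)

# Contexts where CSS is interpreted: <style> elements and style="..." attributes.
STYLE_ELEMENT_RE = re.compile(r"(<style\b[^>]*>)(.*?)(</style\s*>)",
                              re.IGNORECASE | re.DOTALL)
STYLE_ATTR_RE = re.compile(r"""(\bstyle\s*=\s*)(["'])(.*?)\2""",
                           re.IGNORECASE | re.DOTALL)


class CssImportScanner(HTMLParser):
    """Collects every @import rule found in <style> content or style attributes."""

    def __init__(self):
        super().__init__()
        self._in_style = False
        self.findings = []  # list of (context, matched_rule_text)

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if name == "style" and value:
                for m in CSS_IMPORT_RE.finditer(value):
                    self.findings.append((f"<{tag} style=...>", m.group(0)))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # html.parser delivers <style> content raw, so the rule text is intact.
        if self._in_style:
            for m in CSS_IMPORT_RE.finditer(data):
                self.findings.append(("<style>", m.group(0)))


def find_css_imports(html: str):
    """Return a list of (context, rule) for every @import in CSS contexts."""
    scanner = CssImportScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def should_quarantine(html: str) -> bool:
    """Policy hook: any @import in an email's CSS is grounds to hold the message."""
    return bool(find_css_imports(html))


def neutralize_css_imports(html: str) -> str:
    """Rewrite @import rules out of <style> blocks and style attributes.

    Only CSS contexts are touched, so an '@import' mentioned in the visible
    text of a message is left alone.
    """
    def strip_rules(css: str) -> str:
        return CSS_IMPORT_RE.sub("/* import rule removed by gateway */", css)

    html = STYLE_ELEMENT_RE.sub(
        lambda m: m.group(1) + strip_rules(m.group(2)) + m.group(3), html)
    html = STYLE_ATTR_RE.sub(
        lambda m: m.group(1) + m.group(2) + strip_rules(m.group(3)) + m.group(2),
        html)
    return html


# Constructed sample messages (not real email captures).
SAMPLE_CLEAN = ("<html><body><p style='color:#333'>Quarterly report attached."
                "</p></body></html>")
SAMPLE_SUSPECT = (
    "<html><head><style>body{font-family:sans-serif} "
    "@import url('https://example.invalid/x.css');</style></head>"
    "<body><div style=\"@import 'https://example.invalid/y.css'; color:red\">"
    "hi</div></body></html>")

if __name__ == "__main__":
    for label, msg in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        print(label, "quarantine:", should_quarantine(msg),
              "findings:", find_css_imports(msg))
```

In a gateway, `should_quarantine` would drive the hold decision and `neutralize_css_imports` would be applied to messages that are delivered anyway; the scanner keeps the matched rule text so the finding can be logged alongside sender and message identifiers for incident triage.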