CISA Adds Actively Exploited Zimbra XSS Flaw to KEV Catalog
CISA added CVE-2025-66376 to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation of a stored cross-site scripting (XSS) flaw in Synacor Zimbra Collaboration Suite (ZCS). The vulnerability affects the Classic UI and allows remote unauthenticated attackers to abuse CSS @import directives embedded in email HTML, creating a path to execute malicious JavaScript in a victim's browser session. The KEV entry describes the issue as a CWE-79 XSS vulnerability and directs organizations to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable.
CISA ordered Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw by April 1, while also urging private-sector organizations to patch quickly because the bug is being exploited in the wild. Reporting on the KEV addition notes that the flaw was patched by Zimbra earlier and could enable session hijacking and theft of sensitive data within affected Zimbra environments through malicious HTML email content. The same KEV update also included other unrelated vulnerabilities, but the Zimbra entry is the relevant event tied to the active exploitation warning and federal patching directive.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CISA orders federal agencies to patch exploited Zimbra flaw
CISA ordered U.S. federal civilian agencies to remediate CVE-2025-66376 under Binding Operational Directive 22-01 after confirming active exploitation in the wild. Federal Civilian Executive Branch agencies were given until 2026-04-01 to secure affected Zimbra servers, while private-sector organizations were urged to patch immediately.
CISA adds CVE-2025-66376 to the KEV catalog
CISA added the actively exploited Zimbra flaw CVE-2025-66376 to its Known Exploited Vulnerabilities catalog as part of the March 18, 2026 KEV update. The catalog entry directed organizations to apply vendor mitigations or discontinue use if no fix is available.
Synacor patches Zimbra stored XSS flaw CVE-2025-66376
Synacor released a fix for CVE-2025-66376 in Zimbra Collaboration Suite in early November 2025. The high-severity stored XSS bug affects the Classic UI and can be triggered via malicious HTML emails using CSS @import directives.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Adds Microsoft SharePoint and Zimbra Vulnerabilities to KEV Catalog
**CISA** added two newly tracked flaws to its **Known Exploited Vulnerabilities (KEV)** catalog: **CVE-2026-20963** in **Microsoft SharePoint** and **CVE-2025-66376** in **Synacor Zimbra Collaboration Suite**. The SharePoint issue is a deserialization of untrusted data vulnerability, mapped to `CWE-502`, that can allow code execution over the network; CISA’s KEV entry describes it as enabling an unauthorized attacker to execute code remotely. The Zimbra issue is a stored cross-site scripting flaw in the Classic UI, mapped to `CWE-79`, in which attackers can abuse CSS `@import` directives in email HTML. CISA’s KEV update requires federal civilian executive branch agencies to remediate the SharePoint flaw by **2026-03-21** and the Zimbra flaw by **2026-04-01**, or follow applicable mitigation guidance under **BOD 22-01**. The GitHub KEV data commit confirms both additions and records the required actions as applying vendor mitigations, following cloud-service guidance where relevant, or discontinuing use if mitigations are unavailable. The reporting also notes that, while the KEV catalog is binding on federal agencies, private organizations should review the catalog and prioritize these vulnerabilities because CISA has identified them as actively exploited.
Mar 22, 2026
Actively Exploited Zimbra XSS Leaves Over 10,000 Servers Exposed
More than 10,000 internet-exposed **Zimbra Collaboration Suite** servers remain vulnerable to `CVE-2025-48700`, an actively exploited cross-site scripting flaw that affects ZCS versions `8.8.15`, `9.0`, `10.0`, and `10.1`. The bug lets unauthenticated attackers execute arbitrary JavaScript in a victim’s session and steal sensitive data when a user opens a malicious email in the **Zimbra Classic UI**. Synacor released patches in June 2025, but Shadowserver still reported roughly **10,500** exposed unpatched systems, with the largest concentrations in Asia and Europe. **CISA** has added `CVE-2025-48700` to its **Known Exploited Vulnerabilities** catalog and ordered Federal Civilian Executive Branch agencies to secure affected servers within days because the flaw is being abused in the wild. The warning follows a broader pattern of Zimbra vulnerabilities being used in espionage-focused campaigns, with reporting linking earlier exploitation of similar flaws to Russian-aligned groups including **APT28**, **APT29**, and **Winter Vivern** against Ukrainian entities, NATO-aligned organizations, and other targets.
Apr 28, 2026
CISA Adds Four Actively Exploited Vulnerabilities to the KEV Catalog
CISA added four vulnerabilities to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation: **CVE-2025-31125** (Vite/Vitejs improper access control), **CVE-2025-34026** (Versa Concerto improper authentication), **CVE-2025-54313** (*eslint-config-prettier* embedded malicious code), and **CVE-2025-68645** (Synacor **Zimbra Collaboration Suite** PHP remote file inclusion). Under **Binding Operational Directive (BOD) 22-01**, U.S. Federal Civilian Executive Branch agencies must remediate KEV-listed issues by CISA’s specified due dates; CISA also urged all organizations to prioritize patching these KEV entries as part of routine vulnerability management. Reporting on the update highlighted technical risk details for several of the newly listed items, including an authentication bypass in **Versa Concerto** (reported as affecting versions 12.1.2 through 12.2.0) tied to a Traefik reverse-proxy misconfiguration that could expose administrative endpoints (including an internal Actuator endpoint with access to heap dumps and trace logs). It also described the supply-chain impact of the **eslint-config-prettier** malicious code issue, where installing affected versions can execute an `install.js` that launches Windows malware, and noted the **Zimbra** webmail flaw enabling unauthenticated file inclusion from the web root in affected 10.0/10.1 versions. Separately, CISA also published an ICS advisory for **EVMAPA** EV-charging infrastructure vulnerabilities, but that advisory is not part of the KEV-additions event.
Mar 21, 2026