CISA orders feds to patch Zimbra XSS flaw exploited in attacks
Summary: CISA has ordered U.S. government agencies to fix CVE-2025-66376, a high-severity vulnerability in Zimbra Collaboration Suite that can be exploited through stored XSS to steal sensitive data. Agencies must complete remediation by April 1, and all organizations are encouraged to patch as soon as possible.

2026-03-18 20:00:21 Author: www.bleepingcomputer.com (view original)


CISA has ordered U.S. government agencies to secure their servers against an actively exploited vulnerability in the Zimbra Collaboration Suite (ZCS).

Zimbra is a very popular email and collaboration software suite used by hundreds of millions of people worldwide, including thousands of businesses and hundreds of government agencies.

Tracked as CVE-2025-66376 and patched in early November, this high-severity security flaw stems from a stored cross-site scripting (XSS) weakness in the Classic UI. Remote, unauthenticated attackers can exploit it by embedding Cascading Style Sheets (CSS) @import directives in the HTML body of an email, so the only interaction required of a victim is viewing the message in the Classic UI.

While Synacor (the company behind Zimbra) didn't share any details on the impact of a successful CVE-2025-66376 attack, a stored XSS of this kind can likely be exploited to execute arbitrary JavaScript in the victim's webmail session via malicious HTML-based emails, potentially allowing attackers to hijack user sessions and steal sensitive data within the compromised Zimbra environment.
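The attack vector described above is CSS @import inside email HTML, which mail gateways and SOC triage scripts can check for independently of the vendor patch. The following is an added example, not Zimbra's code and not the fix Synacor shipped: a small Python helper that pulls the CSS out of `<style>` blocks and `style=""` attributes of an HTML body, undoes CSS backslash escapes (so that an obfuscated `@\69 mport` is caught as well as a plain `@import`), and returns a deliver/quarantine verdict per message. The message bodies, message IDs and the `attacker.invalid` hostnames are constructed for the example; it assumes MIME decoding has already produced the text/html part as a string.

```python
"""Triage helper: flag CSS @import directives inside HTML email bodies.

Added example for illustration, not Zimbra code and not the vendor patch.
Assumes the text/html MIME part has already been decoded into a string.
"""
import re
from html.parser import HTMLParser

# CSS escape (CSS Syntax Level 3, "consume an escaped code point"):
# backslash + 1..6 hex digits + one optional whitespace, or backslash + any char.
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\(.)", re.S)
# An @import rule up to its terminating ';' (or end of the sheet).
_IMPORT_RULE = re.compile(r"@import\b[^;]*;?", re.I)


def unescape_css(text: str) -> str:
    """Resolve CSS backslash escapes so obfuscated keywords compare equal to
    their plain spelling. Comments are deliberately left alone: a comment
    placed inside the keyword (@im/**/port) also breaks it for the browser."""
    def repl(m: re.Match) -> str:
        if m.group(1) is not None:
            cp = int(m.group(1), 16)
            # NUL, surrogates and out-of-range values decode to U+FFFD per spec.
            if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
                return "\ufffd"
            return chr(cp)
        return m.group(2)
    return _CSS_ESCAPE.sub(repl, text)


class _StyleCollector(HTMLParser):
    """Collect the raw CSS carried by <style> blocks and style attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self._in_style = False
        self.sheets: list[str] = []   # contents of <style> elements
        self.inline: list[str] = []   # values of style="" attributes

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if name == "style" and value:
                self.inline.append(value)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser treats <style> content as CDATA, so it arrives verbatim.
        if self._in_style:
            self.sheets.append(data)


def find_css_imports(html: str) -> list[str]:
    """Return every @import rule found in the body's CSS after unescaping.
    An at-rule inside a style attribute is never legitimate in mail, so
    those are reported too. An empty list means no import was found."""
    collector = _StyleCollector()
    collector.feed(html)
    collector.close()
    hits: list[str] = []
    for css in collector.sheets + collector.inline:
        hits.extend(m.group(0).strip()
                    for m in _IMPORT_RULE.finditer(unescape_css(css)))
    return hits


def triage(messages: dict[str, str]) -> dict[str, str]:
    """Map message id -> 'quarantine' or 'deliver' for a batch of HTML bodies."""
    return {mid: ("quarantine" if find_css_imports(body) else "deliver")
            for mid, body in messages.items()}


# Constructed sample bodies (hypothetical ids and hostnames, not real mail).
SAMPLE_BODIES = {
    "msg-001": "<html><body><p>Quarterly report attached.</p></body></html>",
    "msg-002": '<html><head><style>@import url("https://attacker.invalid/x.css");'
               "</style></head><body>hi</body></html>",
    # Escaped keyword: a plain grep for "@import" misses this one.
    "msg-003": '<html><head><style>@\\69 MPORT "https://attacker.invalid/y.css" screen;'
               "</style></head></html>",
    "msg-004": '<div style="color:red;@import url(https://attacker.invalid/z.css)">text</div>',
}

if __name__ == "__main__":
    for mid, verdict in triage(SAMPLE_BODIES).items():
        print(mid, verdict, find_css_imports(SAMPLE_BODIES[mid]))
```

The escape handling is the part worth copying: CSS resolves `\69` to `i` before it recognises the at-keyword, so a filter that only looks for the literal string `@import` is bypassed by the third sample while the browser still honours it. The check is intentionally one-sided (it flags, it does not rewrite); any message that trips it should be held rather than "cleaned", since email HTML has no legitimate need to import external stylesheets.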

CISA added it to its catalog of vulnerabilities exploited in the wild on Wednesday and gave Federal Civilian Executive Branch (FCEB) agencies two weeks to secure their servers by April 1st, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021.

Although BOD 22-01 applies only to federal agencies, the U.S. cybersecurity agency encouraged all organizations, including those in the private sector, to patch this actively exploited flaw as soon as possible.

"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable," CISA warned. "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise."

Zimbra servers under attack

Zimbra security flaws are frequently targeted in attacks and have been exploited to breach thousands of vulnerable email servers worldwide in recent years.

For instance, as early as June 2022, Zimbra auth-bypass and remote code execution bugs were abused to breach more than 1,000 servers.

Starting in September 2022, hackers exploited a zero-day vulnerability in Zimbra Collaboration Suite, breaching nearly 900 servers within two months after gaining remote code execution on compromised instances.

The Russian state-backed Winter Vivern hacking group also used reflected XSS exploits to breach the Zimbra webmail portals of NATO-aligned governments and the mailboxes of government officials, military personnel, and diplomats.

More recently, threat actors exploited another Zimbra XSS vulnerability (CVE-2025-27915) in zero-day attacks to execute arbitrary JavaScript code, enabling them to set email filters that redirect messages to attacker-controlled servers.



Source: https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-zimbra-xss-flaw-exploited-in-attacks/