Russian hackers exploit Zimbra flaw in Ukrainian govt attacks
2026-03-19 15:00:21 Author: www.bleepingcomputer.com

Russian military hackers

Hackers part of APT28, a state-backed threat group linked to Russia's military intelligence service (GRU), are exploiting a Zimbra Collaboration Suite (ZCS) vulnerability in attacks targeting Ukrainian government entities.

This high-severity security flaw (tracked as CVE-2025-66376 and patched in early November) stems from a stored cross-site scripting (XSS) weakness that unauthenticated attackers can exploit to gain remote code execution (RCE) and compromise both the Zimbra server and the target's email account.

On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its catalog of vulnerabilities exploited in the wild. CISA also ordered Federal Civilian Executive Branch (FCEB) agencies to secure their servers within two weeks, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021.

While the U.S. cybersecurity agency didn't provide further details on the ongoing exploitation of CVE-2025-66376, security researchers at Seqrite Labs reported a day earlier that the Zimbra XSS vulnerability had been exploited by APT28 military hackers in attacks against Ukraine.

The Ukrainian State Hydrology Agency (a critical infrastructure entity under the Ministry of Infrastructure that provides navigational, maritime, and hydrographic support) was one of the targets of this phishing campaign (named Operation GhostMail).

"The phishing email has no malicious attachments, no suspicious links, no macros. The entire attack chain lives inside the HTML body of a single email, there are no malicious attachments," Seqrite Labs said.

CVE-2025-66376 attack flow (Seqrite Labs)

The APT28 (aka Fancy Bear, Strontium) hackers' malicious messages delivered an obfuscated JavaScript payload that exploits the CVE-2025-66376 vulnerability when the recipient opens the email in a vulnerable Zimbra webmail session.

"The script executes silently in the browser and begins harvesting credentials, session tokens, backup 2FA codes, browser-saved passwords, and the contents of the victim's mailbox going back 90 days with all the data exfiltrated over both DNS and HTTPS," the researchers added.
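The two observable traits described above, a phishing mail whose entire payload is script inside the HTML body and data leaving the network in DNS queries, are the traits a defender can hunt for independently of any particular Zimbra build. The following Python script is an added example written for this page; it is not code from BleepingComputer, Seqrite Labs or Zimbra. The sample mail bodies, the DNS query log and the domain `exfil-placeholder.test` are constructed, and the regex indicators and entropy thresholds are assumptions chosen for illustration, not published detection rules.

```python
import re
import math
from collections import defaultdict

# Constructed sample mail bodies.  msg-001 is benign; msg-002 carries an inline
# <script> tag and an event-handler attribute but no link and no attachment,
# which is the shape of an HTML-only XSS phishing mail.
SAMPLE_BODIES = {
    "msg-001": "<html><body><p>Quarterly hydrography report follows.</p></body></html>",
    "msg-002": ('<html><body><p>Hydrography notice</p>'
                '<img src="x" onerror="x()">'
                '<script>var a=1;</script></body></html>'),
}

# Constructed DNS query log as (client_ip, queried_name).  The last three
# queries carry long, high-entropy leading labels under one base domain, the
# pattern produced by encoding stolen data into subdomains.  The long but
# repetitive "aaaa..." label is included as a low-entropy edge case.
SAMPLE_DNS_LOG = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.net"),
    ("10.0.0.5", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.org"),
    ("10.0.0.5", "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0.exfil-placeholder.test"),
    ("10.0.0.5", "z9y8x7w6v5u4t3s2r1q0p9o8n7m6l5k4j3i2h1g0.exfil-placeholder.test"),
    ("10.0.0.5", "b2d4f6h8j0l2n4p6r8t0v2x4z6a1c3e5g7i9k1m3.exfil-placeholder.test"),
]

# Heuristic indicators of active content in a mail body (assumed patterns).
SCRIPT_RE = re.compile(r"<script\b", re.I)
EVENT_HANDLER_RE = re.compile(r"\son[a-z]+\s*=", re.I)
JS_URI_RE = re.compile(r"(href|src)\s*=\s*['\"]?\s*javascript:", re.I)


def html_script_indicators(html):
    """Return the names of active-content indicators found in one HTML body."""
    hits = []
    if SCRIPT_RE.search(html):
        hits.append("inline_script_tag")
    if EVENT_HANDLER_RE.search(html):
        hits.append("event_handler_attribute")
    if JS_URI_RE.search(html):
        hits.append("javascript_uri")
    return hits


def flagged_messages(bodies):
    """Map message id -> indicators for every body that has at least one."""
    result = {}
    for msg_id, html in bodies.items():
        hits = html_script_indicators(html)
        if hits:
            result[msg_id] = hits
    return result


def shannon_entropy(text):
    """Bits of entropy per character of a string (0.0 for a single repeated char)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def suspicious_dns(log, min_label_len=30, min_entropy=3.5, min_queries=3):
    """Flag (client, base_domain) pairs that repeatedly query long, high-entropy
    leading labels.  Thresholds are assumptions; tune them on real traffic."""
    counts = defaultdict(int)
    for client, qname in log:
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue  # need at least one label below the base domain
        leading = labels[0]
        base = ".".join(labels[-2:])
        if len(leading) >= min_label_len and shannon_entropy(leading) >= min_entropy:
            counts[(client, base)] += 1
    return sorted(key for key, seen in counts.items() if seen >= min_queries)


if __name__ == "__main__":
    print("mail bodies with active content:", flagged_messages(SAMPLE_BODIES))
    print("clients with DNS-tunnel-like queries:", suspicious_dns(SAMPLE_DNS_LOG))
```

The mail check is a cheap triage filter rather than a parser: HTML mail legitimately contains no `<script>` or `on*=` handlers, so any hit is worth a look even before the webmail build is confirmed as patched. The DNS check deliberately groups by base domain rather than by full name, because an exfiltration channel rotates the leading label on every query; it also ignores the long but low-entropy `aaaa...` label so that repetitive, non-encoded names do not trigger it.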

Zimbra security flaws are frequently targeted in attacks, including by Russian state-sponsored threat groups, and have been used to breach thousands of vulnerable email servers in recent years.

For instance, starting in February 2023, the Russian Winter Vivern cyberespionage group used another reflected XSS exploit to breach Zimbra webmail portals and spy on the communications of NATO-aligned organizations and persons, including government officials, military personnel, and diplomats.

In October 2024, U.S. and U.K. cyber agencies also warned that APT29 (aka Cozy Bear, Midnight Blizzard) hackers linked to Russia's Foreign Intelligence Service (SVR) were attacking vulnerable Zimbra servers "at a mass scale," exploiting a vulnerability previously used to steal email account credentials.

Zimbra is a widely popular email and collaboration software suite used by hundreds of millions of people, including hundreds of government agencies and thousands of businesses worldwide.



Source: https://www.bleepingcomputer.com/news/security/russian-apt28-military-hackers-exploit-zimbra-flaw-in-ukrainian-govt-attacks/