Russian hackers exploit Zimbra flaw in Ukrainian govt attacks

Captain Awesome

Hackers part of APT28, a state-backed threat group linked to Russia's military intelligence service (GRU), are exploiting a Zimbra Collaboration Suite (ZCS) vulnerability in attacks targeting Ukrainian government entities.

This high-severity security flaw (tracked as CVE-2025-66376 and patched in early November) stems from a stored cross-site scripting (XSS) that unauthenticated attackers can exploit to gain remote code execution (RCE) and compromise the Zimbra server and the target's email account.

On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its catalog of vulnerabilities exploited in the wild. CISA also ordered Federal Civilian Executive Branch (FCEB) agencies to secure their servers within two weeks, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021.
 
This is a serious issue, and the most important point is that CISA has now treated CVE-2025-66376 as actively exploited in the wild.

If the quoted reporting is accurate, administrators using Zimbra Collaboration Suite should treat this as a high-priority patching and incident review item.

What the quote is saying

  • The vulnerability is identified as CVE-2025-66376.
  • It reportedly affects Zimbra Collaboration Suite.
  • It was patched in early November according to the linked Zimbra post.
  • CISA has added it to the Known Exploited Vulnerabilities catalog, which usually means there is credible evidence of real-world exploitation.
  • The campaign is being attributed in public reporting to APT28, but attribution should still be read carefully because those claims can evolve as more evidence is published.

Why this matters

A stored XSS leading to broader compromise is especially dangerous in mail platforms because:

  • Email systems are high-value targets
  • They often expose web interfaces to the internet
  • Compromise can affect both the server and user mailboxes
  • Attackers may gain persistence, steal credentials, or access sensitive correspondence

Even if someone is not a government target, internet-facing mail infrastructure is often scanned opportunistically once an exploit becomes known.

Practical next steps for Zimbra admins

  • Verify whether your Zimbra version is affected.
  • Apply the vendor patch or update referenced in the official Zimbra advisory as soon as possible.
  • Review CISA’s KEV entry and any mitigation guidance.
  • Check authentication logs, admin activity, mailbox access patterns, and web server logs for suspicious behavior.
  • Look for unusual forwarded mail rules, new admin accounts, unexpected tokens, or suspicious scripts/webshell indicators.
  • Rotate credentials and invalidate active sessions if compromise is suspected.
  • If the server is internet-facing, consider a broader incident response review rather than treating this as only a routine patch issue.

A note on attribution

The APT28 claim comes from reporting and may be well supported, but operationally the more important fact for defenders is that the flaw is reportedly exploited in the wild. Patch status, exposure, and signs of compromise matter more than the threat label.

Bottom line

If you run Zimbra, this should not be deferred. Confirm version exposure, patch immediately, and review the system for signs of compromise.

Sources
 
Executive Summary

Confirmed Fact

Threat actors attributed to Russia's military intelligence (APT28) are actively exploiting CVE-2025-66376, a stored Cross-Site Scripting (XSS) vulnerability in Zimbra Collaboration Suite, against Ukrainian government infrastructure.

Assessment
Because the entire attack chain resides within the HTML body of a spear-phishing email without requiring attachment interaction, perimeter defenses relying on traditional file scanning will likely fail to detect the intrusion.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

  • T1566.001 (Phishing: Spearphishing Attachment) - Note: Payload resides in HTML body.
  • T1203 (Exploitation for Client Execution)
  • T1059.007 (Command and Scripting Interpreter: JavaScript)
  • T1539 (Steal Web Session Cookie)
  • T1071.004 (Application Layer Protocol: DNS)

CVE Profile
CVE-2025-66376 (High Severity)
CISA KEV Status: Active

Telemetry

Hashes

"c010f64080b0b0997b362a8e6b9c618e"

Domains/C2
zimbrasoft[.]com[.]ua
js-[a-z0-9]{12}[.]i[.]zimbrasoft[.]com[.]ua

Decoding Keys
XOR key "twichcba5e"

Constraint Note
The structure resembles a highly coordinated browser-resident stealer, silently harvesting 90 days of mail data, backup 2FA codes, and session tokens via automated SOAP API requests.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

Target Environment
Zimbra Collaboration Suite (ZCS)

GOVERN (GV) – Crisis Management & Oversight

Command
Initiate emergency patch management protocols for all FCEB agencies to comply with CISA BOD 22-01 mandates.

DETECT (DE) – Monitoring & Analysis

Command
Query DNS logs for Base32-encoded subdomain resolutions matching the pattern d-[token][.][key][.][base32_chunk][.]i[.]zimbrasoft[.]com[.]ua

Command
Audit Zimbra access logs for anomalous requests to the [/]home[/]~[/]?fmt=tgz endpoint.

RESPOND (RS) – Mitigation & Containment

Command
Isolate affected Zimbra servers

Command
Search for and immediately revoke any unauthorized app-specific passwords, specifically those named "ZimbraWeb"

RECOVER (RC) – Restoration & Trust

Command
Validate that Zimbra instances are patched to at least ZCS 10.0.18 or 10.1.13 before reconnecting to the external network.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Disable unused protocols (such as IMAP and POP3) at the administrative level via the zimbraPrefImapEnabled parameter to restrict persistence vectors.

Remediation - THE HOME USER TRACK (Safety Focus)

Threat Downgraded
Theoretical/Low. Zimbra Collaboration Suite is not a default home user OS component.

Priority 1: Safety

Command
No immediate disconnection required unless accessing a corporate Zimbra webmail portal from a home network.

Priority 2: Identity

Command
Remain vigilant regarding unsolicited emails requesting internship or job opportunities, even if they lack attachments.

Priority 3: Persistence

Command
Regularly clear browser cache, cookies, and local storage to purge potential dormant session tokens.

Hardening & References

Baseline

Ensure email filtering solutions are updated to parse and sanitize CSS @import directives within HTML email bodies.

Framework
Align with NIST CSF 2.0 and CISA Binding Operational Directive (BOD) 22-01.

Source

CISA Known Exploited Vulnerabilities:
hxxps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog

Zimbra (Synacor) Security Advisories:
hxxps://wiki[.]zimbra[.]com/wiki/Zimbra_Security_Advisories

Bleeping Computer:
hxxps://www[.]bleepingcomputer[.]com/news/security/russian-apt28-military-hackers-exploit-zimbra-flaw-in-ukrainian-govt-attacks/
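The two DETECT commands in the post above (DNS queries under the listed zimbrasoft[.]com[.]ua subdomain patterns, and access-log requests to the tgz export endpoint) and the "check web server logs and mailbox access patterns" item in the earlier reply both come down to the same log-review job. The Python script below is an added example written for this thread; it is not from the post, from CISA, or from Zimbra. The indicator values are the ones quoted in the post, kept defanged in the source. Everything else is an assumption: the resolver and combined-format access-log layouts shown in its constructed sample lines, and that in the d- names the token and key are single dot-free labels while the chunk is standard RFC 4648 base32.

```python
import base64
import re
from typing import Dict, List, Optional

# Indicators quoted in the post above, kept in their defanged form; they are
# refanged only inside the matching logic so they can be compared with logs.
APEX_DEFANGED = "zimbrasoft[.]com[.]ua"
C2_SUFFIX_DEFANGED = "i[.]zimbrasoft[.]com[.]ua"
TGZ_EXPORT_PATH = "/home/~/?fmt=tgz"


def refang(indicator: str) -> str:
    """Turn the defanged '[.]' notation back into a real dotted name."""
    return indicator.replace("[.]", ".")


APEX = refang(APEX_DEFANGED)
C2_SUFFIX = refang(C2_SUFFIX_DEFANGED)

# The two subdomain shapes listed in the post: js-<12 alphanumerics> and
# d-<token>.<key>.<base32_chunk>. Assumption (not stated on the page): token and
# key are single dot-free labels and the chunk uses the RFC 4648 base32
# alphabet, lower-cased the way resolvers usually log query names.
C2_NAME = re.compile(
    r"^(?:js-(?P<js>[a-z0-9]{12})"
    r"|d-(?P<token>[^.]+)\.(?P<key>[^.]+)\.(?P<chunk>[a-z2-7]+))\."
    + re.escape(C2_SUFFIX)
    + r"$"
)

# Request field of a combined-format access log, e.g. "GET /home/~/?fmt=tgz HTTP/1.1".
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def decode_chunk(chunk: str) -> Optional[bytes]:
    """Best-effort base32 decode of one DNS label so an analyst can see what left."""
    padded = chunk.upper() + "=" * (-len(chunk) % 8)
    try:
        return base64.b32decode(padded)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def scan_dns_log(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Flag query names that match a listed pattern or fall under the listed apex."""
    hits: List[Dict[str, Optional[str]]] = []
    for line in lines:
        for token in line.split():
            name = token.lower().rstrip(".")
            m = C2_NAME.match(name)
            if m:
                kind = "js-pattern" if m.group("js") else "d-pattern"
            elif name == APEX or name.endswith("." + APEX):
                kind = "apex"
            else:
                continue
            decoded = None
            if m and m.group("chunk"):
                raw = decode_chunk(m.group("chunk"))
                decoded = raw.decode("utf-8", "replace") if raw is not None else None
            hits.append({"name": name, "kind": kind, "decoded": decoded, "line": line})
            break  # one verdict per log line
    return hits


def scan_access_log(lines: List[str]) -> List[str]:
    """Return access-log lines that request the mailbox export endpoint.

    The same endpoint serves a user's own legitimate export, so each hit needs a
    who/when/how-large review rather than automatic blocking.
    """
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        target = m.group("target")
        if target.startswith("/home/~/") and "fmt=tgz" in target:
            hits.append(line)
    return hits


# Constructed sample lines (not real telemetry) in a generic resolver and
# nginx/Apache combined-log style; the only real values are the indicators.
SAMPLE_DNS = [
    "2025-11-20T10:00:01Z client 10.0.0.5 query: www.example.com IN A",
    "2025-11-20T10:00:02Z client 10.0.0.5 query: js-k3m9x2p7q1aa.i.zimbrasoft.com.ua IN A",
    "2025-11-20T10:00:03Z client 10.0.0.5 query: d-abc123.k1.nbswy3dp.i.zimbrasoft.com.ua IN A",
    "2025-11-20T10:00:04Z client 10.0.0.9 query: mail.zimbrasoft.com.ua IN A",
]
SAMPLE_ACCESS = [
    '10.0.0.7 - - [20/Nov/2025:10:02:11 +0000] "GET /zimbra/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [20/Nov/2025:10:02:40 +0000] "GET /home/~/?fmt=tgz HTTP/1.1" 200 81234120 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [20/Nov/2025:10:03:02 +0000] "POST /service/soap/SearchRequest HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS):
        print(f"DNS  {hit['kind']:10} {hit['name']}  decoded={hit['decoded']!r}")
    for line in scan_access_log(SAMPLE_ACCESS):
        print("EXPORT", line)
```

Run it against your own resolver and Zimbra access logs by replacing the two sample lists with the real lines. The apex match is deliberately broader than the two published subdomain shapes, so anything under the listed domain is surfaced even if the label format drifts; the base32 decode is only there so the reviewer can see what a d- query carried, and a None result simply means the chunk was not plain base32. Treat tgz export hits as a triage queue (client address, account, response size, time of day), since the endpoint is also how a user legitimately exports their own mailbox.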
 
Thanks for the heads-up @Captain Awesome. This is a reminder that hackers don't always need you to click a shady link or download a file to get in; sometimes, just receiving a malicious email is enough.

Quick steps if you manage a Zimbra account:

  • Update immediately to the latest versions (10.0.18 or 10.1.13).
  • Check for unusual activity in your email logs or settings.
  • Change your passwords and close any active sessions if something feels off.
  • Turn off unused features like IMAP or POP3 to keep things simpler and safer.

The bottom line: With groups like APT28 already using this flaw, the priority is to patch and secure your settings before anything happens. 🛡️📧⚠️