INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Critical Zimbra XSS Flaw Exposes Mailboxes
| 2026-07-10 20:42 CRITICAL MEDIUMExecutive Summary AI-generated
The threat landscape is increasingly complex, with multiple vectors of exploitation and attack methods. A recent incident highlights the importance of staying vigilant in cybersecurity. The use of advanced tactics, techniques, and procedures (TTPs) such as JavaScript-based phishing emails has become a significant concern. These attacks can silently harvest credentials, session tokens, two-factor authentication codes, saved passwords, and sensitive data for malicious purposes. Furthermore, multi-stage payloads have been used to exfiltrate stolen information via DNS and HTTPS. The release of Zimbra's 10.1.19 version fixes critical stored XSS vulnerabilities in its Classic Web Client, which is widely used by organizations. This highlights the need for timely updates and patching to prevent exploitation. Organizations must prioritize cybersecurity awareness, implement robust security measures, and stay informed about emerging threats to mitigate these risks effectively.
Technical Mitigations AI-generated
• Use a web application firewall (WAF): Implementing a WAF can help block malicious traffic and prevent exploitation of the XSS vulnerability. Popular options include ModSecurity, Apache mod_security, or Nginx's built-in WAF.
• Verify email authenticity: Ensure that emails are coming from legitimate sources by verifying their authenticity using techniques such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), or DMARC (Domain-based Message Authentication, Reporting and Conformance).
• Use secure protocols for email communication: When sending emails to users of the Classic Web Client, use secure protocols like HTTPS instead of HTTP. This can help prevent eavesdropping and tampering with sensitive information.
• Implement content security policy (CSP): CSP is a set of rules that define which sources of content are allowed in web pages. Implementing CSP can help block malicious scripts and reduce the risk of XSS attacks.
• Regularly update and patch software: Keep all software, including Zimbra's Classic Web Client, up to date with the latest security patches and updates. This will help prevent exploitation of known vulnerabilities before they are patched by attackers.
AI Podcast (EN) detail_available
detail_listen_ai (EN)
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Operation GhostMailOperation GhostMail
APT28APT28Winter VivernWinter VivernAPT29APT29
SednitSednitSofacySofacy
CVE-2025-68645CVE-2025-68645
CVE-2025-66376CVE-2025-66376
CVE-2020-7796CVE-2020-7796
CVE-2025-48700CVE-2025-48700
Target & Sectors
UA
RU
governmentgovernment
maritimemaritime
Incident Timeline
February 2023
The Russian-sponsored Winter Vivern hacking group used a reflected XSS exploit to breach Zimbra webmail portals.
Click on any entity below to view its context and source!
target_region
Russian Federation
For instance, the Russian-sponsored Winter Vivern hacking group used a reflected XSS exploit
to breach Zimbra webmail portals
in February 2023, stealing emails from NATO-aligned organizations and individuals, including government officials, military personnel, and diplomats.
industry
Government
For instance, the Russian-sponsored Winter Vivern hacking group used a reflected XSS exploit
to breach Zimbra webmail portals
in February 2023, stealing emails from NATO-aligned organizations and individuals, including government officials, military personnel, and diplomats.
threat_actor
Winter Vivern
For instance, the Russian-sponsored Winter Vivern hacking group used a reflected XSS exploit
to breach Zimbra webmail portals
in February 2023, stealing emails from NATO-aligned organizations and individuals, including government officials, military personnel, and diplomats.
attribution
NATO
For instance, the Russian-sponsored Winter Vivern hacking group used a reflected XSS exploit
to breach Zimbra webmail portals
in February 2023, stealing emails from NATO-aligned organizations and individuals, including government officials, military personnel, and diplomats.
October 2024
Threat actors used a previously abused exploit to target vulnerable Zimbra servers.
Click on any entity below to view its context and source!
target_region
Russian Federation
In October 2024, U.S. and U.K. cyber agencies have also warned that APT29 (also known as Midnight Blizzard and Cozy Bear) hackers working for Russia's Foreign Intelligence Service (SVR) were
targeting vulnerable Zimbra servers
"at a mass scale" using an exploit that targeted a flaw previously abused
to steal email account credentials
.
threat_actor
APT29
In October 2024, U.S. and U.K. cyber agencies have also warned that APT29 (also known as Midnight Blizzard and Cozy Bear) hackers working for Russia's Foreign Intelligence Service (SVR) were
targeting vulnerable Zimbra servers
"at a mass scale" using an exploit that targeted a flaw previously abused
to steal email account credentials
.
attribution
Foreign Intelligence Service
In October 2024, U.S. and U.K. cyber agencies have also warned that APT29 (also known as Midnight Blizzard and Cozy Bear) hackers working for Russia's Foreign Intelligence Service (SVR) were
targeting vulnerable Zimbra servers
"at a mass scale" using an exploit that targeted a flaw previously abused
to steal email account credentials
.
January 22
Threat actors exploited a known vulnerability in the Zimbra Classic Web Client to compromise a national maritime agency's email system on January 22.
Click on any entity below to view its context and source!
industry
Maritime
A national maritime agency was targeted on January 22 using a compromised student email.
2026/07/10
Zimbra security issues have been exploited in attacks by Russian state-sponsored hackers.
Click on any entity below to view its context and source!
organisation
CVE-2025-66376
In March, Russia-linked APT group, likely
APT28
(aka UAC-0001, aka
Fancy Bear
,
Pawn Storm
,
Sofacy Group
,
Sednit
, BlueDelta, and
STRONTIUM
),
exploited
the vulnerability
CVE-2025-66376
in attacks against entities in Ukraine.
organisation
APT
In March, Russia-linked APT group, likely
APT28
(aka UAC-0001, aka
Fancy Bear
,
Pawn Storm
,
Sofacy Group
,
Sednit
, BlueDelta, and
STRONTIUM
),
exploited
the vulnerability
CVE-2025-66376
in attacks against entities in Ukraine.
threat_actor
APT28
In March, Russia-linked APT group, likely
APT28
(aka UAC-0001, aka
Fancy Bear
,
Pawn Storm
,
Sofacy Group
,
Sednit
, BlueDelta, and
STRONTIUM
),
exploited
the vulnerability
CVE-2025-66376
in attacks against entities in Ukraine.
More recently, in March, the Cybersecurity and Infrastructure Security Agency (CISA)
ordered federal agencies
to patch another Zimbra XSS flaw (CVE-2025-66376) exploited by hackers linked to the APT28 group (linked to Russia's military intelligence service) in
attacks targeting Ukrainian government entities
.
organisation
BlueDelta
In March, Russia-linked APT group, likely
APT28
(aka UAC-0001, aka
Fancy Bear
,
Pawn Storm
,
Sofacy Group
,
Sednit
, BlueDelta, and
STRONTIUM
),
exploited
the vulnerability
CVE-2025-66376
in attacks against entities in Ukraine.
organisation
State Hydrology Agency
A phishing email targeted Ukraine’s State Hydrology Agency, part of critical infrastructure, using a compromised student account to appear legitimate.
organisation
HTML
The message hid malicious JavaScript in the HTML body, exploiting a Zimbra XSS flaw (CVE-2025-66376).
organisation
a Zimbra XSS
The message hid malicious JavaScript in the HTML body, exploiting a Zimbra XSS flaw (CVE-2025-66376).
infrastructure
10.1.19
Zimbra has released version 10.1.19 to fix a critical stored XSS vulnerability in its Classic Web Client, which is widely used to access Zimbra Collaboration.
The company released Zimbra 10.1.19 this Tuesday to patch this stored cross-site scripting (XSS) security flaw, which has yet to receive a CVE ID for easy tracking.
organisation
Operation GhostMail
Seqrite Labs tracked this campaign as Operation GhostMail.
organisation
the Classic Web Client
“The update fixes a security issue in the Classic Web Client where a specially crafted email could run malicious code when the email is opened.
organisation
ZCS v10.1.19
If exploited, it could allow access to mailbox information, session data, or account settings.” reads the
advisory
“We strongly recommend all customers to upgrade to ZCS v10.1.19 to ensure they have received the latest security patches, bug fixes, and enhancements.”
Google’s Threat Analysis Group discovered the vulnerability.
"Any customer using the Classic Web Client should upgrade to ZCS v10.1.19 as soon as possible, as this issue only impacts the users of Classic Web Client,"
Zimbra warned
.
organisation
Google’s Threat Analysis Group
If exploited, it could allow access to mailbox information, session data, or account settings.” reads the
advisory
“We strongly recommend all customers to upgrade to ZCS v10.1.19 to ensure they have received the latest security patches, bug fixes, and enhancements.”
Google’s Threat Analysis Group discovered the vulnerability.
organisation
DNS
Then they exfiltrated stolen data via DNS and HTTPS.
organisation
HTTPS
Then they exfiltrated stolen data via DNS and HTTPS.
organisation
SecurityAffairs
Follow me on Twitter:
@securityaffairs
and
Facebook
and
Mastodon
Pierluigi Paganini
(
SecurityAffairs
– hacking, XSS)
organisation
CVE-2025-48700
In April,
nonprofit security organization Shadowserver warned
that over 10,500 Zimbra Collaboration Suite (ZCS) instances exposed online were still vulnerable to ongoing attacks exploiting another cross-site scripting (XSS) security flaw (tracked as CVE-2025-48700).
organisation
Shadowserver
In April,
nonprofit security organization Shadowserver warned
that over 10,500 Zimbra Collaboration Suite (ZCS) instances exposed online were still vulnerable to ongoing attacks exploiting another cross-site scripting (XSS) security flaw (tracked as CVE-2025-48700).
organisation
ZCS
In April,
nonprofit security organization Shadowserver warned
that over 10,500 Zimbra Collaboration Suite (ZCS) instances exposed online were still vulnerable to ongoing attacks exploiting another cross-site scripting (XSS) security flaw (tracked as CVE-2025-48700).
organisation
the Classic UI
Also known as the Classic UI, this Ajax-based webmail interface is faster than Zimbra's modern web client, which requires more resources when loading large email folders.
organisation
Ajax
Also known as the Classic UI, this Ajax-based webmail interface is faster than Zimbra's modern web client, which requires more resources when loading large email folders.
organisation
Google
"
While Zimbra has not yet tagged this vulnerability as exploited in the wild, the flaw was reported by Google's Threat Analysis Group, which frequently flags zero-day exploits deployed by state-backed hacking groups in cyberattacks targeting high-risk individuals, including opposition politicians, dissidents, and journalists.
organisation
Threat Analysis Group
"
While Zimbra has not yet tagged this vulnerability as exploited in the wild, the flaw was reported by Google's Threat Analysis Group, which frequently flags zero-day exploits deployed by state-backed hacking groups in cyberattacks targeting high-risk individuals, including opposition politicians, dissidents, and journalists.
organisation
EDR
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
the beginning of 2026
Threat actors used a Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability to target the Synacor Zimbra Classic Web Client.
Click on any entity below to view its context and source!
vulnerability
CVE-2025-66376
Since the beginning of 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added [
1
,
2
,
3
] the following vulnerabilities to its
Known Exploited Vulnerabilities (KEV) catalog
:
CVE-2025-68645
(CVSS score of 8.8) Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
CVE-2020-7796
(CVSS score of 9.8) Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
CVE-2025-66376
(CVSS score of 7.2) Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability.
vulnerability
CVE-2025-68645
Since the beginning of 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added [
1
,
2
,
3
] the following vulnerabilities to its
Known Exploited Vulnerabilities (KEV) catalog
:
CVE-2025-68645
(CVSS score of 8.8) Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
CVE-2020-7796
(CVSS score of 9.8) Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
CVE-2025-66376
(CVSS score of 7.2) Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability.
vulnerability
CVE-2020-7796
Since the beginning of 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added [
1
,
2
,
3
] the following vulnerabilities to its
Known Exploited Vulnerabilities (KEV) catalog
:
CVE-2025-68645
(CVSS score of 8.8) Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
CVE-2020-7796
(CVSS score of 9.8) Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
CVE-2025-66376
(CVSS score of 7.2) Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability.
vulnerability
CVSS score of 8.8
Since the beginning of 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added [
1
,
2
,
3
] the following vulnerabilities to its
Known Exploited Vulnerabilities (KEV) catalog
:
CVE-2025-68645
(CVSS score of 8.8) Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
CVE-2020-7796
(CVSS score of 9.8) Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
CVE-2025-66376
(CVSS score of 7.2) Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability.
vulnerability
CVSS score of 9.8
Since the beginning of 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added [
1
,
2
,
3
] the following vulnerabilities to its
Known Exploited Vulnerabilities (KEV) catalog
:
CVE-2025-68645
(CVSS score of 8.8) Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
CVE-2020-7796
(CVSS score of 9.8) Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
CVE-2025-66376
(CVSS score of 7.2) Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability.
vulnerability
CVSS score of 7.2
Since the beginning of 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added [
1
,
2
,
3
] the following vulnerabilities to its
Known Exploited Vulnerabilities (KEV) catalog
:
CVE-2025-68645
(CVSS score of 8.8) Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
CVE-2020-7796
(CVSS score of 9.8) Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
CVE-2025-66376
(CVSS score of 7.2) Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability.
attribution
Known Exploited
Since the beginning of 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added [
1
,
2
,
3
] the following vulnerabilities to its
Known Exploited Vulnerabilities (KEV) catalog
:
CVE-2025-68645
(CVSS score of 8.8) Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
CVE-2020-7796
(CVSS score of 9.8) Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
CVE-2025-66376
(CVSS score of 7.2) Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability.
tactic
T1588.006 - Vulnerabilities
Since the beginning of 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added [
1
,
2
,
3
] the following vulnerabilities to its
Known Exploited Vulnerabilities (KEV) catalog
:
CVE-2025-68645
(CVSS score of 8.8) Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
CVE-2020-7796
(CVSS score of 9.8) Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
CVE-2025-66376
(CVSS score of 7.2) Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability.
attribution
KEV
Since the beginning of 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added [
1
,
2
,
3
] the following vulnerabilities to its
Known Exploited Vulnerabilities (KEV) catalog
:
CVE-2025-68645
(CVSS score of 8.8) Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
CVE-2020-7796
(CVSS score of 9.8) Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
CVE-2025-66376
(CVSS score of 7.2) Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability.
attribution
CVSS
Since the beginning of 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added [
1
,
2
,
3
] the following vulnerabilities to its
Known Exploited Vulnerabilities (KEV) catalog
:
CVE-2025-68645
(CVSS score of 8.8) Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
CVE-2020-7796
(CVSS score of 9.8) Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
CVE-2025-66376
(CVSS score of 7.2) Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability.
attribution
PHP Remote File Inclusion Vulnerability
Since the beginning of 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added [
1
,
2
,
3
] the following vulnerabilities to its
Known Exploited Vulnerabilities (KEV) catalog
:
CVE-2025-68645
(CVSS score of 8.8) Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
CVE-2020-7796
(CVSS score of 9.8) Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
CVE-2025-66376
(CVSS score of 7.2) Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability.
tactic
T1584.004 - Server
Since the beginning of 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added [
1
,
2
,
3
] the following vulnerabilities to its
Known Exploited Vulnerabilities (KEV) catalog
:
CVE-2025-68645
(CVSS score of 8.8) Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
CVE-2020-7796
(CVSS score of 9.8) Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
CVE-2025-66376
(CVSS score of 7.2) Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability.
general_metric
1 CISA
Since the beginning of 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added [
1
,
2
,
3
] the following vulnerabilities to its
Known Exploited Vulnerabilities (KEV) catalog
:
CVE-2025-68645
(CVSS score of 8.8) Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
CVE-2020-7796
(CVSS score of 9.8) Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
CVE-2025-66376
(CVSS score of 7.2) Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability.
general_metric
2 CISA
Since the beginning of 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added [
1
,
2
,
3
] the following vulnerabilities to its
Known Exploited Vulnerabilities (KEV) catalog
:
CVE-2025-68645
(CVSS score of 8.8) Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
CVE-2020-7796
(CVSS score of 9.8) Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
CVE-2025-66376
(CVSS score of 7.2) Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability.
Tactical Metrics
Metrics
infrastructure
10.1.19
Software Version
Click for context!
Zimbra has released version 10.1.19 to fix a critical stored XSS vulnerability in its Classic Web Client, which is widely used to access Zimbra Collaboration.
The company released Zimbra 10.1.19 this Tuesday to patch this stored cross-site scripting (XSS) security flaw, which has yet to receive a CVE ID for easy tracking.
Intelligence Sources
Security Affairs
2026-07-10
BleepingComputer
2026-07-10
Zimbra urges customers to patch critical web client XSS flaw
BleepingComputer
Unpublish from Social Media?
Are you sure you want to delete this podcast video from all synchronized social networks (YouTube, Facebook, Threads)?
Important:
Due to Meta API restrictions, Instagram Reels cannot be deleted automatically via API by third-party apps.
View Profile to Delete Manually
View Profile to Delete Manually
Tactical Intelligence
Report Intelligence Issue
Podcast Options
Generate
Reset / Delete
Incident Version History
CURRENT VERSION
Last Updated: 2026-07-11T06:31
Comprehensive Tactical Telemetry
Highly Correlated Entities
21x
organisation
Identified Entity
APT
entity
9x
attribution
Attributing Entity
the U.S. Cybersecurity and Infrastructure Security Agency
authority
6x
timeline
Temporal Reference
January 22
date
4x
vulnerability
Exploited CVE
CVE-2025-66376
cve
3x
threat actor
APT Group
APT28
actor
3x
tactic
MITRE ATT&CK Technique
T1059.007 - JavaScript
technique
3x
vulnerability
CVSS Score
9
score
2x
source region
Origin Country
Russian Federation
country
2x
target region
Target Country
Ukraine
country
2x
malware
Malware Payload
Sofacy
tool
2x
tactic
Cyber Operation Type
Phishing
tactic
2x
industry
Targeted Sector
Maritime
sector
2x
general metric
Cisa
1
cisa
2x
general metric
%
54
%
Contextual Telemetry
Context Block
3 METRICS
infrastructure
Software Version
10.1.19
version
campaign
Campaign
Operation GhostMail
operation
general metric
Collaboration Suite
10,500
collaboration suite
Click on any entity below to view its context in the main text!
Selective Unpublish
Selecciona las redes de las que quieres eliminar esta publicación. El sistema intentará borrar el post real de la API y limpiará la base de datos para que puedas volver a lanzarlo.
By navigating this website, you accept the use of strictly necessary technical cookies for session security and basic platform functionality. We do not use tracking or advertising cookies.
Read our Privacy Policy.