Full Report
CISA has ordered U.S. government agencies to secure their servers against an actively exploited vulnerability in the Zimbra Collaboration Suite (ZCS). [...]
Analysis Summary
# Vulnerability: Zimbra Collaboration Suite Stored XSS via CSS @import
## CVE Details
- **CVE ID:** CVE-2025-66376
- **CVSS Score:** High Severity (Specific numerical score pending NVD finalization)
- **CWE:** CWE-79 (Improper Neutralization of Input During Web Page Generation / Cross-site Scripting)
## Affected Systems
- **Products:** Zimbra Collaboration Suite (ZCS)
- **Versions:** Versions prior to 10.1.13 and 10.0.18.
- **Configurations:** Systems utilizing the "Classic UI" web interface.
## Vulnerability Description
CVE-2025-66376 is a stored cross-site scripting (XSS) vulnerability in the Zimbra Classic UI. The flaw stems from insufficient sanitization of Cascading Style Sheets (CSS) `@import` directives within HTML-formatted emails. A remote, unauthenticated attacker can send a specially crafted email containing malicious CSS that bypasses the interface's sanitization filters. When a user views the email in the Classic UI, the payload allows execution of arbitrary JavaScript in the context of the user's browser session.
## Exploitation
- **Status:** Exploited in the wild (Confirmed by CISA KEV listing).
- **Complexity:** Low.
- **Attack Vector:** Network (Remote/Email-based).
## Impact
- **Confidentiality:** High (Potential theft of session cookies, authentication tokens, and sensitive email content).
- **Integrity:** High (Ability to execute actions on behalf of the user, such as modifying email filters or settings).
- **Availability:** Low (Standard XSS impact).
## Remediation
### Patches
Synacor released security updates in November 2025 to address this flaw. Administrators should upgrade to:
- **Zimbra 10.1.13** or later
- **Zimbra 10.0.18** or later
### Workarounds
- Ensure users transition from the "Classic UI" to the "Modern UI" if patching cannot be performed immediately, since the flaw affects only the Classic interface.
- Implement strict email security gateway filtering to block suspicious CSS `@import` directives in incoming HTML mail.
## Detection
- **Indicators of Compromise:** Look for HTML emails containing unconventional CSS `@import` strings or external URLs pointing to suspicious `.css` or `.js` files.
- **Detection methods and tools:** Monitor web server logs for request patterns that indicate unusual client-side script activity, and review user accounts for unauthorized changes to settings (e.g., new mail forwarders or filters). Use vulnerability scanners to verify the ZCS version level.
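The gateway filtering workaround and the `@import` indicator above both need a way to pull CSS `@import` targets out of an HTML mail body. The following is an added example, not code from Zimbra or from this advisory; it assumes the caller already has the decoded `text/html` part of the message, and the sample messages are constructed.

```python
import re
from html.parser import HTMLParser

# Matches the common @import forms:
#   @import url(x.css);  @import url("x.css");  @import "x.css";  @import 'x.css';
# Case-insensitive and whitespace-tolerant; CSS comments are stripped first so
# "@im/**/port"-style padding inside comments does not hide the directive.
IMPORT_RE = re.compile(r"@import\s*(?:url\(\s*)?['\"]?([^'\")\s;]+)", re.IGNORECASE)
CSS_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)


class _CssCollector(HTMLParser):
    """Collects <style> block contents and inline style="..." attributes."""

    def __init__(self):
        super().__init__()
        self.css_chunks = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            # @import is not valid in a style attribute, but a conservative
            # filter still inspects it rather than trusting the spec.
            if name == "style" and value:
                self.css_chunks.append(value)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.css_chunks.append(data)


def find_css_imports(html_body):
    """Return every @import target found in the HTML body (empty list if none)."""
    collector = _CssCollector()
    collector.feed(html_body)
    targets = []
    for chunk in collector.css_chunks:
        targets.extend(IMPORT_RE.findall(CSS_COMMENT_RE.sub("", chunk)))
    return targets


def should_quarantine(html_body):
    """Gateway policy: any @import in inbound HTML mail is treated as suspicious."""
    return len(find_css_imports(html_body)) > 0


# Constructed sample messages (not real traffic).
BENIGN_MAIL = "<html><body><style>p { color: #333; }</style><p>Report attached.</p></body></html>"
SUSPICIOUS_MAIL = ('<html><head><style>/* theme */ @IMPORT url( "https://example.invalid/theme.css" );'
                   '</style></head><body><div style="color:red">Hi</div></body></html>')
```

A production gateway would run this over each `text/html` MIME part after transfer-decoding, and log the extracted targets as indicators rather than silently dropping the message.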
## References
- **Vendor Advisory:** [https[:]//blog[.]zimbra[.]com/2025/11/patch-release-update-zimbra-10-1-13-10-0-18/](https[:]//blog[.]zimbra[.]com/2025/11/patch-release-update-zimbra-10-1-13-10-0-18/)
- **CISA KEV Catalog:** [https[:]//www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog](https[:]//www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog)
- **NVD Entry:** [https[:]//nvd[.]nist[.]gov/vuln/detail/CVE-2025-66376](https[:]//nvd[.]nist[.]gov/vuln/detail/CVE-2025-66376)