CISA Orders Federal Agencies to Patch Actively Exploited Zimbra XSS Vulnerability (CVE‑2025‑66376)
What Happened — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operational Directive requiring all Federal Civilian Executive Branch agencies to remediate a high‑severity stored cross‑site scripting (XSS) flaw (CVE‑2025‑66376) in the Zimbra Collaboration Suite. The vulnerability is known to be actively exploited in the wild, allowing unauthenticated attackers to inject malicious JavaScript via crafted email HTML.
Why It Matters for TPRM —
- Exploitation of the XSS flaw can hijack user sessions, expose confidential communications, and serve as a foothold for broader compromise of third‑party email platforms.
- Zimbra is deployed by thousands of private‑sector enterprises and government entities; a breach can cascade to partner organizations and supply‑chain data flows.
- Failure to patch may violate contractual security clauses and regulatory requirements for data protection.
Who Is Affected — Government agencies, large enterprises, SaaS providers, and any organization that hosts or consumes Zimbra Collaboration Suite for email and collaboration.
Recommended Actions —
- Verify whether any of your third‑party vendors or internal teams run Zimbra servers and confirm patch status.
- If Zimbra is used, apply the November 2025 patch immediately; if mitigation is unavailable, consider temporary migration to an alternative platform.
- Update your third‑party risk registers to reflect the elevated risk and require proof of remediation from affected suppliers.
Technical Notes — The flaw resides in the Classic UI’s handling of CSS @import directives within email HTML, enabling stored XSS that executes arbitrary JavaScript in the victim’s browser. Exploitation can lead to session hijacking, credential theft, and data exfiltration. CVE‑2025‑66376 was publicly disclosed and patched in November 2025, but active exploitation continues. Source: BleepingComputer
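As an added defender-side example (not Zimbra's code and not taken from the BleepingComputer report), the Python below shows the kind of sanitisation pass a mail gateway or webmail front end applies to the vector named above: it walks an email's HTML, records every CSS `@import` found in a `<style>` block or an inline `style=""` attribute, and re-emits the document with those rules removed. All function names and the sample email body are constructed for this illustration.

```python
"""Added example: detect and strip CSS @import rules from email HTML before it
is rendered in a webmail client. Not Zimbra's code; sample input is constructed.
"""
import html
import re
from html.parser import HTMLParser

# CSS comments can split a keyword (e.g. "@im/**/port"), so they are removed
# before matching. CSS character escapes (e.g. "\40import") are NOT decoded
# here; a production sanitiser must normalise those first.
CSS_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
IMPORT_RE = re.compile(r"@import\b", re.IGNORECASE)
# An @import rule runs up to the next ';' (or to the end of the style text).
IMPORT_RULE_RE = re.compile(r"@import\b[^;]*;?", re.IGNORECASE)


def normalise_css(css: str) -> str:
    """Remove CSS comments so keyword matching cannot be split by them."""
    return CSS_COMMENT_RE.sub("", css)


def has_css_import(css: str) -> bool:
    """True if the normalised CSS text contains an @import rule."""
    return IMPORT_RE.search(normalise_css(css)) is not None


def strip_css_imports(css: str) -> str:
    """Return the CSS with every @import rule removed."""
    return IMPORT_RULE_RE.sub("", normalise_css(css))


class CssImportScrubber(HTMLParser):
    """Re-emits the HTML it is fed, minus @import rules in CSS.

    Findings are (location, tag, offending_css) tuples, so one pass can both
    feed a detection log and produce the sanitised body.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: list[str] = []
        self.findings: list[tuple[str, str, str]] = []
        self._in_style = False

    def _emit_tag(self, tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            if name == "style" and value and has_css_import(value):
                self.findings.append(("style-attribute", tag, value))
                value = strip_css_imports(value)
            parts.append(name if value is None
                         else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # HTMLParser delivers <style> content verbatim (CDATA mode).
        if self._in_style and has_css_import(data):
            self.findings.append(("style-block", "style", normalise_css(data).strip()))
            data = strip_css_imports(data)
        self.out.append(data)

    # Everything else passes through untouched.
    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def scrub_css_imports(email_html: str) -> tuple[str, list[tuple[str, str, str]]]:
    """Return (sanitised_html, findings) for one email body."""
    parser = CssImportScrubber()
    parser.feed(email_html)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample: one @import in a <style> block, one in an inline style.
SAMPLE_EMAIL_HTML = (
    '<html><head><style>\n'
    '  @import url("https://cdn.example.invalid/theme.css");\n'
    '  p { color: #333; }\n'
    '</style></head>\n'
    '<body><p style="@import url(x.css); font-weight: bold">Quarterly report attached.</p>'
    '<p>Regards &amp; thanks</p></body></html>'
)

if __name__ == "__main__":
    clean, findings = scrub_css_imports(SAMPLE_EMAIL_HTML)
    for where, tag, css in findings:
        print(f"[{where}] <{tag}>: {css!r}")
    print(clean)
```

The `findings` list doubles as a detection signal: logging it at the gateway gives a count of inbound messages carrying `@import` in their HTML, which is a useful indicator while patch status across vendors is still being confirmed. The scrubber is deliberately narrow (it does not decode CSS escapes, touch `<link rel="stylesheet">`, or cover other stylesheet channels), so it illustrates the neutralisation rather than replacing the vendor patch the advisory calls for.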