www.securityweek.com 3/19/2026, 1:33:19 PM

Russian APT Exploits Zimbra Vulnerability Against Ukraine

CyberSIXT Evidence Panel
CISA KEV: Listed in KEV
Patch: Available

A Russian state-sponsored threat actor has exploited a high-severity XSS vulnerability in Zimbra Collaboration in attacks against Ukraine, according to SecurityWeek. The flaw, tracked as CVE-2025-66376 (CVSS 7.2), affects the Classic UI and was addressed in November 2025 in Zimbra versions 10.1.13 and 10.0.18. Zimbra noted that insufficient sanitisation of CSS content could allow inline scripts to be executed when a recipient opens a crafted email.

Seqrite Labs reports that Russian threat actors have used the vulnerability in targeted operations against Ukraine. JavaScript placed in the email body runs when the message is opened and harvests credentials, session tokens, 2FA codes, browser-saved passwords, and mailbox contents from the preceding 90 days, which are exfiltrated over DNS and HTTPS. The operation, named Operation GhostMail by Seqrite Labs, is attributed to APT28, also tracked as Forest Blizzard, Fancy Bear, GruesomeLarch, and Sofacy. CISA added CVE-2025-66376 to its Known Exploited Vulnerabilities catalog, urging federal agencies to patch within two weeks.

Article by CyberSIXT
