CISA KEV Alert 3/18/2026, 6:33:00 PM

CISA Adds CVE-2025-66376 to Known Exploited Vulnerabilities Catalogue


CISA has added CVE-2025-66376 to its Known Exploited Vulnerabilities (KEV) catalogue. The vulnerability affects Synacor’s Zimbra Collaboration Suite (ZCS) and is described as a “Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability”.

The flaw is a cross‑site scripting (XSS) issue in the Classic UI of ZCS. An attacker can inject malicious Cascading Style Sheets (CSS) @import directives into HTML‑formatted email bodies. When a victim views the crafted message in the Classic UI, the injected CSS is processed, allowing execution of arbitrary script code in the context of the user’s session. The CVSS v3.1 base score is 7.2, classifying the issue as HIGH. No public patch or advisory has been released at the time of writing, and Synacor has not provided a remediation package.
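As an added example (not Zimbra, Synacor or CISA code), a mail-gateway or SIEM-side check in Python that flags the vector described above: CSS @import directives inside the <style> blocks or style="" attributes of an HTML email body. CSS comments and hex escapes are normalised first so that obfuscated spellings of the keyword are still caught; the two sample messages are constructed.

```python
"""Flag HTML email bodies carrying CSS @import directives (CVE-2025-66376 vector)."""
import re
from html.parser import HTMLParser

_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# CSS hex escape: backslash, 1-6 hex digits, optional single trailing space.
_CSS_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6}) ?")
_IMPORT = re.compile(r"@import\b")


def normalize_css(css: str) -> str:
    """Strip comments, decode escapes and lowercase so @import cannot be hidden."""
    css = _CSS_COMMENT.sub("", css)
    css = _CSS_HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), css)
    css = re.sub(r"\\(.)", r"\1", css)  # "\i" style escapes stand for themselves
    return css.lower()


class _StyleCollector(HTMLParser):
    """Collect raw CSS from <style> elements and style="" attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # decodes &#64;import in attributes
        self.styles = []  # (origin, css_text)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if name == "style" and value:
                self.styles.append((f"<{tag} style=...>", value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.styles.append(("<style>", data))


def find_css_imports(html_body: str) -> list:
    """Return (origin, normalised css) pairs that contain an @import directive."""
    collector = _StyleCollector()
    collector.feed(html_body)
    collector.close()
    return [(origin, normalize_css(css)) for origin, css in collector.styles
            if _IMPORT.search(normalize_css(css))]


# Constructed sample messages, not real captures.
CLEAN_MAIL = "<html><body><p style='color:#333'>Quarterly report attached.</p></body></html>"
SUSPECT_MAIL = ("<html><head><style>/* x */ @\\69mport url('http://example.invalid/a.css');"
                "</style></head><body>hello</body></html>")
```

A gateway would quarantine or rewrite any message for which `find_css_imports` returns hits; the same function can be run over archived mail to look for earlier delivery attempts.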

Because the entry appears in the KEV list, active exploitation is confirmed. CISA has not linked the vulnerability to any known ransomware campaign, but the presence of a working exploit makes the risk to organisations that run ZCS significant. Agencies are required to address the issue by 1 April 2026, the remediation deadline set by CISA.

CISA’s required action is to “apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable”. Federal Civilian Executive Branch (FCEB) agencies must comply, and all other public and private organisations should verify whether they run the affected Classic UI component and act accordingly.

For full technical details, see the NVD entry for CVE-2025-66376 and the CISA KEV catalogue.


Article by CyberSIXT