CISA Confirms Active Exploitation of Zimbra XSS Flaw (CVE-2025-66376), Adds to KEV Catalog

Executive Summary

On March 18, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-66376, a cross-site scripting (XSS) vulnerability in the Synacor Zimbra Collaboration Suite (ZCS), to its Known Exploited Vulnerabilities (KEV) Catalog. The inclusion in the KEV catalog is a definitive confirmation that the vulnerability is being actively used in cyberattacks. XSS flaws like this one can enable attackers to execute malicious scripts in a victim's browser, leading to session hijacking, credential theft, or redirection to malicious sites. In accordance with Binding Operational Directive (BOD) 22-01, federal agencies are mandated to patch this vulnerability by a specified deadline.

Vulnerability Details

• CVE ID: CVE-2025-66376
• Product: Synacor Zimbra Collaboration Suite (ZCS)
• Vulnerability Type: Cross-Site Scripting (XSS)
• Impact: Allows an attacker to inject and execute malicious scripts in a user's web browser within the context of the Zimbra web client.

Cross-site scripting vulnerabilities in web-based collaboration platforms like Zimbra are particularly dangerous. An attacker could exploit this by sending a specially crafted email or calendar invite. When the victim views the item, the malicious script executes in their browser.

Exploitation Status

CISA's action on March 18, 2026, confirms that CVE-2025-66376 is being actively exploited. While details of the attackers or their campaigns were not provided, email platforms are frequent targets for state-sponsored espionage groups and cybercriminals seeking to gain access to sensitive communications or use compromised accounts for further phishing campaigns.

Impact Assessment

Successful exploitation of this XSS vulnerability can lead to several negative outcomes:

• Session Hijacking: The attacker can steal the victim's session cookie, allowing them to take over the user's logged-in session and access their email, contacts, and calendar without needing a password.
• Credential Theft: The malicious script can present a fake login form to trick the user into re-entering their credentials, which are then sent to the attacker.
• Data Theft: The script can read the contents of the user's mailbox and exfiltrate sensitive information.
• Further Attacks: A compromised email account can be used to launch highly credible phishing attacks against the user's contacts or other employees within the organization (T1566.002 - Spearphishing Link).

Detection Methods

• Web Application Firewall (WAF): A properly configured WAF may be able to detect and block malicious scripts embedded in HTTP requests targeting the Zimbra server.
• Log Analysis: Review Zimbra and web server logs for unusual or malformed requests that may indicate XSS probing or exploitation attempts.

Remediation Steps

1. Apply Patches: Organizations using Zimbra Collaboration Suite must prioritize the application of security patches provided by Synacor/Zimbra that address CVE-2025-66376.
2. Review KEV Catalog: CISA strongly urges all public and private sector organizations to subscribe to and regularly review the KEV catalog. Vulnerabilities on this list represent active and significant threats and should be treated as the highest priority for patching.
3. Harden Web Client: Ensure that all security headers and configurations for the web server hosting Zimbra are properly implemented to help mitigate the impact of XSS flaws.