Cyber Resilience

CVE-2025-66376

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 05 January 2026

Modified: 18 March 2026
KEV Added: 18 March 2026
Patch: available (fixed in 10.0.18 and 10.1.13)
CVSS Score: v3.1 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.1201 (95.6th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2025-66376 is a high-severity stored cross-site scripting (CWE-79) vulnerability in the Classic UI of Synacor Zimbra Collaboration Suite. Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS score places it in the top 4.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-66376 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in the Classic UI of Zimbra Collaboration Suite (ZCS) 10.0.x before 10.0.18 and 10.1.x before 10.1.13. It arises from improper handling of Cascading Style Sheets (CSS) @import directives embedded in HTML e-mail messages: a message carrying such a directive is stored as received, and the directive is interpreted, and the payload executed, when the Classic UI renders the message.

The published CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, score 7.2) rates the attack as network-reachable, low complexity, unauthenticated and requiring no user interaction. The attacker needs no account on the server: sending a crafted HTML message containing a malicious CSS @import directive to any mailbox is enough to store the payload. The payload fires when a recipient opens that message in the Classic UI, so in practice a victim action (reading the mail) is involved even though the vector scores UI:N; treat the score as a floor rather than a reason to defer patching. The script runs in the origin of the Zimbra web application, which is why the scope is changed (S:C): the vulnerable component is the server-side message rendering path, but the impact lands in the user's browser session. From there an attacker can read mailbox contents, steal the session cookie, or act in the mail UI as the victim; CVSS rates the confidentiality and integrity impact as low (C:L/I:L) and the availability impact as none (A:N).
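The rendering path just described, as an added example (this is not Zimbra's code or the vendor's patched sanitizer): a small Python filter that finds CSS @import directives in the <style> blocks of an HTML message body, decodes CSS escape sequences first so obfuscated spellings are not missed, and empties any offending block. Invoked on receipt it implements the SI-10 (input validation) control listed under Mitigating Controls; invoked at render time it implements SI-15 (output filtering). The regular expressions, the sample messages and the attacker.example host are all constructed for this example; a production filter should sit on a real HTML sanitizer rather than on regexes.

```python
import re
from email import message_from_string
from email.policy import default

# CSS escape sequences: "\69" (1-6 hex digits, optionally followed by one
# whitespace character) or "\i" (any single escaped character). Decoding
# them first defeats obfuscations such as "@\69mport" or "@\000069mport",
# which a browser reads as "@import" but a naive substring check does not.
CSS_ESCAPE_RE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?|\\(.)", re.DOTALL)

# <style> blocks, captured as (open tag, CSS body, close tag).
STYLE_BLOCK_RE = re.compile(r"(<style\b[^>]*>)(.*?)(</style\s*>)",
                            re.IGNORECASE | re.DOTALL)
IMPORT_RE = re.compile(r"@import\b", re.IGNORECASE)


def decode_css_escapes(css: str) -> str:
    """Replace CSS escape sequences with the characters they denote."""
    def repl(m: re.Match) -> str:
        if m.group(1) is not None:
            try:
                return chr(int(m.group(1), 16))
            except ValueError:      # code point outside the Unicode range
                return "\ufffd"
        return m.group(2)
    return CSS_ESCAPE_RE.sub(repl, css)


def find_css_imports(html: str) -> list[str]:
    """Return the CSS body of every <style> block that carries an @import
    directive (after escape decoding). An empty list means clean."""
    return [m.group(2).strip()
            for m in STYLE_BLOCK_RE.finditer(html)
            if IMPORT_RE.search(decode_css_escapes(m.group(2)))]


def sanitize_html_mail(html: str) -> tuple[str, int]:
    """Fail-closed filter: a <style> block containing @import is emptied
    outright rather than 'repaired', so a partially matched rule cannot
    survive. Returns (clean_html, number_of_blocks_emptied)."""
    emptied = 0

    def repl(m: re.Match) -> str:
        nonlocal emptied
        if IMPORT_RE.search(decode_css_escapes(m.group(2))):
            emptied += 1
            return m.group(1) + m.group(3)
        return m.group(0)

    return STYLE_BLOCK_RE.sub(repl, html), emptied


def scan_eml(raw: str) -> list[str]:
    """Walk an RFC 822 message and collect offending <style> blocks from
    every text/html part (mail-gateway or mailbox-sweep use)."""
    msg = message_from_string(raw, policy=default)
    hits: list[str] = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            hits.extend(find_css_imports(part.get_content()))
    return hits


# Constructed samples (not real traffic); attacker.example is a placeholder.
BENIGN = ('<html><head><style>p { color: #333; }</style></head>'
          '<body><p>hello</p></body></html>')
OBVIOUS = ('<html><head><style>@import url("https://attacker.example/x.css");'
           '</style></head><body>invoice attached</body></html>')
OBFUSCATED = ("<html><head><STYLE>\n@\\000069mport 'https://attacker.example/y.css';\n"
              "</STYLE></head><body>invoice attached</body></html>")
SAMPLE_EML = ("From: sender@attacker.example\r\nTo: victim@example.com\r\n"
              "Subject: invoice\r\nMIME-Version: 1.0\r\n"
              "Content-Type: text/html; charset=utf-8\r\n\r\n" + OBFUSCATED)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("obvious", OBVIOUS),
                        ("obfuscated", OBFUSCATED)):
        clean, n = sanitize_html_mail(body)
        print(f"{label}: flagged={len(find_css_imports(body))} emptied={n}")
    print("eml hits:", scan_eml(SAMPLE_EML))
```

Running the block prints the flagged and emptied counts for the three samples and the hit from the constructed .eml. The fail-closed choice (empty the whole block) is deliberate: excising only the @import rule invites parser-differential bypasses in which the filter's idea of where a rule ends differs from the browser's.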

Zimbra's security advisories and the release notes for 10.0.18 and 10.1.13 document the fix; upgrade to those releases (or later) without delay. Additional guidance is available on the Zimbra Security Center, Security Advisories and Responsible Disclosure Policy pages of the Zimbra wiki.

Vulnerability details

Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.

CWE(s): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
KEV Date Added: 18 March 2026

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

The Zimbra webmail front end is Internet-facing, and an unauthenticated sender reaches the vulnerable rendering path simply by mailing a crafted HTML message (T1190). Once the stored payload runs in a victim's browser it executes in the Zimbra web origin, where it can steal the web session cookie and hand the attacker an authenticated session (T1539).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-27915: same product (Synacor Zimbra Collaboration Suite); both on KEV
CVE-2025-68645: same product (Synacor Zimbra Collaboration Suite); both on KEV
CVE-2025-25064: same product (Synacor Zimbra Collaboration Suite)
CVE-2026-33373: same product (Synacor Zimbra Collaboration Suite)
CVE-2025-68461: same product class (email / collaboration); both on KEV
CVE-2026-42897: same product class (email / collaboration); both on KEV
CVE-2023-5631: same product class (email / collaboration); both on KEV
CVE-2022-41082: same product class (email / collaboration); both on KEV
CVE-2021-31207: same product class (email / collaboration); both on KEV
CVE-2022-41040: same product class (email / collaboration); both on KEV

Affected Assets

Vendor: Synacor
Product: Zimbra Collaboration Suite
Affected versions: 10.0.x before 10.0.18; 10.1.x before 10.1.13 (the fixed releases themselves are not affected)
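To turn the version ranges above into a fleet check, an added example (not from Zimbra or the advisory): a Python helper that parses a bare version string, or the banner line printed by `zmcontrol -v` (the banner format is assumed from memory, not taken from this page), and reports whether it lies in an affected range. Note the boundary: the fixed release itself is not affected, and branches the advisory does not mention are reported as not affected only because there is no data for them here, not because they are known to be safe.

```python
import re

# Fixed versions from the advisory text: 10.0.x before 10.0.18 and 10.1.x
# before 10.1.13 are affected. Branches absent from this table (8.8.x,
# 9.0.x, 10.2+) are outside the advisory text, not confirmed safe.
FIXED_IN = {(10, 0): (10, 0, 18), (10, 1): (10, 1, 13)}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_zcs_version(text: str) -> tuple[int, int, int]:
    """Pull major.minor.patch out of a bare version ('10.0.17') or the
    longer banner printed by `zmcontrol -v`, assumed here to look like
    'Release 10.0.17.GA.4732.UBUNTU22.64 UBUNTU22_64 FOSS edition.'
    (format assumed, adjust the regex if your build prints differently)."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch


def is_affected(text: str) -> bool:
    """True when the version falls inside an affected range. The fixed
    release itself (10.0.18, 10.1.13) compares equal, not less, so it is
    reported as not affected; unlisted branches also return False."""
    major, minor, patch = parse_zcs_version(text)
    fixed = FIXED_IN.get((major, minor))
    return fixed is not None and (major, minor, patch) < fixed


if __name__ == "__main__":
    # Constructed inputs, including one assumed zmcontrol banner.
    for v in ("10.0.17", "10.0.18",
              "Release 10.1.12.GA.4800.UBUNTU22.64 UBUNTU22_64 FOSS edition.",
              "10.1.13", "10.2.0"):
        print(f"{v!r}: affected={is_affected(v)}")
```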

Mitigating Controls

Mitigating Controls (NIST 800-53 r5; AI-assisted mapping)

SI-2 Flaw Remediation (prevent)

Directly mitigates the stored XSS by requiring timely application of the Zimbra fixes shipped in 10.0.18 and 10.1.13, which correct the CSS @import handling.

SI-15 Information Output Filtering (prevent)

Prevents execution by filtering malicious CSS @import directives out of HTML message bodies when the Classic UI renders them.

SI-10 Information Input Validation (prevent)

Validates and sanitizes incoming HTML message content so that bodies carrying malicious CSS @import directives are neutralized before they are stored server-side.
