Russian hackers exploit Zimbra flaw in Ukrainian govt attacks
Russian state‑backed hackers from APT28 are exploiting a newly patched Zimbra Collaboration Suite vulnerability (CVE‑2025‑66376) to target Ukrainian government entities, notably the State Hydrology Agency. The flaw allows unauthenticated attackers to execute remote code via stored cross‑site scripting in emails, enabling stealthy credential harvesting and data exfiltration over DNS and HTTPS. CISA has added this exploit to its catalog of active vulnerabilities and ordered federal agencies to patch within two weeks. Security researchers report that the attack chain uses a single email with obfuscated JavaScript, no attachments or links, exploiting the XSS flaw to gain access to users’ mailbox contents and backup 2FA codes. This is part of a broader trend of Russian‑state groups targeting Zimbra servers for espionage.

Zimbra Flaw Drives GhostMail Campaign Against Ukrainian Government
A high-severity vulnerability in Zimbra Collaboration Suite has become the focal point of a renewed wave of attacks attributed to APT28, the Russian state-backed hacking group linked to the GRU. The flaw, tracked as CVE-2025-66376, emerged from a stored cross-site scripting (XSS) issue that unauthenticated actors can exploit to achieve remote code execution and ultimately seize control of the affected Zimbra server and the user’s email account. The vulnerability was addressed with patches released in early November 2025, after researchers publicly identified the weakness and its exploitation in the wild.
On March 18, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-66376 to its Known Exploited Vulnerabilities catalog, flagging the issue as actively exploited and directing federal agencies to secure their systems within a two-week window under the Binding Operational Directive. While CISA did not disclose additional operational details about ongoing campaigns, the designation underscores the severity and persistence of the threat landscape facing email servers worldwide.
Security researchers at Seqrite Labs had previously highlighted how the vulnerability was weaponized by APT28 in targeted operations against Ukraine. One notable victim in this phishing drive was the Ukrainian State Hydrology Agency, an agency tasked with critical navigational and hydrographic support. Seqrite’s analysis described the phishing chain as unusually self-contained: the email’s HTML body carried an obfuscated JavaScript payload that triggers the CVE-2025-66376 flaw when opened in a vulnerable Zimbra webmail session. There were no attachments, suspicious links, or macros to trigger alarm bells—the attack relied entirely on the HTML content of a single message.
Once activated, the script operates covertly within the browser and begins to harvest credentials, session tokens, backup two-factor authentication codes, saved browser passwords, and mailbox contents spanning roughly the prior 90 days. The stolen data is exfiltrated through both DNS and HTTPS channels, enabling the attackers to siphon large volumes of sensitive information without triggering conventional attachment- or link-based alert signals.
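The attack chain above defeats attachment- and link-based filters because the only payload is script inside the HTML body. Added here as an illustration (not code from the article, Seqrite, or Zimbra), the following stdlib-only Python triage check parses a raw message and reports inline active content, using a constructed sample message with no attachment and no link:

```python
import email
from email import policy
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}

class ActiveContentScanner(HTMLParser):
    """Record script-bearing constructs inside an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.findings = []   # human-readable indicators of active content
        self.links = []      # href targets, to show link-based filters see nothing

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            name = name.lower()
            val = (value or "").strip().lower()
            if name.startswith("on"):                  # onerror=, onload=, ...
                self.findings.append(f"<{tag} {name}=...> event handler")
            elif val.startswith("javascript:"):
                self.findings.append(f"<{tag} {name}=javascript:...> URI")
            if tag == "a" and name == "href":
                self.links.append(value)

def scan_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report active HTML content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = [p.get_filename() for p in msg.iter_attachments()]
    scanner = ActiveContentScanner()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner.feed(part.get_content())
    return {"attachments": attachments, "links": scanner.links,
            "active_content": scanner.findings,
            "suspicious": bool(scanner.findings)}

# Constructed sample: one HTML-only message, no attachment, no link; the only
# payload is an inline event handler (placeholder body, not a real exploit).
SAMPLE_EML = b"""From: sender@example.invalid
To: analyst@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Quarterly figures are summarised below.</p>
<img src="x" onerror="void 0 /* placeholder */">
</body></html>
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_EML))
```

A gateway that only counts attachments and links would report nothing for this message; the event-handler finding is what a body-level check contributes.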
Zimbra’s popularity as a collaboration and mail platform—serving hundreds of millions of users, including a broad swath of government agencies and businesses—continues to make it a lucrative target for state-sponsored threat actors. The GhostMail operation is one example in a longer pattern: Russian-linked groups have repeatedly exploited Zimbra vulnerabilities to breach email portals and access communications across NATO-aligned organizations and other sensitive networks.
Historical context is instructive. In early 2023, the Winter Vivern group leveraged a different Zimbra XSS flaw to monitor NATO-associated networks and officials, demonstrating that the platform remains a constant battleground for espionage campaigns. The threat landscape expanded into 2024 when the Cozy Bear/APT29 group, tied to Russia’s SVR, conducted mass-scale attacks on vulnerable Zimbra and related systems, using previously known techniques to siphon credentials and access broader networks. These episodes collectively illustrate how Zimbra’s ubiquity, coupled with under- or unpatched instances, continues to attract sophisticated adversaries seeking access to government and enterprise communications.
As the situation unfolds, the pattern remains clear: even patched vulnerabilities can remain exploitable in the wild for extended periods if systems lag behind updates, or if attackers discover novel ways to weaponize existing flaws within the broader email ecosystem. The GhostMail activity serves as a reminder of the ongoing risk to government and critical infrastructure entities that rely on Zimbra for routine communication and coordination, and it underscores the importance of timely vulnerability management in safeguarding sensitive domains from well-resourced, state-backed adversaries.