

Ethical Hacking News

Russian Hackers Exploit Zimbra Flaw to Target Ukrainian Government Entities


Russian state-sponsored threat groups have been exploiting a previously patched vulnerability in the Zimbra email and collaboration software suite, targeting Ukrainian government entities with a phishing campaign. Organizations are urged to patch the CVE-2025-66376 vulnerability and implement robust security measures to protect against future attacks.

  • Russian hackers are exploiting a previously patched vulnerability in Zimbra Collaboration Suite (ZCS) as part of a phishing campaign targeting Ukrainian government entities.
  • The vulnerability, CVE-2025-66376, allows unauthenticated attackers to gain remote code execution and compromise the Zimbra server and target's email account.
  • APT28 hackers are using malicious messages with obfuscated JavaScript payloads that exploit the vulnerability when the recipient opens the email in a vulnerable Zimbra webmail session.
  • The attack exfiltrates credentials, session tokens, backup 2FA codes, browser-saved passwords, and mailbox contents over DNS and HTTPS.
  • This is not the first time that Zimbra security flaws have been targeted by Russian state-sponsored threat groups, with previous attacks in February 2023 and October 2024.
  • Zimbra's wide adoption makes it an attractive target for hackers, highlighting the ongoing threat posed by Russian state-sponsored threat groups to global cybersecurity.
  • Cybersecurity experts urge organizations to patch the CVE-2025-66376 vulnerability and implement robust security measures to protect against future attacks.



Russian hackers have been exploiting a previously patched vulnerability in the popular email and collaboration software suite, Zimbra Collaboration Suite (ZCS), as part of a phishing campaign targeting Ukrainian government entities. The attack, which has been attributed to the state-backed threat group APT28, also known as Fancy Bear or Strontium, is believed to have been launched in recent days.

The vulnerability, tracked as CVE-2025-66376 and patched in early November, stems from a stored cross-site scripting (XSS) flaw that unauthenticated attackers can exploit to gain remote code execution (RCE) and compromise the Zimbra server and the target's email account. According to Seqrite Labs, a security research firm, the APT28 hackers' malicious messages delivered an obfuscated JavaScript payload that exploits the CVE-2025-66376 vulnerability when the recipient opens the email in a vulnerable Zimbra webmail session.

The script executes silently in the browser and begins harvesting credentials, session tokens, backup 2FA codes, browser-saved passwords, and the contents of the victim's mailbox going back 90 days, with all of the data exfiltrated over both DNS and HTTPS. The attack chain lives entirely inside the HTML body of a single email, with no malicious attachments or suspicious links.

This is not the first time that Zimbra security flaws have been targeted in attacks by Russian state-sponsored threat groups. In February 2023, the Winter Vivern cyberespionage group used another reflected XSS exploit to breach Zimbra webmail portals and spy on the communications of NATO-aligned organizations and persons, including government officials, military personnel, and diplomats. In October 2024, U.S. and U.K. cyber agencies also warned that APT29 hackers linked to Russia's Foreign Intelligence Service (SVR) were attacking vulnerable Zimbra servers "at a mass scale," exploiting a vulnerability previously used to steal email account credentials.

Zimbra is widely popular, with hundreds of millions of users, including hundreds of government agencies and thousands of businesses worldwide. However, its widespread adoption also makes it an attractive target for hackers seeking to exploit vulnerabilities in the software suite. The recent attack highlights the ongoing threat posed by Russian state-sponsored threat groups to global cybersecurity.

The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its catalog of vulnerabilities exploited in the wild and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their servers within two weeks, as mandated by Binding Operational Directive (BOD) 22-01, issued in November 2021. This directive requires FCEB agencies to prioritize the implementation of security patches for vulnerable systems.

In light of this latest attack, cybersecurity experts are urging organizations to take immediate action to patch the CVE-2025-66376 vulnerability and implement robust security measures to protect against future attacks. The recent incident serves as a reminder that even previously patched vulnerabilities can be exploited by determined hackers if left unaddressed.
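Because the attack chain described above lives entirely in the HTML body of the email, with no attachments or links, a mail-gateway or mailbox triage that only inspects attachments and URLs never sees it. The following Python script is an added example, not code from the original article or from Zimbra: it parses a message with the standard library and counts generic active-content indicators (script tags, event-handler attributes, javascript: URIs, embedded frames) in every HTML part; the patterns and the two sample messages are assumptions for illustration, not a signature for the actual CVE-2025-66376 payload.

```python
import email
import re
from email import policy

# Generic active-content indicators for HTML mail bodies. These are assumed
# triage heuristics, not a signature for the real CVE-2025-66376 payload.
ACTIVE_CONTENT = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\son[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.I),
    "embedded_frame": re.compile(r"<\s*(?:iframe|object|embed)\b", re.I),
}

def html_parts(msg):
    """Yield every decoded text/html body, including parts nested in multipart."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()

def triage_message(raw: bytes) -> dict:
    """Return {indicator: hit count} over the HTML parts of one raw message; empty means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {}
    for body in html_parts(msg):
        for name, pattern in ACTIVE_CONTENT.items():
            count = len(pattern.findall(body))
            if count:
                hits[name] = hits.get(name, 0) + count
    return hits

# Constructed sample messages for demonstration (not real campaign emails).
BENIGN = b"""From: sender@example.test
To: user@example.test
Subject: Agenda
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://example.test/agenda">the agenda</a>.</p></body></html>
"""

SUSPICIOUS = b"""From: sender@example.test
To: user@example.test
Subject: Notice
Content-Type: text/html; charset="utf-8"

<html><body><img src="x" onerror="run()"><script>run()</script></body></html>
"""
```

Any non-empty result is a reason to quarantine the message for review before it can be rendered in a webmail session; run it over an mbox or a quarantine folder rather than on live delivery to avoid false positives from HTML newsletters.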



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Russian-Hackers-Exploit-Zimbra-Flaw-to-Target-Ukrainian-Government-Entities-ehn.shtml

  • Published: Thu Mar 19 10:40:47 2026 by llama3.2 3B Q4_K_M