CISA adds actively exploited Zimbra flaw to KEV, urges rapid patching
CISA has added a Zimbra Collaboration Suite vulnerability to its Known Exploited Vulnerabilities catalog and says the flaw is under active attack. The bug, tracked as CVE-2025-66376, is a stored cross-site scripting issue in Zimbra’s Classic user interface, and federal agencies must secure affected systems by April 1, 2026.
For organizations running Zimbra, the immediate answer is to patch. Zimbra says the issue is fixed in versions 10.1.13 and 10.0.18, and CISA’s KEV entry lists those same patched versions as the remediation path.
The vulnerability affects the Classic UI and can trigger when a user opens a specially crafted email. Zimbra’s advisory says the flaw stems from CSS @import directives embedded in email HTML: when the Classic interface renders such a message, attacker-supplied content can execute in the victim’s active session.
What CISA is warning about
CISA’s KEV catalog identifies CVE-2025-66376 as a cross-site scripting vulnerability in Synacor Zimbra Collaboration Suite. The agency added it after evidence of active exploitation, which means defenders should treat this as a live threat rather than a theoretical one.
The risk comes from email delivery and session context. If a target opens a malicious message in the Classic UI, an attacker may be able to run script in that user’s session, which can expose mailbox data or let the attacker perform actions as the victim. Zimbra’s own wording around the flaw supports that attack chain.
Affected and fixed versions
| Product | Vulnerable releases | Fixed version |
|---|---|---|
| Zimbra Collaboration Suite 10.1 | Releases earlier than 10.1.13 | 10.1.13 |
| Zimbra Collaboration Suite 10.0 | Releases earlier than 10.0.18 | 10.0.18 |
Zimbra’s security advisory and patch release notes both point to 10.1.13 and 10.0.18 as the releases that address CVE-2025-66376.
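A branch-aware check of an installed release against the fixed versions in the table above, as an added example rather than Zimbra’s or CISA’s tooling. It assumes that `zmcontrol -v` prints a line beginning `Release 10.0.17_GA_...` (only the dotted version is parsed; the build suffix is ignored), the sample strings it is exercised with are constructed, and the 10.0 end-of-life status it encodes is the one Zimbra gave (December 31, 2025). Branches the article does not cover are reported as unknown rather than assumed safe.

```python
import re
import subprocess

# Minimum releases containing the fix for CVE-2025-66376, per the Zimbra
# advisory cited in the article, keyed by major.minor branch.
FIXED_RELEASES = {
    (10, 1): (10, 1, 13),
    (10, 0): (10, 0, 18),
}

# Branches Zimbra has declared end-of-life (10.0 as of December 31, 2025).
EOL_BRANCHES = {(10, 0)}

# Assumed format of the first line of `zmcontrol -v`:
#   Release 10.0.17_GA_4521.UBUNTU22_64_20250101120000 UBUNTU22_64 FOSS edition.
# Only the dotted version is used; the build suffix varies per platform.
_RELEASE_RE = re.compile(r"Release\s+(\d+)\.(\d+)\.(\d+)")


def parse_release(output: str):
    """Return (major, minor, patch) from `zmcontrol -v` output, or None."""
    m = _RELEASE_RE.search(output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Classify an installed release against the fixed versions.

    Returns "patched", "vulnerable", "patched-eol-branch" or "unknown-branch".
    """
    branch = version[:2]
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        # 9.x, 8.8.x or anything newer than 10.1 is not covered by the
        # advisory the article cites, so do not claim it is safe.
        return "unknown-branch"
    if version < fixed:
        return "vulnerable"
    if branch in EOL_BRANCHES:
        # Fixed for this CVE, but the branch receives no further updates.
        return "patched-eol-branch"
    return "patched"


def assess_output(output: str):
    """Parse raw `zmcontrol -v` text and classify it (None if unparseable)."""
    version = parse_release(output)
    return None if version is None else assess(version)


def assess_local_host():
    """Run `zmcontrol -v` as the zimbra user on this host and classify it.

    Assumes the standard /opt/zimbra install location.
    """
    out = subprocess.run(
        ["sudo", "-u", "zimbra", "/opt/zimbra/bin/zmcontrol", "-v"],
        capture_output=True, text=True, check=True,
    ).stdout
    return assess_output(out)


if __name__ == "__main__":
    print(assess_local_host())
```

Run it on each mailbox and proxy node separately; a mixed-version cluster is vulnerable wherever the lowest release sits, and a 10.0 host that reports `patched-eol-branch` still needs a migration plan.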
Why this flaw matters
Stored XSS bugs in webmail products can become serious very quickly because the attack arrives through normal email workflows. Users do not need to download a file or run an attachment if the exploit triggers when the message is rendered in a vulnerable interface. In this case, the Classic UI is the exposed component named by Zimbra.
That makes this more than a routine patch. CISA’s decision to place the flaw in KEV means the agency has enough evidence to say attackers are already using it in the wild. For security teams, that is the strongest signal that patching should move to the front of the queue.
What admins should do now
- Upgrade Zimbra 10.1 deployments to 10.1.13 or later.
- Upgrade Zimbra 10.0 deployments to 10.0.18 or later.
- Reduce or retire use of the Classic UI where possible, as a risk-reduction step alongside patching rather than a replacement for it.
- Review webmail access logs and mail flow for suspicious behavior, including inbound messages whose HTML carries CSS @import directives.
- Check for unusual session activity tied to mailbox access, such as actions the mailbox owner did not perform.
- Prioritize migration off unsupported branches.
Federal deadline and support status
CISA’s KEV entry sets an April 1, 2026 remediation deadline for Federal Civilian Executive Branch agencies. While that deadline applies directly to U.S. federal agencies, private organizations usually treat KEV deadlines as a strong urgency signal because the exploitation has already been observed.
There is also a lifecycle issue here. Zimbra said version 10.0 reached end of life on December 31, 2025, and customers should migrate to 10.1 for continued updates. That means patching to 10.0.18 may reduce immediate exposure, but it does not solve the long-term support problem if an organization still relies on the 10.0 branch.
Quick summary
| Item | Detail |
|---|---|
| CVE | CVE-2025-66376 |
| Type | Stored cross-site scripting |
| Affected component | Zimbra Classic UI |
| Exploitation status | Active exploitation confirmed by CISA KEV listing |
| Fixed versions | 10.1.13 and 10.0.18 |
| Federal deadline | April 1, 2026 |
FAQ
What is CVE-2025-66376?
It is a stored XSS vulnerability in the Classic UI of Zimbra Collaboration Suite. CISA says it is actively exploited, and Zimbra says it was fixed in 10.1.13 and 10.0.18.
How is the flaw exploited?
According to Zimbra’s advisory, attackers can abuse CSS @import directives embedded in email HTML. When the victim opens the message in the Classic UI, the malicious code can execute in that session context.
Which versions contain the fix?
Zimbra points customers to version 10.1.13 or 10.0.18, depending on branch. CISA’s KEV catalog lists the same patched versions.
Is Zimbra 10.0 still supported?
No. Zimbra said 10.0 reached end of life on December 31, 2025, so organizations still on that branch should plan a move to 10.1.