CISA orders federal agencies to patch actively exploited Zimbra XSS flaw
CISA has added CVE-2025-66376, a stored cross-site scripting flaw in Zimbra Collaboration Suite, to its Known Exploited Vulnerabilities catalog and ordered federal civilian agencies to fix it by April 8, 2026. The agency announced the addition on March 18, 2026, which triggers remediation under Binding Operational Directive 22-01.
The vulnerability affects Zimbra Collaboration 10.0 before 10.0.18 and 10.1 before 10.1.13. Zimbra says the bug sits in the Classic UI and allows abuse of CSS @import directives inside HTML email, which can lead to stored XSS. Zimbra patched the flaw in versions 10.0.18 and 10.1.13 in November 2025.
CISA did not publish technical details about the attacks, but the agency’s KEV listing confirms the flaw has been exploited in the wild. That matters because stored XSS in webmail can create a path to session hijacking, malicious JavaScript execution, mailbox manipulation, or data theft inside a user’s mail environment. The impact description here is an inference from the nature of stored XSS and the affected product, not a direct CISA quote.
CISA told agencies to apply vendor mitigations, follow relevant cloud guidance under BOD 22-01, or discontinue use of the product if mitigations are unavailable. The order applies directly to Federal Civilian Executive Branch agencies, but CISA also urged all organizations to treat the bug as urgent because these types of vulnerabilities are common attack vectors and pose serious risk to enterprise environments.
What admins need to know
| Item | Details |
|---|---|
| CVE | CVE-2025-66376 |
| Product | Synacor Zimbra Collaboration Suite |
| Bug type | Stored XSS in Classic UI |
| Attack method | CSS @import directives in HTML email |
| Affected versions | 10.0 before 10.0.18 and 10.1 before 10.1.13 |
| Fixed versions | 10.0.18 and 10.1.13 |
| KEV added | March 18, 2026 |
| Federal remediation deadline | April 8, 2026 |
Why this bug matters
Zimbra has a long history as a target in government and enterprise intrusions, so an actively exploited flaw in its mail interface deserves attention beyond the federal deadline. Stored XSS in a collaboration platform lands in the exact place where users read untrusted content every day, which gives attackers a practical route to abuse user trust and to persist inside email workflows.
This also lands in a broader pattern. Zimbra vulnerabilities have repeatedly appeared in targeted campaigns over the last few years, and attackers continue to treat email platforms as high-value entry points because they combine identity, communications, and internal data in one place. That general trend is well documented in public reporting and vendor advisories, even if CISA has not named the actor behind these specific attacks.
What organizations should do now
- Upgrade to Zimbra 10.0.18 or 10.1.13, depending on your release track.
- Prioritize any exposed or internet-facing Zimbra deployments first. This is a best-practice inference based on active exploitation status.
- Review suspicious HTML emails and mailbox activity for signs of abuse in Classic UI sessions. This is an operational recommendation derived from the XSS mechanism.
- Treat any unpatched federal deployment as out of compliance after April 8, 2026.
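Two of the steps above, checking your release against the fixed builds and reviewing HTML mail for CSS @import directives, are easy to turn into a small triage script. The following is an added example, not Zimbra, Synacor or CISA code. It assumes a version string that begins with major.minor.patch (extra suffixes are ignored), takes the affected and fixed ranges from the advisory quoted in this article, and scans the text/html parts of an RFC 822 message for @import in style blocks and style attributes after stripping CSS comments and resolving backslash escapes, so that a trivially disguised directive is still flagged. The two mail messages at the bottom are constructed samples, not real captures.

```python
"""Triage helpers for the Zimbra CSS @import / stored XSS issue (CVE-2025-66376).

Added example, not vendor code. Assumptions: version strings start with
major.minor.patch; affected ranges come from the advisory in the article.
"""
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser

# Fixed builds per release track, as stated in the advisory.
FIXED_BUILDS = {(10, 0): (10, 0, 18), (10, 1): (10, 1, 13)}


def parse_version(text):
    """Reduce a version string such as '10.1.12_GA_4567' to (10, 1, 12)."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    if len(nums) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version):
    """True when the release track is listed and the build predates the fix.
    Tracks the advisory does not list (e.g. 9.x) are not judged here."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[:2])
    return fixed is not None and v < fixed


_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n]?|\\(.)", re.S)
_IMPORT = re.compile(r"@import\b", re.I)


def normalise_css(css):
    """Strip comments and resolve escapes so '@\\69mport' reads as '@import'."""
    css = _CSS_COMMENT.sub("", css)

    def unescape(m):
        return chr(int(m.group(1), 16)) if m.group(1) else m.group(2)

    return _CSS_ESCAPE.sub(unescape, css)


class _StyleCollector(HTMLParser):
    """Collect <style> bodies and inline style="" attributes from HTML."""

    def __init__(self):
        super().__init__()
        self.in_style = False
        self.buffer = []
        self.blocks = []  # (location, css text), in document order

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        for name, value in attrs:
            if name == "style" and value:
                self.blocks.append((f"<{tag} style>", value))

    def handle_data(self, data):
        if self.in_style:
            self.buffer.append(data)

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
            self.blocks.append(("<style>", "".join(self.buffer)))
            self.buffer = []


def find_css_imports(html):
    """Return (location, snippet) for every @import directive in the HTML."""
    collector = _StyleCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for where, css in collector.blocks:
        clean = normalise_css(css)
        for m in _IMPORT.finditer(clean):
            hits.append((where, clean[m.start():m.start() + 60].strip()))
    return hits


def scan_message(raw):
    """Scan every text/html part of a raw message; return all findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(find_css_imports(part.get_content()))
    return findings


# Constructed sample messages (not real captures). The first hides the
# directive behind a CSS escape in <style> and repeats it in a style attribute.
SUSPICIOUS_MAIL = b"""From: sender@example.test
To: user@example.test
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head><style>
body { color: #333; }
@\\69mport url("https://remote.invalid/x.css");
</style></head>
<body><p style="@import url('https://remote.invalid/y.css');">Hi</p></body></html>
"""

BENIGN_MAIL = b"""From: sender@example.test
To: user@example.test
Subject: Hello
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head><style>p { margin: 0 }</style></head>
<body><p style="color: red">Hi</p></body></html>
"""

if __name__ == "__main__":
    for v in ("10.1.12_GA_4567", "10.1.13", "10.0.17", "10.0.18"):
        print(v, "affected" if is_affected(v) else "not affected")
    for where, snippet in scan_message(SUSPICIOUS_MAIL):
        print(where, snippet)
```

Run it over exported .eml files, or feed `scan_message` the raw bytes pulled from your mail store, and treat any hit in a Classic UI user's mailbox on an unpatched build as worth a closer look. The scanner is deliberately conservative: it reports every @import, including legitimate ones, because the point is to surface mail that needs a human review rather than to judge intent.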
FAQ
What is CVE-2025-66376?
It is a stored XSS flaw in Zimbra Collaboration Suite Classic UI that can be triggered through CSS @import directives in HTML email.
Which versions are affected?
Zimbra Collaboration 10.0 before 10.0.18 and 10.1 before 10.1.13.
Is it being actively exploited?
Yes. CISA added it to the KEV catalog on March 18, 2026, which means the agency has evidence of active exploitation.
When must federal agencies patch?
By April 8, 2026.