Overview
Actively Exploited. CVE-2025-66376 is a stored cross-site scripting (XSS) vulnerability in Synacor Zimbra Collaboration Suite (ZCS). The flaw exists in the Classic Web Client UI, where an attacker can craft a malicious HTML email containing CSS @import directives that are not properly sanitized. When a victim views the email in the Classic UI, the malicious CSS is loaded and executed in the context of the victim's authenticated session, enabling arbitrary JavaScript execution.
Zimbra has a long history of XSS vulnerabilities in the Classic Web Client, with numerous entries in the CISA KEV catalog — making Zimbra one of the most frequently targeted email platforms by advanced threat actors.
CVSS Scoring Discrepancy
This vulnerability has two different CVSS 3.1 assessments from NVD:
| Source | Score | Severity | Vector |
|---|---|---|---|
| NIST | 6.1 | MEDIUM | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| MITRE (CNA) | 7.2 | HIGH | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
The key difference is User Interaction: NIST rates it as Required (the victim must open the email), while MITRE rates it as None. MITRE's assessment may reflect scenarios where CSS @import directives are automatically fetched by the rendering engine without explicit user action. CISA's inclusion in the KEV catalog underscores real-world severity regardless of scoring differences. This page uses the NIST score (6.1).
Vulnerability Description
Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML email message.
The Classic Web Client renders HTML emails with insufficient sanitization of CSS content. Specifically, @import rules within `<style>` tags or inline CSS are not properly stripped. An attacker can craft a malicious email including CSS @import directives pointing to attacker-controlled resources. When the email is rendered, the browser fetches and processes the external CSS, which can be leveraged to:
- Exfiltrate data — use CSS-based exfiltration techniques to leak email content or CSRF tokens
- Execute JavaScript — in conjunction with other browser behaviors or Zimbra-specific rendering quirks
- Hijack sessions — steal authentication tokens or session cookies
- Perform actions — trigger Zimbra operations (forwarding rules, account changes) on behalf of the victim
The attack is stored — the malicious payload persists in the email and triggers every time any user views it in the Classic UI — making it particularly dangerous for shared mailboxes and distribution lists.
Affected Products
| Branch | Vulnerable Versions | Fixed Version |
|---|---|---|
| ZCS 10.0.x (Daffodil) | 10.0.0 – 10.0.17 | 10.0.18 (Nov 6, 2025) |
| ZCS 10.1.x | 10.1.0 – 10.1.12 | 10.1.13 |
Zimbra 10.0 reached End of Life on December 31, 2025 — customers on the 10.0.x branch should migrate to the actively supported 10.1.x branch. Older unsupported versions (9.x, 8.x) are likely also vulnerable.
Zimbra's History of Exploited XSS Vulnerabilities
Zimbra's Classic Web Client has been a recurring target for state-sponsored and APT groups. Several Zimbra XSS CVEs have been added to the CISA KEV catalog:
| CVE | Year | Description |
|---|---|---|
| CVE-2022-24682 | 2022 | Calendar XSS in Classic HTML client — exploited by Volexity-reported campaigns |
| CVE-2023-37580 | 2023 | Classic Web Client reflected XSS — exploited zero-day, reported by Google TAG |
| CVE-2024-27443 | 2024 | Calendar invite XSS — reported by Vietnam NCSC |
| CVE-2024-45519 | 2024 | Postjournal unauthenticated RCE — CVSS 9.8, massively exploited |
| CVE-2025-27915 | 2025 | Stored XSS in Classic Web Client |
| CVE-2025-66376 | 2025 | CSS @import stored XSS in Classic UI (this vulnerability) |
Organizations using Zimbra should treat any Classic UI XSS as a high-priority remediation target, regardless of CVSS score, due to the demonstrated exploitation history.
Remediation
- Upgrade Zimbra to version 10.1.13 (or 10.0.18 if still on the 10.0.x branch).
- Migrate off Classic UI — consider migrating users to the Modern Web Client, which has a different rendering engine and is not affected by Classic UI–specific XSS issues.
- Disable Classic UI — if possible, disable the Classic Web Client via Zimbra admin settings to eliminate the attack surface entirely.
Detection: Review email logs for inbound HTML emails containing @import directives in `<style>` tags or inline CSS. Monitor for unexpected account changes (forwarding rules, delegate access, password resets) that may indicate session hijacking. Check web server access logs for requests to unusual external CSS resources originating from the Zimbra Classic UI.
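A triage helper for the detection step above, added here as an example (not code from the advisory or from Zimbra): it walks the HTML parts of a raw message and reports every @import rule found inside `<style>` blocks or inline style attributes. The sample message and the external.invalid host are constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

IMPORT_RULE = re.compile(r"@import\b", re.IGNORECASE)  # CSS at-keywords are case-insensitive
CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

class _CssCollector(HTMLParser):
    # Collects <style> bodies and inline style="" values as (location, css) pairs.
    def __init__(self):
        super().__init__()
        self.in_style, self.chunks = False, []

    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"
        self.chunks += [("inline-style", v) for k, v in attrs if k == "style" and v]

    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"

    def handle_data(self, data):
        if self.in_style:
            self.chunks.append(("style-tag", data))

def find_css_imports(raw_message: str) -> list:
    """Return (location, snippet) for every @import rule in the message's HTML parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _CssCollector()
        collector.feed(part.get_content())
        for where, css in collector.chunks:
            css = CSS_COMMENT.sub("", css)  # commented-out rules are inert; skip them
            for m in IMPORT_RULE.finditer(css):
                findings.append((where, css[m.start():m.start() + 60].strip()))
    return findings

# Constructed sample message (not real traffic); the benign variant swaps the rule out.
SUSPICIOUS = """\
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head><style>
  @IMPORT url("https://external.invalid/x.css");
</style></head><body><p style="color:red">hi</p></body></html>
"""
BENIGN = SUSPICIOUS.replace('@IMPORT url("https://external.invalid/x.css");', "p { color: blue; }")
```

Feed it raw messages pulled from the mail store or a journaling mailbox; any non-empty result is a candidate for closer review, since a legitimate HTML newsletter rarely needs @import at all.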
Reported by NCSC-FI (National Cyber Security Centre Finland).
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-66376 |
| Vendor / Product | Synacor — Zimbra Collaboration Suite |
| NVD Published | 2026-01-05 |
| NVD Last Modified | 2026-03-18 |
| CVSS 3.1 Score | 6.1 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| Severity | MEDIUM |
| CWE | CWE-79 |
| CISA KEV Added | 2026-03-18 |
| CISA KEV Deadline | 2026-04-01 |
| Known Ransomware Use | No |
| Affected Versions | ZCS 10.0.x before 10.0.18; ZCS 10.1.x before 10.1.13 |
CVSS 3.1 Breakdown
The metrics below are read from the NIST vector used on this page (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N):
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | Required |
| Scope (S) | Changed |
| Confidentiality (C) | Low |
| Integrity (I) | Low |
| Availability (A) | None |
Timeline
| Date | Event |
|---|---|
| 2025-11-06 | Zimbra releases ZCS 10.0.18 with fix for this vulnerability |
| 2026-01-05 | CVE-2025-66376 published on NVD |
| 2026-03-18 | Added to CISA Known Exploited Vulnerabilities catalog — confirms active exploitation |
| 2026-04-01 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2025-66376 | Vulnerability Database |
| Zimbra Security Advisories | Vendor Advisory |
| Zimbra ZCS 10.0.18 Release Notes | Vendor Advisory |
| CISA KEV Catalog Entry | US Government |