The Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical vulnerability affecting the Zimbra Collaboration Suite (ZCS) to its Known Exploited Vulnerabilities (KEV) catalog.
Federal agencies and organizations using the platform must apply the necessary updates by April 1, 2026, to mitigate active exploitation risks.
Exploited Zimbra Collaboration Suite Flaw
Tracked as CVE-2025-66376, this high-severity flaw involves a stored Cross-Site Scripting (XSS) vulnerability within the Zimbra Classic UI.
The issue is rooted in how the software processes malicious email content. Attackers can actively abuse Cascading Style Sheets (CSS) @import directives embedded in HTML emails to bypass standard input filters.
If a target opens a specially crafted message, the malicious script executes within the context of their current session.
This allows threat actors to access sensitive emails, hijack user sessions, and potentially compromise the wider collaboration environment.
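As an added illustration, not Zimbra's code nor part of the original article, the following Python scanner flags CSS @import directives in an HTML message body (the construct this flaw abuses) so a mail gateway or a mailbox audit can quarantine or strip such messages before the Classic UI renders them. The sample messages and the example.invalid URLs are constructed.

```python
"""Flag CSS @import directives in HTML email bodies, the construct CVE-2025-66376
abuses. Constructed defensive example; not Zimbra's AntiSamy-based fix."""
import re
from html.parser import HTMLParser

# CSS comments may be interleaved with tokens; strip them before matching.
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_IMPORT = re.compile(r"@import\b", re.I)


def _has_import(css: str) -> bool:
    return bool(_IMPORT.search(_CSS_COMMENT.sub("", css)))


class _ImportFinder(HTMLParser):
    """Collects (location, snippet) pairs for every @import found."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_style = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        # @import is invalid in a style attribute, so its presence is an anomaly worth flagging.
        for name, value in attrs:
            if name == "style" and value and _has_import(value):
                self.findings.append((f"<{tag} style=...>", value.strip()[:60]))

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        # html.parser delivers <style> content verbatim here.
        if self.in_style and _has_import(data):
            self.findings.append(("<style> block", data.strip()[:60]))


def find_css_imports(html: str) -> list:
    p = _ImportFinder()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample messages, not real captured mail.
CLEAN_MAIL = "<html><body><style>p { color: navy }</style><p style='font-weight:bold'>Hi</p></body></html>"
SUSPECT_MAIL = "<html><body><style>@import url('https://example.invalid/x.css');</style><p>Hi</p></body></html>"
SUSPECT_ATTR = "<div style=\"/* c */@IMPORT 'https://example.invalid/y.css'\">Hi</div>"

if __name__ == "__main__":
    for label, body in (("clean", CLEAN_MAIL), ("suspect", SUSPECT_MAIL), ("attr", SUSPECT_ATTR)):
        print(label, find_css_imports(body))
```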
Whether this vulnerability has been used in ransomware campaigns remains unknown, but its inclusion in the CISA KEV catalog indicates verified, active exploitation in the wild.
Synacor, the vendor behind Zimbra, has addressed this vulnerability in their latest patch releases.
The security update resolves the XSS flaw by upgrading the AntiSamy HTML filtration component to version 1.7.8 and stripping out the vulnerable legacy code.
Administrators must update to one of the patched versions to secure their systems.
- Zimbra Collaboration Suite 10.1.13 is the patched release for users on the current 10.1 branch and should be installed immediately.
- Zimbra Collaboration Suite 10.0.18 is the critical security update for legacy 10.0 deployments.
CISA strongly advises organizations to apply these vendor mitigations immediately or discontinue using the product entirely if updates cannot be deployed.
Synacor rates the deployment risk for this patch as medium, meaning administrators should follow standard staging and testing procedures before pushing the update to production servers.
Additional Security and System Updates
Beyond patching CVE-2025-66376, the latest Zimbra updates introduce several underlying security and usability enhancements.
These additions aim to improve overall system stability and align with modern administrative needs.
- The update strengthens Transport Layer Security (TLS) handling in accordance with modern RFC guidelines.
- Administrators gain enhanced Amazon S3 data management and cleanup processes for mailbox migrations.
- The new Ignite smart email search provides instant suggestions alongside LDAP-supported external email warnings.
- Users can now restore deleted emails, contacts, and files directly from the Trash folder using enhanced recovery options.
- The updated Zimbra Connector for Outlook (ZCO) now features full compatibility with Outlook 2024.
- Synacor will maintain Exchange Web Services (EWS) compatibility for legacy Outlook clients until October 2026.
Administrators must note that Zimbra version 10.0 officially reached its End of Life (EOL) on December 31, 2025.
While version 10.0.18 provides critical security fixes for this specific CVE, organizations still running the 10.0 branch must urgently plan their migration to the fully supported 10.1 series.
Moving to version 10.1 ensures uninterrupted access to future security patches and threat mitigations.