CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


CVE-2025-66376 · CVSS 7.2 · EPSS 28.82%

CVE-2025-66376: Stored Cross-Site Scripting via CSS @import in Zimbra ZCS Classic UI

Alon Barad, Software Engineer

Mar 19, 2026 · 7 min read

Active Exploitation · CISA KEV Listed

Executive Summary (TL;DR)

The Classic UI of Zimbra Collaboration Suite (ZCS) 10.0.x and 10.1.x does not neutralize CSS @import directives inside the <style> blocks of HTML email, giving an unauthenticated sender a stored XSS primitive. The reported exploitation chain uses it to run JavaScript silently when the victim opens the message, pull mailbox contents through the SOAP API, and capture session tokens.

A critical stored cross-site scripting (XSS) vulnerability exists in the Classic UI of Synacor Zimbra Collaboration Suite (ZCS) versions 10.0.x and 10.1.x. The flaw arises from improper neutralization of CSS @import directives within HTML email bodies, enabling unauthenticated attackers to execute arbitrary JavaScript in the context of the victim's webmail session. State-sponsored actors, specifically APT28, currently exploit this vulnerability in the wild.

Vulnerability Overview

CVE-2025-66376 is a stored cross-site scripting (XSS) vulnerability located within the HTML email rendering engine of the Zimbra Collaboration Suite (ZCS) Classic UI. The vulnerable component fails to properly neutralize Cascading Style Sheets (CSS) directives embedded within incoming email messages. This allows an unauthenticated remote attacker to inject malicious code that persists on the server and executes client-side when the victim accesses the message.

The attack surface is exposed via the standard email delivery mechanism (SMTP). The Classic UI processes and renders the HTML body of the email directly in the user's browser. Because the application does not systematically strip or encode specific CSS features, attackers can leverage the <style> tag to introduce untrusted external resources.

Execution occurs entirely within the context of the victim's authenticated webmail session. The vulnerability requires no user interaction beyond the normal action of opening a received email. Once the payload executes, it inherits the permissions of the authenticated user, allowing it to interface directly with the Zimbra application infrastructure.

State-sponsored threat actors aggressively exploit this vulnerability. Research from Seqrite Labs identifies APT28 utilizing this flaw in an espionage campaign dubbed "Operation GhostMail" targeting Ukrainian government infrastructure. The active exploitation status prompted the Cybersecurity and Infrastructure Security Agency (CISA) to mandate remediation for federal agencies.

Root Cause Analysis

The fundamental flaw resides in the Zimbra Classic UI's HTML sanitization engine. The application applies filtering rules to strip dangerous HTML elements like <script> or <iframe>. However, the engine implements insufficient introspection into the content of allowed tags, specifically the <style> tag.

The sanitizer fails to parse and neutralize the CSS @import directive. When the server processes an incoming HTML email containing a <style> block with an @import rule, the sanitization logic permits the block to pass through unmodified. The payload is subsequently stored in the user's mailbox.

When the victim's browser renders the email, the CSS engine treats the surviving @import as an instruction to load another stylesheet. The attacker either points it at attacker-controlled infrastructure or embeds the payload inline with a data:text/css;base64 URI. In both cases the imported content arrives after the server-side sanitizer has already run, so it is never inspected.

The final step from imported CSS to script execution is where the public description is thinnest. The legacy expression() property is honoured only by old Internet Explorer, and current browsers do not execute JavaScript from a stylesheet on their own, so any working chain against a modern client must rely on how the Classic UI's own handling of the fetched content behaves rather than on the browser's CSS engine; that detail is not spelled out here. The security-relevant point stands regardless: the HTML-level constraints are bypassed because the content that needed inspecting is fetched only after sanitization.

Exploitation and Attack Methodology

Attackers initiate the exploit chain by transmitting a specially crafted HTML email to the target Zimbra server. This email contains no attachments and no standard hyperlinks, which allows it to evade signature-based detection mechanisms and traditional secure email gateways. The payload is entirely self-contained within the HTML structure of the message body.

When the victim opens the email in the ZCS Classic UI, the injected @import rule becomes the hook through which a Stage-1 JavaScript loader is delivered and run. The loader executes silently in the background, with no visible indicator of compromise to the user.

The Stage-1 loader subsequently retrieves a more complex "Browser Stealer" script. This Stage-2 payload is designed specifically to interact with the Zimbra Simple Object Access Protocol (SOAP) API. Because the script executes within the context of the Zimbra webmail domain, it possesses access to the victim's active session cookies and authentication tokens.

The Browser Stealer issues SOAP API requests such as GetMsgRequest and GetContactsRequest to harvest data, retrieving entire email threads, attachments, and address book entries. It then encodes the stolen data and exfiltrates it to attacker-controlled infrastructure, either in HTTP POST bodies or by encoding it into DNS lookups for attacker-controlled hostnames.

Code Analysis and Sanitization Logic

Historically, the Zimbra Classic UI relied on an HTML-centric blocklist approach for content sanitization. The logic analyzed the Document Object Model (DOM) structure of the incoming email, neutralizing explicit script execution vectors. It explicitly permitted the <style> tag to ensure that HTML emails maintained their intended visual formatting.

The vulnerability exists because the application did not implement a dedicated CSS parser. While the HTML tags were filtered, the text content inside the <style> node was treated opaquely. The sanitizer did not construct an Abstract Syntax Tree (AST) of the CSS rules, preventing it from recognizing directives like @import or url() that orchestrate secondary resource fetching.

> [!NOTE]
> The patch introduces a dedicated CSS parsing phase that aggressively evaluates the contents of all inline styles and `<style>` blocks.

In Zimbra versions 10.0.18 and 10.1.13, the vendor implemented a comprehensive fix by updating the sanitization pipeline. The updated engine analyzes the internal syntax of the CSS. It explicitly identifies and strips out @import declarations, url() functions pointing to external resources, and legacy expression() properties.

This remediation strategy represents a shift from superficial HTML filtering to context-aware validation. By parsing the CSS directly, the application effectively neutralizes variant attacks that attempt to obfuscate the external stylesheet loads using encoding techniques or CSS escape sequences.
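The following is an added example, not Zimbra's sanitizer or any code from the Seqrite analysis. It models the two behaviours described in the root cause and code analysis sections: a regex-only HTML filter that drops <script> and <iframe> but passes <style> bodies through opaquely, beside a CSS-aware pass that normalises comments and escape sequences and then strips the directives the 10.0.18 / 10.1.13 fix is described as removing (@import, url(), expression()). The directive list, the sample email and the function names are assumptions made for the demonstration.

```javascript
// Added example (not Zimbra's code): a CSS-aware pass for <style> blocks in
// HTML email, beside a regex-only HTML filter that models the pre-patch
// behaviour. Directive list follows the page: @import, url(), expression().
// The sample email at the bottom is constructed for the demo.

// Normalise CSS so obfuscation cannot hide a keyword from matching:
// strip /* */ comments (`@im/**/port`) and decode CSS escapes (`@\69 mport`).
// Decoding an escaped quote can only widen what is stripped later (fail-closed).
function normalizeCss(css) {
  let out = css.replace(/\/\*[\s\S]*?\*\//g, '');
  out = out.replace(/\\([0-9a-fA-F]{1,6})\s?/g, (_, hex) => {
    const cp = parseInt(hex, 16);
    // CSS maps NUL, surrogates and out-of-range escapes to U+FFFD.
    const bad = cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff);
    return bad ? '\ufffd' : String.fromCodePoint(cp);
  });
  return out.replace(/\\([^\n])/g, '$1');
}

// Index just past the end of an at-rule prelude beginning at `start`: the
// first ';' outside quotes/parentheses, or the position of a '{' or '}'.
function atRuleEnd(css, start) {
  let depth = 0, quote = null;
  for (let i = start; i < css.length; i++) {
    const c = css[i];
    if (quote) { if (c === quote) quote = null; continue; }
    if (c === '"' || c === "'") quote = c;
    else if (c === '(') depth++;
    else if (c === ')') depth = Math.max(0, depth - 1);
    else if (depth === 0 && c === ';') return i + 1;
    else if (depth === 0 && (c === '{' || c === '}')) return i;
  }
  return css.length;
}

// Index just past the ')' closing a function call whose '(' precedes `start`.
function callEnd(css, start) {
  let depth = 1, quote = null;
  for (let i = start; i < css.length; i++) {
    const c = css[i];
    if (quote) { if (c === quote) quote = null; continue; }
    if (c === '"' || c === "'") quote = c;
    else if (c === '(') depth++;
    else if (c === ')' && --depth === 0) return i + 1;
  }
  return css.length;
}

// Remove every match of the global regex `re` through the end computed by
// `endOf`, recording the removed text for logging or alerting.
function cutAll(css, re, endOf, removed) {
  let out = '', last = 0, m;
  while ((m = re.exec(css)) !== null) {
    const end = endOf(css, m.index + m[0].length);
    removed.push(css.slice(m.index, end).trim());
    out += css.slice(last, m.index);
    last = end;
    re.lastIndex = end;
  }
  return out + css.slice(last);
}

// The CSS pass: @import rules first (so their url() is not double counted),
// then remaining url() and legacy expression() calls.
function stripCssDirectives(rawCss) {
  const removed = [];
  let css = normalizeCss(rawCss);
  css = cutAll(css, /@import\b/gi, atRuleEnd, removed);
  css = cutAll(css, /\burl\s*\(/gi, callEnd, removed);
  css = cutAll(css, /\bexpression\s*\(/gi, callEnd, removed);
  return { css, removed };
}

// Pre-patch model: drop <script>/<iframe>, pass <style> bodies through untouched.
function legacySanitizeHtml(html) {
  return html.replace(/<(script|iframe)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
}

// Patched model: the same HTML filtering plus the CSS pass over every <style> body.
function hardenedSanitizeHtml(html) {
  const removed = [];
  const out = legacySanitizeHtml(html).replace(
    /(<style\b[^>]*>)([\s\S]*?)(<\/style\s*>)/gi,
    (_, open, body, close) => {
      const r = stripCssDirectives(body);
      removed.push(...r.removed);
      return open + r.css + close;
    });
  return { html: out, removed };
}

// Constructed sample: benign styling plus an obfuscated @import carrying a
// data: URI and a legacy expression() property.
const SAMPLE_EMAIL_HTML = [
  '<html><body><script>alert(1)</script><style>',
  '  .hdr { color: #333; font-family: Arial; }',
  '  @\\69 mp/**/ort url("data:text/css;base64,Ym9keXtjb2xvcjpyZWR9");',
  '  .x { width: expression(alert(document.cookie)); }',
  '</style><p class="hdr">Quarterly report</p></body></html>',
].join('\n');

console.log(legacySanitizeHtml(SAMPLE_EMAIL_HTML).includes('@\\69 mp/**/ort')); // true
console.log(hardenedSanitizeHtml(SAMPLE_EMAIL_HTML).removed);
```

The `removed` list doubles as a gateway-side detector: running `hardenedSanitizeHtml` over the HTML part of inbound mail and alerting when it is non-empty catches the obfuscated `@\69 mp/**/ort` form that a plain string match for `@import` would miss. Production sanitizers block a longer property list than the three named on this page, and use a real CSS tokenizer rather than normalise-then-regex, but the ordering matters in both: decode escapes and strip comments before matching, and cut from the keyword to the structural end of the rule rather than to the first semicolon (the data: URI here contains one).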

Impact Assessment

Successful exploitation of CVE-2025-66376 yields arbitrary JavaScript execution within the victim's authenticated webmail session. The attacker inherits the full permissions of the user, enabling the silent extraction of sensitive communications, corporate intellectual property, and internal contact directories.

The primary consequence is a complete breach of confidentiality for the targeted mailbox. The malicious script utilizes the Zimbra SOAP API to systematically download email contents and attachments. Furthermore, the extraction of session credentials allows the attacker to maintain persistent access to the account from external infrastructure, completely bypassing the need for the victim's browser.

The CVSS v3.1 base score of 7.2 places this vulnerability in the High band. The published vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) records a network attack vector, low complexity, and no privileges, since the sender needs no account on the target to deliver the message. Scope is changed because the vulnerable component is the server-side rendering pipeline while the impact lands in the victim's browser. One caveat for anyone re-scoring locally: the vector records user interaction as None, whereas the chain described above fires when the recipient opens the message; the vector is reproduced here as published.

The operational impact is severe, as evidenced by the EPSS score of 0.28822 (96.50th percentile) and active exploitation by APT28. Compromised webmail accounts frequently serve as initial footholds for broader network intrusion, facilitating lateral phishing campaigns against internal employees or external partners using a trusted sender identity.

Remediation and Mitigation Strategies

The definitive remediation for CVE-2025-66376 is to update the Zimbra Collaboration Suite to patched versions. System administrators must upgrade ZCS 10.0.x deployments to version 10.0.18, and ZCS 10.1.x deployments to version 10.1.13. These releases incorporate the updated HTML and CSS sanitization logic required to neutralize the @import vector.

For organizations unable to deploy the patch immediately, administrators should instruct all users to transition to the Modern UI. The Modern UI utilizes a distinct rendering engine and component architecture that is not susceptible to this specific CSS parsing failure. Disabling access to the Classic UI entirely provides an effective temporary mitigation.

Security operations teams should monitor where the content is actually visible. Mail arrives over SMTP, so content inspection belongs at the MTA or secure email gateway rather than on HTTPS webmail traffic: flag HTML parts whose <style> blocks contain @import rules, especially ones using data: URIs or referencing external hosts, and remember that CSS comments and escape sequences (for example `@\69 mport`) can hide the keyword from a naive string match. On the egress side, anomalous DNS queries or POST requests from client subnets to unrecognised domains can reveal the exfiltration phase.

Application-level auditing is crucial for post-compromise detection. Review the Zimbra proxy access logs and mailbox.log for SOAP activity. The Classic web client appends the request name to the SOAP endpoint path (for example /service/soap/GetMsgRequest), so the call type is visible in the proxy access log even without SOAP body logging; confirm this against your own deployment before building rules on it. A high-frequency run of GetMsgRequest or GetContactsRequest calls from a single session shortly after a message was opened is a high-confidence indicator of compromise, since legitimate client use retrieves messages at human pace.
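As an added example of the log review described above (not Zimbra's own tooling and not from the Seqrite analysis), the script below counts mailbox-harvesting SOAP calls per client in a sliding window over a proxy access log. It assumes the log is in the common "combined" format and that the request name appears in the URL path as /service/soap/<RequestName>; both assumptions should be checked against a real deployment. The log lines are constructed for the demonstration, and source IP plus User-Agent stands in for the session, which the access log does not carry.

```javascript
// Added example (not Zimbra's own tooling): flag bursts of mailbox-harvesting
// SOAP calls in the Zimbra proxy access log. Assumptions to verify locally:
// combined log format, and the web client posting to /service/soap/<RequestName>.
// The log lines at the bottom are constructed for the demo.

// The calls the page names as the harvesting primitives.
const HARVEST_REQUESTS = new Set(['GetMsgRequest', 'GetContactsRequest']);

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "17/Mar/2026:09:14:02 +0000" -> epoch milliseconds (UTC), or null.
function parseClfTime(s) {
  const m = /^(\d{2})\/([A-Za-z]{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m || MONTHS[m[2]] === undefined) return null;
  const [, d, mon, y, hh, mm, ss, sign, oh, om] = m;
  const local = Date.UTC(+y, MONTHS[mon], +d, +hh, +mm, +ss);
  const offset = ((+oh) * 60 + (+om)) * 60000 * (sign === '+' ? 1 : -1);
  return local - offset;
}

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

// One combined-format line -> parsed record, or null if it does not match.
function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  const time = parseClfTime(m[2]);
  if (time === null) return null;
  const soap = /^\/service\/soap\/([A-Za-z]+)/.exec(m[4]);
  return { ip: m[1], time, method: m[3], path: m[4], status: +m[5],
           userAgent: m[6], soapRequest: soap ? soap[1] : null };
}

// Sliding-window count of successful harvesting calls per client. Returns one
// alert per client whose busiest `windowMs` window reaches `threshold`.
function detectHarvestBursts(logText, { windowMs = 60000, threshold = 20 } = {}) {
  const byClient = new Map();
  for (const line of logText.split('\n')) {
    const e = parseLine(line);
    if (!e || e.method !== 'POST' || e.status !== 200 ||
        !HARVEST_REQUESTS.has(e.soapRequest)) continue;
    const key = `${e.ip} ${e.userAgent}`;
    if (!byClient.has(key)) byClient.set(key, []);
    byClient.get(key).push(e);
  }
  const alerts = [];
  for (const [client, events] of byClient) {
    events.sort((a, b) => a.time - b.time);
    let best = null;
    for (let lo = 0, hi = 0; hi < events.length; hi++) {
      while (events[hi].time - events[lo].time > windowMs) lo++;
      const count = hi - lo + 1;
      if (count >= threshold && (!best || count > best.count)) {
        best = { client, count,
                 from: new Date(events[lo].time).toISOString(),
                 to: new Date(events[hi].time).toISOString() };
      }
    }
    if (best) alerts.push(best);
  }
  return alerts;
}

// Constructed log: one user reading mail at human pace, and one session that
// issues 30 GetMsg/GetContacts calls in 30 seconds right after a NoOpRequest.
const UA = 'Mozilla/5.0 (X11; Linux x86_64) Firefox/136.0';
const clf = (ip, hms, req, bytes) =>
  `${ip} - - [17/Mar/2026:${hms} +0000] "POST /service/soap/${req} HTTP/1.1" 200 ${bytes} "-" "${UA}"`;
const SAMPLE_LOG = [
  clf('198.51.100.9', '09:01:10', 'GetMsgRequest', 7012),
  clf('198.51.100.9', '09:06:41', 'GetMsgRequest', 5120),
  clf('198.51.100.9', '09:12:03', 'GetContactsRequest', 3300),
  clf('203.0.113.7', '09:14:02', 'NoOpRequest', 512),
  ...Array.from({ length: 30 }, (_, i) =>
    clf('203.0.113.7', `09:14:${String(5 + i).padStart(2, '0')}`,
        i % 5 === 4 ? 'GetContactsRequest' : 'GetMsgRequest', 9000 + i * 37)),
].join('\n');

console.log(detectHarvestBursts(SAMPLE_LOG));
```

The threshold and window are starting points, not tuned values: measure the per-session rate of GetMsgRequest for your own user population first, and expect searching or bulk-export features to produce legitimate bursts. Because the alert keys on source IP and User-Agent, a correlation step against mailbox.log (which records the authenticated account) is needed to turn an alert into a named victim.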

Official Patches

Synacor: Zimbra 10.0.18 Release Notes

Technical Appendix

CVSS Score: 7.2 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS Probability: 28.82% (top 4% most exploited)

Affected Systems

  • Synacor Zimbra Collaboration Suite (ZCS) Classic UI
  • ZCS 10.0.x
  • ZCS 10.1.x

Affected Versions Detail

| Product | Vendor | Affected Versions | Fixed Version |
| --- | --- | --- | --- |
| Zimbra Collaboration Suite (ZCS) | Synacor | 10.0.0 - 10.0.17 | 10.0.18 |
| Zimbra Collaboration Suite (ZCS) | Synacor | 10.1.0 - 10.1.12 | 10.1.13 |

| Attribute | Detail |
| --- | --- |
| CWE ID | CWE-79 |
| Attack Vector | Network |
| CVSS Score | 7.2 |
| EPSS Score | 0.28822 |
| Exploit Status | Active Exploitation (APT28) |
| CISA KEV | Added (2026-03-18) |

MITRE ATT&CK Mapping

  • T1189 Drive-by Compromise (Initial Access)
  • T1185 Browser Session Hijacking (Collection)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Known Exploits & Detection

Seqrite Labs: Technical analysis of Operation GhostMail detailing APT28 exploitation methodology.

Vulnerability Timeline

  • 2025-11-06: Zimbra releases ZCS 10.0.18 and 10.1.13 containing the fix.
  • 2026-01-05: CVE-2025-66376 is officially published in the NVD.
  • 2026-03-17: Seqrite Labs publishes "Operation GhostMail," detailing APT28 exploitation.
  • 2026-03-18: CISA adds CVE-2025-66376 to the Known Exploited Vulnerabilities (KEV) catalog.

References & Sources

  • [1] Zimbra Security Center
  • [2] Zimbra 10.0.18 Release Notes
  • [3] Seqrite Labs Analysis (Operation GhostMail)
  • [4] CISA KEV Catalog
  • [5] NVD Record: CVE-2025-66376
