APT28 Exploits Zimbra Vulnerability in Ongoing Attacks Against Ukraine

APT28 Exploits Zimbra Vulnerability in Ongoing Attacks Against Ukraine

First seen 19 Mar 2026, 07:42 UTC BleepingcomputerThehackernewsHeise.DeGbhackersGround.News+2 86% similarity 80.8

Article Content

Browse articles
ThreatCluster

Russian state-backed hackers from APT28 are actively exploiting a high-severity stored cross-site scripting vulnerability (CVE-2025-66376) in the Zimbra Collaboration Suite (ZCS) to target Ukrainian government entities. The flaw allows unauthenticated attackers to execute remote code and harvest sensitive information from compromised email accounts. The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog and mandated that U.S. federal agencies secure their servers by April 1, 2026. The attacks involve phishing emails containing obfuscated JavaScript payloads that exploit the vulnerability when opened in a vulnerable Zimbra session. This campaign, named Operation GhostMail, has already targeted critical infrastructure, including the Ukrainian State Hydrology Agency. Security researchers have noted that Zimbra vulnerabilities have been frequently exploited in recent years, with multiple incidents reported involving state-sponsored actors. Organizations using Zimbra are urged to apply the available patches immediately to mitigate risks.

Key Points: • APT28 is exploiting CVE-2025-66376 in attacks against Ukrainian government entities. • CISA has mandated U.S. federal agencies to secure Zimbra servers by April 1, 2026. • Phishing emails with obfuscated JavaScript payloads are the primary attack vector.

ThreatCluster AI

Timeline

2025-03-12
CVE-2025-27915 published
2026-01-05
CVE-2025-66376 published
2026-01-13
CVE-2026-20963 published
2026-03-04
CVE-2026-20131 published
2026-03-18
CISA adds CVE-2025-66376 to Known Exploited Vulnerabilities list
2026-03-19
APT28 attacks reported targeting Ukrainian government via Zimbra

Community

Browse all →