CVE-2025-66376: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Zimbra Collaboration
Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
AI Analysis
Technical Summary
CVE-2025-66376 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 that affects Zimbra Collaboration Server (ZCS) versions 10.0 before 10.0.18 and 10.1 before 10.1.13. The vulnerability is rooted in the Classic UI's inadequate sanitization of CSS @import directives embedded within HTML email messages. When a maliciously crafted email containing such directives is received and rendered in the Classic UI, the embedded CSS can trigger script execution in the user's browser context. This occurs because the input is not properly neutralized during web page generation, allowing an attacker to inject and execute arbitrary JavaScript code. The CVSS v3.1 base score is 7.2, reflecting a high severity with the attack vector being network-based (AV:N), requiring no privileges (PR:N) and no user interaction (UI:N). The scope is changed (S:C), indicating that the vulnerability affects components beyond the initially vulnerable component, and it impacts confidentiality and integrity (C:L/I:L) but not availability (A:N). Exploitation could lead to theft of session tokens, unauthorized actions on behalf of the user, or further compromise of the affected system. Although no known exploits are reported in the wild, the ease of exploitation and the broad attack surface of email clients make this a critical concern for organizations relying on Zimbra Collaboration. The lack of available patches at the time of publication necessitates immediate attention to mitigation strategies.
Potential Impact
The vulnerability allows attackers to execute arbitrary scripts in the context of users viewing malicious emails in the Classic UI of affected Zimbra Collaboration versions. This can lead to unauthorized disclosure of sensitive information such as session cookies, credentials, or internal data accessible via the user's browser session. Attackers could also perform actions on behalf of the user, potentially leading to account compromise or lateral movement within an organization’s network. Since the attack vector is network-based and requires no authentication or user interaction, the risk of widespread exploitation is significant. The integrity of user data and communications is at risk, and confidentiality breaches could expose sensitive organizational information. While availability is not directly impacted, the indirect consequences of compromised accounts or data leaks could disrupt business operations and erode trust in the affected systems.
Mitigation Recommendations
Organizations should upgrade Zimbra Collaboration Server to 10.0.18 or later on the 10.0 branch, or 10.1.13 or later on the 10.1 branch, as soon as those patches are released. Until patches are available, administrators should consider disabling the Classic UI or restricting access to it, since the vulnerability affects only this interface. Email filtering that blocks or quarantines messages whose HTML contains CSS @import directives or otherwise unusual markup can reduce exposure. Content Security Policy (CSP) headers on the webmail interface can restrict the execution of unauthorized scripts. Logs should be audited and monitored regularly for activity indicative of XSS exploitation attempts, and users should be reminded to treat email from unknown or untrusted sources with caution. Web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting Zimbra Collaboration add a further layer. Finally, a robust incident response plan should be in place to address any suspected compromise resulting from this vulnerability quickly.
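The email-filtering step above is the one a mail administrator can act on before a patch is installed. The following is an added example, not Zimbra's code and not part of this advisory: a gateway-side check that walks every text/html part of an inbound message, collects the CSS from `<style>` elements and inline `style` attributes, undoes CSS hex escapes so an obfuscated directive is not missed, and reports any chunk carrying `@import`. The three sample messages, the `example.test` / `example.invalid` addresses and the function names are all constructed for the demonstration.

```python
"""Mail-gateway check: flag HTML e-mail whose CSS carries @import directives.

Added example (not Zimbra's own code). A content filter that a mail gateway
could run on inbound messages before delivery, quarantining HTML parts that
contain CSS @import directives, the vector the advisory describes. All sample
messages and addresses below are constructed for the demonstration.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# "@import" as a CSS at-rule, case-insensitive. Hex escapes such as "@\69mport"
# are resolved by _normalise_css() before this pattern is applied.
IMPORT_RE = re.compile(r"@import\b", re.IGNORECASE)
# CSS hex escape: backslash, 1-6 hex digits, optional single whitespace.
ESCAPE_RE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?")
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)


def _normalise_css(css: str) -> str:
    """Undo CSS hex escapes and strip comments so an obfuscated '@import' is visible."""
    css = ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), css)
    return COMMENT_RE.sub("", css)


class _StyleCollector(HTMLParser):
    """Collect the text of <style> elements and the value of every style="" attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.in_style = False
        self.css_chunks: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        for name, value in attrs:
            if name == "style" and value:
                self.css_chunks.append(value)

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        # HTMLParser delivers <style> bodies as raw data (CDATA content).
        if self.in_style:
            self.css_chunks.append(data)


def css_imports_in_html(html: str) -> list[str]:
    """Return each (normalised) CSS chunk from the HTML that contains an @import directive."""
    parser = _StyleCollector()
    parser.feed(html)
    parser.close()
    return [
        _normalise_css(chunk).strip()
        for chunk in parser.css_chunks
        if IMPORT_RE.search(_normalise_css(chunk))
    ]


def scan_message(raw: bytes) -> list[str]:
    """Scan every text/html part of an RFC 5322 message; return the offending CSS chunks."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(css_imports_in_html(part.get_content()))
    return findings


def should_quarantine(raw: bytes) -> bool:
    """Gateway decision: hold the message if any HTML part carries a CSS @import."""
    return bool(scan_message(raw))


def build_sample(html: str) -> bytes:
    """Construct a multipart/alternative test message around the given HTML body."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = "constructed sample"
    m.set_content("plain text alternative")
    m.add_alternative(html, subtype="html")
    return m.as_bytes()


# Constructed samples: ordinary styling, a plain @import, and a hex-escaped @import.
SAMPLE_BENIGN = build_sample(
    '<html><head><style>body{font-family:sans-serif}</style></head>'
    '<body><p style="color:#333">Hello</p></body></html>'
)
SAMPLE_IMPORT = build_sample(
    '<html><head><style>@import url("https://css.example.invalid/a.css");</style></head>'
    '<body>Hello</body></html>'
)
SAMPLE_OBFUSCATED = build_sample(
    '<html><head><style>@\\69mport url(https://css.example.invalid/b.css);</style></head>'
    '<body>Hello</body></html>'
)

if __name__ == "__main__":
    for label, raw in (("benign", SAMPLE_BENIGN), ("import", SAMPLE_IMPORT),
                       ("obfuscated", SAMPLE_OBFUSCATED)):
        print(f"{label:11s} quarantine={should_quarantine(raw)} findings={scan_message(raw)}")
```

This is a heuristic for the gateway, not a fix: it only sees what arrives over SMTP, and the upgrade remains the remediation. It does deliberately scan `style` attributes as well as `<style>` bodies, even though `@import` is only meaningful at the top of a stylesheet, so that nothing slips through on a technicality of where the directive was placed.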
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, India, Japan, South Korea, Brazil, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-28T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695bd2af3dc84013b27cfcec
Added to database: 1/5/2026, 3:03:11 PM
Last enriched: 3/18/2026, 6:13:00 PM
Last updated: 3/25/2026, 10:32:48 AM