
Security Alert: Zimbra Collaboration Suite XSS Vulnerability Updates – March 2026

Zimbra has released security updates to address a vulnerability in the Zimbra Collaboration Suite (ZCS), identified as CVE-2025-66376. This vulnerability is a stored cross-site scripting (XSS) flaw affecting the Classic UI of ZCS.

 

Affected Systems

 
  • Zimbra Collaboration Suite (ZCS): Versions 10.0 prior to 10.0.18 and versions 10.1 prior to 10.1.13
 

Security Risks

 

Successful exploitation of this vulnerability allows attackers to inject and execute malicious scripts within the Zimbra webmail interface, potentially resulting in session hijacking, theft of authentication credentials and sensitive email data, and unauthorized access to mailboxes and organizational information.

 

Recommended Actions

 

The National Cyber Security Authority (NCSA) recommends that users and system administrators:

  • Follow Zimbra's Security Advisories to lower the risk of potential exploits, protect systems, and ensure their security.
  • Apply the required and latest security updates as soon as possible.
 

The released software versions to upgrade to include, but are not limited to:

  • Zimbra Collaboration Suite: Upgrade to version 10.0.18 or above, or version 10.1.16 or above.
  • Before any update task, please ensure you have a recent backup that can easily be restored.
 

For further information and support, please contact the National Cyber Security Authority (NCSA) by email to rwcsirt@ncsa.gov.rw or call us on 9009.

 


19 March 2026

© 2026 National Cyber Security Authority