CVE-2025-66376

Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Exploitation

Detects exploitation attempts targeting CVE-2025-66376, a cross-site scripting vulnerability in Synacor Zimbra Collaboration Suite (ZCS). This KEV-listed vulnerability allows attackers to inject malicious scripts into the Zimbra web interface, potentially leading to session hijacking, credential theft, or further compromise of email infrastructure. Active exploitation has been confirmed by CISA.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Synacor
Product
Zimbra Collaboration Suite (ZCS)

Weakness (CWE)

Timeline

Disclosed
March 18, 2026

CVSS

Unscored

What is CVE-2025-66376 Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Exploitation?

Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Exploitation (CVE-2025-66376) maps to the MITRE ATT&CK tactics Initial Access, Credential Access and Collection: the adversary is trying to get into your network, steal account credentials and gather data of interest.

This page provides production-ready detection logic for Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Exploitation, covering the data sources and telemetry it touches: CommonSecurityLog, W3CIISLog, Azure WAF Logs, Nginx Access Logs. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access, Credential Access, Collection
Microsoft Sentinel / Defender (KQL)

```kusto
// Look at the last 7 days of CEF-style web/WAF events and IIS logs
union CommonSecurityLog, W3CIISLog
| where TimeGenerated >= ago(7d)
// Scope to Zimbra web UI and the /service/home/ REST/upload endpoint
| where (RequestURL contains "/zimbra/" or csUriStem contains "/zimbra/" or RequestURL contains "/service/home/" or csUriStem contains "/service/home/")
// Match common XSS primitives: tags, event handlers, javascript: URIs, cookie/location access
| where (
    RequestURL matches regex @"(?i)(<script|javascript:|onerror=|onload=|onmouseover=|onfocus=|<img[^>]+src=|<svg[^>]+onload=|<iframe|<body[^>]+on\w+=|eval\(|document\.cookie|window\.location)"
    or csUriStem matches regex @"(?i)(<script|javascript:|onerror=|onload=|onmouseover=|onfocus=|<img[^>]+src=|<svg[^>]+onload=|<iframe|<body[^>]+on\w+=|eval\(|document\.cookie|window\.location)"
    // RequestBody is not a standard column of either table; keep this clause only if your
    // WAF/proxy connector populates a body field (the SOAP-body variant in Test 3 needs it)
    or RequestBody matches regex @"(?i)(<script|javascript:|onerror=|onload=|eval\(|document\.cookie)"
)
// Normalise field names across the two schemas
| extend SourceIP = coalesce(SourceIP, cIP)
| extend RequestPath = coalesce(RequestURL, csUriStem)
| project TimeGenerated, SourceIP, RequestPath, RequestMethod = coalesce(RequestMethod, csMethod), ResponseCode = coalesce(EventOutcome, scStatus), UserAgent = coalesce(RequestClientApplication, csUserAgent)
// Aggregate per source to surface scanners and repeated exploitation attempts
| summarize AttemptCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), RequestPaths = make_set(RequestPath, 20) by SourceIP, UserAgent
// Threshold of 1 alerts on every match; raise it to tune out single-shot scanner noise
| where AttemptCount >= 1
| extend RiskScore = case(AttemptCount >= 10, "High", AttemptCount >= 3, "Medium", "Low")
| sort by AttemptCount desc
```

Detects HTTP requests to Zimbra web paths containing XSS payloads including script tags, event handlers, and JavaScript URI schemes. Aggregates by source IP and user agent to surface scanning and exploitation patterns.
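The same detection logic applied to Nginx access logs (one of the data sources listed below), as an added example that is not part of the original page's query pack. It assumes the Nginx "combined" log format and adds one step the KQL rule does not perform: URL-decoding the request path before matching, so the encoded onerror= variant from Test 2 is caught while an ordinary encoded Zimbra search is not.

```python
import re
from collections import defaultdict
from urllib.parse import unquote
# Nginx "combined" log format (assumed; adjust if your Zimbra proxy logs differently).
NGINX_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                      r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
ZIMBRA_PATHS = ("/zimbra/", "/service/home/")
# Same payload pattern set as the KQL rule above.
XSS_RE = re.compile(r"(<script|javascript:|onerror=|onload=|onmouseover=|onfocus=|<img[^>]+src=|"
                    r"<svg[^>]+onload=|<iframe|<body[^>]+on\w+=|eval\(|document\.cookie|window\.location)", re.I)

def decode_path(path: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times so %3Cscript%3E and double-encoded variants are inspected."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_suspicious(path: str) -> bool:
    """Match only on Zimbra paths, after decoding, mirroring the KQL scoping."""
    decoded = decode_path(path)
    return any(p in decoded for p in ZIMBRA_PATHS) and XSS_RE.search(decoded) is not None

def risk_score(count: int) -> str:
    return "High" if count >= 10 else "Medium" if count >= 3 else "Low"

def detect(log_lines):
    """Aggregate matching requests by (source IP, user agent), as the KQL summarize step does."""
    hits = defaultdict(lambda: {"count": 0, "paths": []})
    for line in log_lines:
        m = NGINX_RE.match(line)
        if m and is_suspicious(m["path"]):
            entry = hits[(m["ip"], m["ua"])]
            entry["count"] += 1
            if m["path"] not in entry["paths"]:
                entry["paths"].append(m["path"])
    return {k: dict(v, risk=risk_score(v["count"])) for k, v in hits.items()}

# Constructed sample lines (not real traffic): a plain probe, a URL-encoded event-handler
# variant that a raw-URL match would miss, a benign Zimbra search, and an out-of-scope path.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Mar/2026:10:01:02 +0000] "GET /zimbra/h/search?query=<script> HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [18/Mar/2026:10:01:05 +0000] "GET /zimbra/h/search?query=%3Cimg%20src%3Dx%20onerror%3D1%3E HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.9 - - [18/Mar/2026:10:02:00 +0000] "GET /zimbra/h/search?query=from%3Aalice%20subject%3Aonboarding HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Mar/2026:10:03:00 +0000] "GET /blog/?s=<script> HTTP/1.1" 404 120 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    for (ip, ua), e in detect(SAMPLE_LOG).items():
        print(ip, ua, e["count"], e["risk"], e["paths"])
```

Running it reports only the curl source with two distinct paths at "Low" risk; the encoded legitimate search and the non-Zimbra path produce no hit.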

high severity medium confidence

Data Sources

CommonSecurityLog, W3CIISLog, Azure WAF Logs, Nginx Access Logs

Required Tables

CommonSecurityLog, W3CIISLog

False Positives

  • Security scanners and vulnerability assessment tools probing Zimbra endpoints
  • Penetration testing engagements with authorized scope covering mail infrastructure
  • HTML content in legitimate email forwarding or preview requests containing encoded angle brackets
  • URL encoding in legitimate Zimbra search queries that partially match XSS patterns

Sigma rule & cross-platform mapping

The detection logic for Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Exploitation (CVE-2025-66376) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure

Last updated: 2026-06-19 Research depth: standard

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Basic Reflected XSS Probe Against Zimbra Login

    Expected signal: HTTP request to /zimbra/h/search with '<script>' in query parameter visible in web server access logs and WAF logs. Response code 200 or 302 depending on authentication state.

  2. Test 2: Event Handler XSS Payload via Zimbra Mail Search

    Expected signal: HTTP GET request with URL-encoded onerror= payload in query string visible in Zimbra access logs. Source IP and full URI captured in web server logs.

  3. Test 3: SVG-Based XSS Payload Injection via Zimbra SOAP API

    Expected signal: HTTP POST to /service/soap/ with SVG onload payload in request body. Body content inspection required — perimeter WAF or SIEM HTTP body logging must be enabled to capture this variant.

  4. Test 4: JavaScript URI Scheme XSS in Zimbra Contact Import

    Expected signal: HTTP POST to /service/home/ with multipart form data containing vCard. File upload logged in Zimbra access and mailbox logs. The javascript: URI in vCard URL field tests stored XSS if imported contact is rendered without sanitization.
