Detect Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Exploitation in IBM QRadar
Detects exploitation attempts targeting CVE-2025-66376, a cross-site scripting vulnerability in Synacor Zimbra Collaboration Suite (ZCS). This KEV-listed vulnerability allows attackers to inject malicious scripts into the Zimbra web interface, potentially leading to session hijacking, credential theft, or further compromise of email infrastructure. Active exploitation has been confirmed by CISA.
MITRE ATT&CK
QRadar Detection Query
SELECT
sourceip AS src_ip,
"URL" AS request_url,
"Method" AS http_method,
"Response Code" AS response_code,
"User Agent" AS user_agent,
LOGSOURCENAME(logsourceid) AS log_source,
COUNT(*) AS attempt_count,
MIN(starttime) AS first_seen,
MAX(starttime) AS last_seen
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) IN ('Apache HTTP Server', 'Nginx', 'Microsoft IIS', 'F5 BIG-IP')
AND (
"URL" ILIKE '%/zimbra/%'
OR "URL" ILIKE '%/service/home/%'
OR "URL" ILIKE '%/service/soap/%'
)
AND (
"URL" ILIKE '%<script%'
OR "URL" ILIKE '%javascript:%'
OR "URL" ILIKE '%onerror=%'
OR "URL" ILIKE '%onload=%'
OR "URL" ILIKE '%onfocus=%'
OR "URL" ILIKE '%eval(%'
OR "URL" ILIKE '%document.cookie%'
OR "URL" ILIKE '%<svg%onload%'
OR "URL" ILIKE '%<img%onerror%'
)
AND LAST 7 DAYS
GROUP BY sourceip, "URL", "Method", "Response Code", "User Agent"
HAVING attempt_count >= 1
ORDER BY attempt_count DESCQRadar AQL query detecting XSS payload patterns in HTTP requests targeting Zimbra URL paths. Aggregates results by source IP to identify both single exploitation attempts and automated scanning activity.
Data Sources
Required Tables
False Positives & Tuning
- Automated web vulnerability scanners in IT asset discovery programs
- Legitimate HTML content in Zimbra mail preview or forwarding requests
- Security testing tools performing authorized red team assessments
- Misconfigured monitoring agents logging URL content with HTML encoding artifacts
Other platforms for CVE-2025-66376
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Basic Reflected XSS Probe Against Zimbra Login
Expected signal: HTTP request to /zimbra/h/search with '<script>' in query parameter visible in web server access logs and WAF logs. Response code 200 or 302 depending on authentication state.
- Test 2Event Handler XSS Payload via Zimbra Mail Search
Expected signal: HTTP GET request with URL-encoded onerror= payload in query string visible in Zimbra access logs. Source IP and full URI captured in web server logs.
- Test 3SVG-Based XSS Payload Injection via Zimbra SOAP API
Expected signal: HTTP POST to /service/soap/ with SVG onload payload in request body. Body content inspection required — perimeter WAF or SIEM HTTP body logging must be enabled to capture this variant.
- Test 4JavaScript URI Scheme XSS in Zimbra Contact Import
Expected signal: HTTP POST to /service/home/ with multipart form data containing vCard. File upload logged in Zimbra access and mailbox logs. The javascript: URI in vCard URL field tests stored XSS if imported contact is rendered without sanitization.
Unlock Pro Content
Get the full detection package for CVE-2025-66376 including response playbook, investigation guide, and atomic red team tests.