Cyber Threat Brief — April 22 2026
⚠️ This report is AI-generated. Always validate findings.
1. Zimbra Classic UI Stored XSS — CVE-2025-48700
TL;DR: CISA KEV addition April 20 with April 23 federal deadline (TOMORROW). Stored XSS in Zimbra Classic UI exploited by UAC-0233 against Ukrainian entities since September 2025 — viewing a crafted email triggers JavaScript execution with zero additional interaction, enabling session hijack, 2FA backup code theft, and mailbox exfiltration.
What’s New:
- CISA KEV addition April 20; FCEB remediation deadline April 23
- CERT-UA attributes exploitation to UAC-0233 targeting Ukrainian state entities since September 2025
- Post-exploitation: mailbox contents compiled into TGZ archive, MFA backup codes harvested, application passwords stolen, global address book exfiltrated
- CSS @import directive bypass defeats HTML sanitization in Classic UI; crafted tag structures + attribute values inject arbitrary JS
- Affects ZCS 8.8.15, 9.0, 10.0, 10.1; patched in ZCS 10.0.18 / 10.1.13 (November 6, 2025)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Emails with CSS @import directives in HTML body | Exploit payload | T1189 | Zimbra /opt/zimbra/log/mailbox.log, mail gateway logs | Hunt — inbound emails containing @import in HTML attributes |
| Session cookie theft via injected JavaScript | Session hijack | T1539 | Zimbra audit log /opt/zimbra/log/audit.log | Hunt — session reuse from different source IPs |
| TGZ archive creation from mailbox contents | Data staging | T1560.001 | Zimbra mailbox.log, filesystem monitoring | Alert — bulk mailbox export operations |
| MFA backup code / app password access | Credential access | T1556 | Zimbra admin audit logs | Hunt — MFA settings access followed by auth from new IP |
| Global address book export | Collection | T1087.003 | Zimbra audit.log | Hunt — GAL export requests from non-admin sessions |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web JSP Request via URL (generic, partial) | No Zimbra Classic UI XSS-specific rule; need CSS @import payload detection in email content |
| Elastic | None | Need: Zimbra audit log session anomaly detection (IP change mid-session) |
| Sigma | None | Need: Zimbra mailbox bulk export and GAL access anomaly rules |
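The two gaps in the table above (CSS @import payloads in email content, and a session that changes source IP mid-session) can be covered with a small hunting script. The following Python is an added example written for this brief; it is not code from CISA, CERT-UA, Zimbra or any of the cited sources. The sample email and audit-log lines are constructed, and the bracketed key=value log layout with name, oip and session fields is an assumption about the log format rather than a documented Zimbra schema; adapt the field names to what your audit.log actually carries.

```python
"""Hunt helpers for the Zimbra Classic UI stored-XSS brief (added example, constructed data)."""
import email
import re
from collections import defaultdict
from email import policy

# CSS @import in a <style> block or style="" attribute. Whitespace or a CSS
# comment between '@' and 'import' is tolerated so that trivial spacing tricks
# do not slip past the hunt. Case-insensitive.
IMPORT_RE = re.compile(r"@\s*(?:/\*.*?\*/\s*)*import\b", re.IGNORECASE | re.DOTALL)

# Generic key=value extractor for the bracketed field list in each log line
# (assumed layout: [name=...;oip=...;session=...;]).
LOG_FIELD_RE = re.compile(r"(\w+)=([^;\]]+)")


def html_parts(raw_message: bytes):
    """Yield the decoded text/html bodies of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def find_css_imports(raw_message: bytes) -> list[str]:
    """Return a short context snippet for every CSS @import found in HTML parts."""
    hits = []
    for html in html_parts(raw_message):
        for match in IMPORT_RE.finditer(html):
            hits.append(html[match.start():match.start() + 60])
    return hits


def sessions_with_ip_change(log_lines) -> list[tuple]:
    """Flag (user, session, previously seen IPs, new IP) when a session's source IP changes."""
    seen = defaultdict(set)  # (user, session) -> set of source IPs observed so far
    anomalies = []
    for line in log_lines:
        fields = dict(LOG_FIELD_RE.findall(line))
        user, sess, ip = fields.get("name"), fields.get("session"), fields.get("oip")
        if not (user and sess and ip):
            continue  # line carries no session context; skip
        key = (user, sess)
        if seen[key] and ip not in seen[key]:
            anomalies.append((user, sess, sorted(seen[key]), ip))
        seen[key].add(ip)
    return anomalies


# Constructed sample: one message carrying @import in a style attribute and in a
# <style> block (with a space after '@'), one benign message. example.invalid is
# a reserved, non-resolving placeholder domain.
SAMPLE_EMAIL = b"""From: sender@example.com
To: alice@example.com
Subject: invoice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>see attached</p>
<div style="@import url(//example.invalid/x.css)">hi</div>
<style>@ import url(y.css);</style></body></html>
"""

BENIGN_EMAIL = b"""From: sender@example.com
To: alice@example.com
Subject: lunch
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p style="color: red">noon?</p></body></html>
"""

# Constructed audit-log-style lines (format assumed, not a documented Zimbra schema).
LOG_LINES = [
    "2026-04-21 09:00:01,100 INFO [name=alice@example.com;oip=203.0.113.5;session=s1;] security - cmd=Auth; result=ok;",
    "2026-04-21 09:05:12,300 INFO [name=alice@example.com;oip=203.0.113.5;session=s1;] security - cmd=GetContacts;",
    "2026-04-21 09:07:40,900 INFO [name=alice@example.com;oip=198.51.100.77;session=s1;] security - cmd=ExportContacts;",
    "2026-04-21 09:10:00,000 INFO [name=bob@example.com;oip=192.0.2.10;session=s2;] security - cmd=Auth; result=ok;",
]

if __name__ == "__main__":
    for snippet in find_css_imports(SAMPLE_EMAIL):
        print("CSS @import hit:", snippet)
    for user, sess, old_ips, new_ip in sessions_with_ip_change(LOG_LINES):
        print(f"session {sess} for {user} moved from {old_ips} to {new_ip}")
```

Run the email check at the mail gateway or over a mailbox store export, and the session check over a day of audit.log; a session that jumps to a new source IP right after mailbox reads or contact export is the pattern the brief's post-exploitation notes describe, and the hit list gives the analyst the offending snippet rather than a bare boolean.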
Sources: CISA KEV April 20 · NVD · HackerNews · CyberExpress
Status Updates
- CVE-2023-27351 (PaperCut NG/MF): CISA KEV addition April 20; legacy 2023 auth bypass (CVSS 8.2) resurging in exploitation; Cl0p/LockBit ransomware attribution; federal deadline May 4; confirm patched to NG/MF 22.0.6+. CISA KEV.
- CVE-2024-27199 (JetBrains TeamCity): CISA KEV addition April 20; legacy 2024 path traversal (CVSS 7.3) with active exploitation; enables limited admin actions including HTTPS cert replacement; federal deadline May 4; confirm patched to TeamCity 2023.11.4+. Splunk blog.
- CVE-2026-20127/20122/20128/20133 (Cisco SD-WAN): Federal deadline TOMORROW April 23 for three companion CVEs added April 20; full SD-WAN Manager attack chain documented. Original brief April 5.
- BlueHammer/RedSun/UnDefend (Microsoft Defender): All three ITW per Huntress; no new artifacts since April 20 IOC update. Original brief April 7.
- CVE-2026-4681 (PTC Windchill): Still no patch; German police physical outreach continues. Original brief March 27.