Zimbra Zero-Day Exploited via Malicious ICS Files Targeting Brazilian Military
A critical security vulnerability in Zimbra Collaboration Suite, tracked as CVE-2025-27915, was exploited as a zero-day in targeted cyberattacks against the Brazilian military. The flaw, a stored cross-site scripting (XSS) vulnerability in the Classic Web Client, resulted from insufficient sanitization of HTML content in ICS (iCalendar) calendar files. Attackers leveraged this vulnerability by sending malicious ICS files embedded with JavaScript code, which executed when a user viewed an email containing the crafted calendar entry. The JavaScript payload enabled arbitrary code execution within the victim's session, allowing attackers to perform unauthorized actions such as setting email filters to redirect messages to attacker-controlled addresses. This facilitated data exfiltration, including the theft of credentials, emails, contacts, and shared folders from compromised Zimbra accounts. The malicious campaign involved threat actors spoofing the Libyan Navy's Office of Protocol to deliver the exploit to Brazilian military targets. The ICS files used in the attack were notably large and contained obfuscated JavaScript, often encoded in Base64 to evade detection. The payload was designed to operate asynchronously and utilized Immediately Invoked Function Expressions (IIFEs) for execution. Researchers at StrikeReady Labs discovered the attack by monitoring for unusually large ICS attachments containing JavaScript. The campaign began at the start of January 2025, prior to Zimbra releasing patches for the vulnerability. Zimbra addressed the issue in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5, released on January 27, 2025, but did not initially disclose that the vulnerability had been exploited in the wild. The attack also included mechanisms to hide certain user interface elements, further reducing the likelihood of detection by end users. The malicious script searched for emails in specific folders and added filter rules named "Correo" to forward messages to a ProtonMail address controlled by the attackers. The exfiltrated data was sent to an external server, ffrk[.]net, under the attackers' control. The exploitation of this vulnerability highlights the risks associated with insufficient input sanitization in webmail platforms and the effectiveness of social engineering tactics, such as spoofing trusted entities. The incident underscores the importance of timely patching and monitoring for anomalous file attachments in email systems. Security researchers recommend organizations using Zimbra Collaboration Suite apply the latest patches and review email filtering rules for signs of compromise. The attack demonstrates the evolving sophistication of threat actors in leveraging zero-day vulnerabilities for targeted espionage campaigns against high-value organizations.
Timeline
Oct 7, 2025
CISA adds CVE-2025-27915 to the KEV catalog
CISA added Synacor Zimbra Collaboration Suite flaw CVE-2025-27915 to its Known Exploited Vulnerabilities catalog, formally recognizing active exploitation. The agency required Federal Civilian Executive Branch agencies to remediate the issue by October 28, 2025 under BOD 22-01.
Oct 5, 2025
StrikeReady discloses zero-day exploitation details
StrikeReady publicly reported that CVE-2025-27915 had been exploited as a zero-day through malicious .ICS calendar files in attacks against Zimbra users. The researchers described the JavaScript payload, exfiltration to attacker infrastructure including ffrk.net, mailbox enumeration via the Zimbra SOAP API, persistence through forwarding rules, and evasion techniques, while stopping short of firm attribution.
Jan 1, 2025
Zimbra patches CVE-2025-27915
Zimbra released a fix for the stored XSS vulnerability CVE-2025-27915 in 2025, after it had already been exploited in the wild. Reports indicate the issue was patched in January 2025, with some coverage specifically citing inclusion in ZCS 10.1.9 released in June 2025.
Jan 1, 2025
Brazilian military targeted with malicious Zimbra ICS emails
Earlier in 2025, an unknown threat actor spoofing the Libyan Navy’s Office of Protocol sent weaponized iCalendar (.ICS) emails to target Brazil’s military. Opening the calendar content in Zimbra triggered a then-zero-day stored XSS flaw that enabled theft of credentials, emails, contacts, and other mailbox data, and in some cases creation of malicious mail-forwarding rules.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Threat Actors
Organizations
Sources
4 more from sources like the hacker news, dark reading, securityaffairs and bleeping computer
Related Stories
Actively Exploited Zimbra XSS Leaves Over 10,000 Servers Exposed
More than 10,000 internet-exposed **Zimbra Collaboration Suite** servers remain vulnerable to `CVE-2025-48700`, an actively exploited cross-site scripting flaw that affects ZCS versions `8.8.15`, `9.0`, `10.0`, and `10.1`. The bug lets unauthenticated attackers execute arbitrary JavaScript in a victim’s session and steal sensitive data when a user opens a malicious email in the **Zimbra Classic UI**. Synacor released patches in June 2025, but Shadowserver still reported roughly **10,500** exposed unpatched systems, with the largest concentrations in Asia and Europe. **CISA** has added `CVE-2025-48700` to its **Known Exploited Vulnerabilities** catalog and ordered Federal Civilian Executive Branch agencies to secure affected servers within days because the flaw is being abused in the wild. The warning follows a broader pattern of Zimbra vulnerabilities being used in espionage-focused campaigns, with reporting linking earlier exploitation of similar flaws to Russian-aligned groups including **APT28**, **APT29**, and **Winter Vivern** against Ukrainian entities, NATO-aligned organizations, and other targets.
5 days ago
Zimbra Webmail Classic UI Local File Inclusion Vulnerability
A high-severity Local File Inclusion (LFI) vulnerability has been identified in the Webmail Classic UI of *Zimbra Collaboration Suite* (ZCS) versions 10.0 and 10.1. The flaw, tracked as `CVE-2025-68645`, arises from improper handling of user-supplied request parameters in the `RestFilter` servlet, allowing unauthenticated remote attackers to craft requests to the `/h/rest` endpoint and include arbitrary files from the WebRoot directory. This vulnerability exposes internal files to attackers, potentially leading to the disclosure of sensitive information and further compromise of affected Zimbra installations. Security researchers have highlighted the risk that this LFI vulnerability poses, as it can be exploited without authentication and may serve as a stepping stone for more advanced attacks. Organizations using Zimbra Collaboration Suite are urged to review their deployments and apply any available patches or mitigations to prevent exploitation. The vulnerability has been assigned a CVSS 3.1 score of 8.8, reflecting its high impact and ease of exploitation.
1 months ago
CISA Adds Actively Exploited Zimbra XSS Flaw to KEV Catalog
**CISA** added **CVE-2025-66376** to its **Known Exploited Vulnerabilities (KEV)** catalog after confirming active exploitation of a **stored cross-site scripting (XSS)** flaw in **Synacor Zimbra Collaboration Suite (ZCS)**. The vulnerability affects the *Classic UI* and allows remote unauthenticated attackers to abuse CSS `@import` directives embedded in email HTML, creating a path to execute malicious JavaScript in a victim's browser session. The KEV entry describes the issue as a **CWE-79** XSS vulnerability and directs organizations to apply vendor mitigations, follow **BOD 22-01** guidance for cloud services, or discontinue use if mitigations are unavailable. CISA ordered **Federal Civilian Executive Branch (FCEB)** agencies to remediate the flaw by **April 1**, while also urging private-sector organizations to patch quickly because the bug is being exploited in the wild. Reporting on the KEV addition notes that the flaw was patched by Zimbra earlier and could enable session hijacking and theft of sensitive data within affected Zimbra environments through malicious HTML email content. The same KEV update also included other unrelated vulnerabilities, but the Zimbra entry is the relevant event tied to the active exploitation warning and federal patching directive.
1 months ago