Hackers Exploit Zimbra Vulnerability as 0-Day with Weaponized iCalendar Files

Published 2025-10-06 04:43:36 | cybersecuritynews.com


A zero-day vulnerability in the Zimbra Collaboration Suite (ZCS), identified as CVE-2025-27915, has been exploited in targeted attacks using weaponized iCalendar files. This stored cross-site scripting (XSS) flaw allows attackers to steal sensitive data from victims' email accounts.

A zero-day vulnerability in the Zimbra Collaboration Suite (ZCS) was actively exploited in targeted attacks earlier in 2025. The flaw, identified as CVE-2025-27915, is a stored cross-site scripting (XSS) vulnerability that attackers leveraged by sending weaponized iCalendar (.ICS) files to steal sensitive data from victims’ email accounts. The attacks were first identified by StrikeReady, which began monitoring for unusually large iCalendar files that contained JavaScript.

One notable attack targeted Brazil’s military: an attacker operating from the IP address 193.29.58.37 spoofed the Libyan Navy’s Office of Protocol to deliver the then-unknown exploit. The core of the issue lies in Zimbra’s Classic Web Client, which failed to properly sanitize HTML content embedded in iCalendar files. This allowed threat actors to place malicious JavaScript inside a .ICS attachment. When a user opened an email containing the malicious calendar entry, the script executed within the user’s active session.

Although XSS vulnerabilities are often considered less severe than remote code execution (RCE) flaws, this one proved highly effective. It let attackers run arbitrary JavaScript in the victim’s authenticated webmail session and perform unauthorized actions, including data exfiltration and session hijacking, without the user’s knowledge. Zimbra addressed the vulnerability on January 27, 2025, by releasing patches (versions 9.0.0 P44, 10.0.13, and 10.1.5), though evidence shows the exploit was used before the fix was available.
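A defender-side check in the spirit of the monitoring described above, added here as an illustration and not StrikeReady’s or Zimbra’s code: it unfolds RFC 5545 continuation lines before scanning, so a script tag split across folded lines is still caught, and it flags unusually large .ICS files. The sample calendar, the size threshold and the marker list are constructed assumptions.

```python
import re

# Constructed sample .ICS (not the real attack file): the HTML description
# carries a <script> tag folded across two lines, as RFC 5545 permits, so a
# naive one-line grep for "<script" would miss it.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-sample-1\r\n"
    "SUMMARY:Meeting\r\n"
    "X-ALT-DESC;FMTTYPE=text/html:<html><body>Agenda<scr\r\n"
    " ipt>/* constructed placeholder */</script></body></html>\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Markers of active HTML that has no business inside a calendar property
# (assumed list; extend to taste).
ACTIVE_HTML = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*iframe\b|<\s*svg\b",
    re.IGNORECASE,
)


def unfold(ics_text: str) -> list:
    """Join RFC 5545 folded lines (a continuation starts with SPACE or TAB)."""
    lines = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def suspicious_properties(ics_text: str, size_threshold: int = 64 * 1024) -> dict:
    """Report whether the file is oversized and which properties carry active HTML."""
    findings = {"oversized": len(ics_text) > size_threshold, "active_html": []}
    for line in unfold(ics_text):
        name, _, value = line.partition(":")
        if ACTIVE_HTML.search(value):
            # Strip parameters: "X-ALT-DESC;FMTTYPE=text/html" -> "X-ALT-DESC"
            findings["active_html"].append(name.split(";")[0].upper())
    return findings
```

In practice the check would run on attachments at the mail gateway, with the size threshold tuned to the organisation’s normal calendar traffic.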

A Comprehensive Data-Stealing Payload

The JavaScript payload delivered through the exploit is a sophisticated data stealer designed specifically for Zimbra webmail. Its capabilities include:

  • Credential Theft: It creates hidden form fields to capture usernames and passwords from login pages.
  • Data Exfiltration: The script is programmed to steal a wide array of information, including emails, contacts, distribution lists, shared folders, scratch codes, and trusted device information.
  • Email Forwarding: The malware adds a malicious email filter rule named “Correo” to automatically forward the victim’s emails to an external address, [email protected].
  • Evasion Techniques: To avoid detection, the script employs a 60-second delay before execution, limits its execution to once every three days, and hides user interface elements to conceal its activity.

While direct attribution remains unconfirmed, researchers note the tactics are similar to those used by a prolific Russian-linked threat actor and the group UNC1151, which has been linked to the Belarusian government. This incident underscores the significant threat posed by XSS vulnerabilities in enterprise environments and the importance of applying security patches promptly.