Full Report
Researchers monitoring for larger .ICS calendar attachments found that a flaw in Zimbra Collaboration Suite (ZCS) was used in zero-day attacks at the beginning of the year. [...]
Analysis Summary
# Vulnerability: Cross-Site Scripting (XSS) in Zimbra Collaboration Suite via ICS Files
## CVE Details
- CVE ID: CVE-2025-27915
- CVSS Score: N/A (Severity not explicitly given, but exploitation implies High)
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
## Affected Systems
- Products: Zimbra Collaboration Suite (ZCS)
- Versions: ZCS 9.0, 10.0, and 10.1 (releases prior to the patched versions listed under Remediation)
- Configurations: Any configuration processing calendar/scheduling information delivered via specially crafted `.ICS` (iCalendar) files.
## Vulnerability Description
The vulnerability is a Cross-Site Scripting (XSS) flaw in Zimbra Collaboration Suite caused by insufficient sanitization of HTML content embedded in attached ICS files. An attacker can craft a malicious ICS file carrying an arbitrary, obfuscated JavaScript payload. When the victim processes the file (most likely by opening or previewing it in the Zimbra web interface), the script executes in the victim's session context.
## Exploitation
- Status: Exploited in the wild (Reported as a zero-day attack at the beginning of January 2025, prior to patch release).
- Complexity: Implied Low/Medium (Leverages file processing mechanism, but requires obfuscation/payload tailoring).
- Attack Vector: Network (Via malicious email attachment).
### Impact
The executed JavaScript payload is designed for extensive data theft and persistence, including:
- Stealing credentials from login forms.
- Monitoring user activity (mouse/keyboard).
- Using the Zimbra SOAP API to search folders and exfiltrate emails, contacts, distribution lists, and shared folders.
- Creating a filter named "Correo" to forward mail to an attacker-controlled Proton address.
- Exfiltrating collected artifacts every 4 hours.
- Hiding UI elements and enforcing execution gates to evade detection.
- Confidentiality: High (Theft of credentials, emails, contacts).
- Integrity: Medium (Ability to alter email filters).
- Availability: Low (Primary goal appears to be theft, not destruction/denial).
## Remediation
### Patches
Zimbra addressed this vulnerability on January 27, 2025, with the following releases:
- ZCS 9.0.0 P44
- ZCS 10.0.13
- ZCS 10.1.5
### Workarounds
No specific temporary workarounds were detailed in the summary, but implied general mitigation steps include:
- Blocking or isolating attachment processing for `.ICS` files from untrusted sources.
- Disabling rendering of external/embedded HTML content within calendar exports until patched.
## Detection
- Indicators of Compromise (IOCs): Attackers used obfuscated JavaScript payloads within ICS files, often using Base64 encoding within the payload structure.
- Detection methods and tools: Monitor outbound traffic to external email addresses (such as Proton accounts) that originates from the Zimbra server or from user sessions, and correlate it with the processing of large (`>10KB`) ICS/calendar attachments that contain embedded JavaScript or unusual encoding patterns. Researchers also published IOCs on GitHub.
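One defender-side way to apply the detection guidance above, as an added example that is not code from the page, from Zimbra or from the StrikeReady research: scan incoming `.ICS` attachments for the size threshold and for embedded script markers or long Base64 runs, after undoing iCalendar line folding. The sample ICS inputs are constructed here; the 10 KB threshold follows the report, while the marker patterns and the Base64 run length are assumptions chosen for illustration.

```python
import base64
import re

# Heuristic scanner for suspicious .ICS attachments. Added example; not code from
# the page, from Zimbra, or from the researchers' published tooling. The 10 KB
# threshold follows the size hint in the report; the marker patterns and the
# Base64 run length are assumptions chosen for illustration.
SIZE_THRESHOLD = 10 * 1024

SCRIPT_MARKERS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
    re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),            # inline event handlers
    re.compile(r"<\s*(iframe|object|embed|svg)\b", re.IGNORECASE),
]
# A long unbroken run of Base64 alphabet characters inside a text property.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
SCRIPT_BYTES = (b"<script", b"javascript:", b"function", b"eval(")


def unfold_ics(raw: str) -> str:
    """Undo RFC 5545 line folding: a line break followed by a space or tab
    continues the previous line. Scanning folded text line by line would miss
    markers that are split across the fold."""
    return re.sub(r"\r?\n[ \t]", "", raw)


def scan_ics(raw: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if len(raw) > SIZE_THRESHOLD:
        findings.append(f"size {len(raw)} bytes exceeds {SIZE_THRESHOLD}")
    text = unfold_ics(raw.decode("utf-8", errors="replace"))
    for pat in SCRIPT_MARKERS:
        if pat.search(text):
            findings.append(f"script marker matched: {pat.pattern}")
    for match in BASE64_RUN.finditer(text):
        core = match.group(0).rstrip("=")
        try:
            decoded = base64.b64decode(core + "=" * (-len(core) % 4))
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if any(marker in decoded.lower() for marker in SCRIPT_BYTES):
            findings.append("base64 blob decodes to script-like content")
            break
    return findings


# Constructed samples (not real attachments). BENIGN is a plain meeting invite.
BENIGN_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//constructed//EN\r\n"
    "BEGIN:VEVENT\r\nUID:constructed-1@example.invalid\r\n"
    "DTSTART:20250115T100000Z\r\nDTEND:20250115T110000Z\r\n"
    "SUMMARY:Team sync\r\nDESCRIPTION:Agenda: roadmap review\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
).encode()

# SUSPICIOUS carries an HTML alternate description with a script tag that is
# folded across two lines, so the marker only appears after unfolding.
SUSPICIOUS_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//constructed//EN\r\n"
    "BEGIN:VEVENT\r\nUID:constructed-2@example.invalid\r\n"
    "DTSTART:20250115T100000Z\r\nSUMMARY:Invoice\r\n"
    "X-ALT-DESC;FMTTYPE=text/html:<html><body>Please review<sc\r\n "
    "ript>/* constructed marker */</script></body></html>\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
).encode()


def _folded_base64_ics() -> bytes:
    """Build a sample whose description is a Base64 blob of script-like text,
    folded at 70 characters as a real producer would."""
    blob = base64.b64encode(b"<script>/*" + b"x" * 160 + b"*/</script>").decode()
    folded = "\r\n ".join(blob[i:i + 70] for i in range(0, len(blob), 70))
    return (
        "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//constructed//EN\r\n"
        "BEGIN:VEVENT\r\nUID:constructed-3@example.invalid\r\n"
        "DTSTART:20250115T100000Z\r\nSUMMARY:Update\r\n"
        "DESCRIPTION:" + folded + "\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
    ).encode()


ENCODED_ICS = _folded_base64_ics()

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_ICS), ("suspicious", SUSPICIOUS_ICS),
                         ("encoded", ENCODED_ICS)):
        print(name, scan_ics(sample) or "clean")
```

Unfolding matters because RFC 5545 lets producers wrap long property values across lines, so a marker can straddle a fold and defeat a line-oriented grep; the Base64 check only decodes runs long enough to plausibly carry a payload rather than a short token. Treat the findings as triage input for a mail-gateway or SIEM rule, not as a verdict on their own.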
## References
- Vendor Advisory: zimbra dot com/wiki/Zimbra_Releases/10.1.5#Security_Fixes
- Research Analysis: strikeready dot com/blog/0day-ics-attack-in-the-wild/
- IOCs: github dot com/StrikeReady-Inc/research/tree/main/2025-09-29%20ics%200day
- Related TTP Mention: cloud dot google dot com/blog/topics/threat-intelligence/unc1151-linked-to-belarus-government/