Full Report
A now-patched security vulnerability in Zimbra Collaboration was exploited as a zero-day earlier this year in cyber attacks targeting the Brazilian military. Tracked as CVE-2025-27915 (CVSS score: 5.4), the vulnerability is a stored cross-site scripting (XSS) vulnerability in the Classic Web Client that arises as a result of insufficient sanitization of HTML content in ICS calendar files,
Analysis Summary
# Vulnerability: Stored XSS in Zimbra via Malicious ICS Calendar Files
## CVE Details
- CVE ID: CVE-2025-27915
- CVSS Score: 5.4 (Medium)
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
## Affected Systems
- Products: Zimbra Collaboration (ZCS)
- Versions: prior to 9.0.0 Patch 44, 10.0.13, and 10.1.5.
- Configurations: Any configuration where users process email containing crafted ICS calendar entries within the Classic Web Client.
## Vulnerability Description
This is a stored Cross-Site Scripting (XSS) vulnerability residing in the Classic Web Client of Zimbra Collaboration. It occurs due to insufficient sanitization of HTML content embedded within ICS (iCalendar) calendar files. When a user opens an email containing a malicious ICS entry, the embedded JavaScript executes via an `ontoggle` event handler carried in an HTML element. This allows an attacker to run arbitrary JavaScript within the context of the victim's authenticated session.
## Exploitation
- Status: Exploited in the wild (Reported targeting the Brazilian military using ICS files disguised as official communications, spoofing the Libyan Navy's Office of Protocol).
- Complexity: Implied Low/Medium (Requires user interaction to view the malicious email).
- Attack Vector: Network (Delivered via email).
## Impact
- Confidentiality: High (Allows for credential theft, email exfiltration, and reading mailbox contents).
- Integrity: High (Allows attackers to set unauthorized email filters for redirection and perform unauthorized actions on the victim's account).
- Availability: Low/Medium (Potential for session disruption, though primary goal seems to be espionage/data theft).
## Remediation
### Patches
The following versions include fixes for this vulnerability:
* Zimbra Collaboration Suite (ZCS) **9.0.0 Patch 44**
* Zimbra Collaboration Suite (ZCS) **10.0.13**
* Zimbra Collaboration Suite (ZCS) **10.1.5**
### Workarounds
The article does not explicitly list vendor-provided workarounds, but given the nature of the flaw (ICS sanitization), users who cannot immediately patch should consider disabling or restricting the automatic rendering/parsing of potentially dangerous calendar file types within the email client until the patch can be applied.
## Detection
- **Indicators of Compromise (IOCs):** The reported in-the-wild exploit included logic to exfiltrate data to an external server (`ffrk[.]net`) and set up forwarding filter rules named "Correo" to an address like `[email protected]`. Monitor for these indicators.
- **Detection Methods and Tools:** Monitor mail server logs and application traffic for unusual POST requests or sessions indicating data exfiltration following interaction with emailed ICS files. Look for the creation of new, unexpected email filter rules on user accounts.
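To make the detection guidance above concrete, here is an added example (not code from the vendor or from the cited reports) that unfolds an ICS file per RFC 5545, undoes iCalendar text escaping, and flags calendar text properties carrying inline event handlers, script tags or `javascript:` URLs; the property list and the sample invites are constructed assumptions.

```python
import re

# Calendar text properties the mail client renders into the HTML view (assumed list).
TEXT_PROPS = ("DESCRIPTION", "X-ALT-DESC", "SUMMARY", "LOCATION", "COMMENT")

# Markup that must never survive sanitization of calendar text.
SUSPECT = [
    ("inline event handler", re.compile(r"<[^>]*\son[a-z]+\s*=", re.I | re.S)),
    ("script element", re.compile(r"<\s*script\b", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
]

def unfold(ics: str) -> list[str]:
    """Undo RFC 5545 line folding: a line starting with SPACE or TAB continues the previous one."""
    lines: list[str] = []
    for raw in ics.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def unescape(value: str) -> str:
    r"""Undo iCalendar TEXT escaping (\n, \, \; and \\) so encoded markup becomes visible."""
    return re.sub(r"\\([\\;,nN])", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def scan_ics(ics: str) -> list[tuple[str, str]]:
    """Return (property, reason) pairs for each text property that carries active HTML."""
    findings: list[tuple[str, str]] = []
    for line in unfold(ics):
        name_params, sep, value = line.partition(":")
        if not sep:
            continue
        prop = name_params.split(";", 1)[0].upper()  # drop parameters such as FMTTYPE=text/html
        if prop in TEXT_PROPS:
            text = unescape(value)
            findings.extend((prop, reason) for reason, pat in SUSPECT if pat.search(text))
    return findings

# Constructed samples, not taken from the real campaign: a benign invite, and one whose HTML
# description carries an event handler folded across two lines (a naive grep would miss it).
BENIGN_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "BEGIN:VEVENT", "SUMMARY:Quarterly review",
    "DESCRIPTION:Agenda attached\\, see room booking.", "END:VEVENT", "END:VCALENDAR"])

SUSPECT_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "BEGIN:VEVENT", "SUMMARY:Official communication",
    "X-ALT-DESC;FMTTYPE=text/html:<html><body><span onmouse",
    " over=\"x()\">Open</span></body></html>", "END:VEVENT", "END:VCALENDAR"])
```

Run `scan_ics` over ICS attachments at the mail gateway or in a mailbox sweep; any non-empty result is worth quarantining and reviewing alongside the user's filter rules.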
## References
- Vendor release notes (security fixes, 9.0.0 Patch 44): hxxps://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P44#Security_Fixes
- Vendor release notes (security fixes, 10.0.13): hxxps://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.13#Security_Fixes
- Vendor release notes (security fixes, 10.1.5): hxxps://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.5#Security_Fixes
- NVD Details: hxxps://nvd.nist.gov/vuln/detail/CVE-2025-27915
- In-the-Wild Report: hxxps://strikeready.com/blog/0day-ics-attack-in-the-wild/