In early 2025, a critical zero-day vulnerability in the Zimbra Collaboration Suite (ZCS) was actively exploited in targeted cyberattacks. This flaw, designated CVE-2025-27915, is a stored cross-site scripting (XSS) vulnerability that attackers exploited by sending malicious iCalendar (.ICS) files in order to extract sensitive data from victims’ email accounts.
Discovery and Initial Attacks
The cybersecurity firm StrikeReady first identified these attacks, noting the presence of unusually large iCalendar files embedded with JavaScript. A particularly notable incident involved an attack on Brazil’s military. In this case, an attacker operating from the IP address 193.29.58.37 impersonated the Libyan Navy’s Office of Protocol to deliver the exploit.
Technical Details of the Vulnerability
The root cause of this vulnerability lies in Zimbra’s Classic Web Client, which failed to adequately sanitize HTML content within iCalendar files. This oversight allowed threat actors to embed malicious JavaScript code inside a `.ICS` attachment. When a user opened an email containing the compromised calendar entry, the script would execute within the user’s active session.
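Because the root cause is unsanitized HTML inside calendar text fields, a mail gateway or incident responder can triage .ICS attachments before they reach the web client. The following is an added example (not code from Zimbra or StrikeReady) that unfolds RFC 5545 continuation lines so a tag split across a fold is not missed, unescapes property values, and flags active-content markers and oversized files; the sample invite, the 64 KB size threshold and the marker list are constructed assumptions for illustration.

```python
import re

# Constructed sample invite: the DESCRIPTION carries an HTML script tag that is
# split across an RFC 5545 line fold (CRLF + space), which defeats naive grep.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Protocol meeting\r\n"
    "DESCRIPTION:Agenda attached. <scr\r\n"
    " ipt>alert(1)</script>\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Heuristic markers of active content inside a text property (assumed list).
MARKERS = re.compile(
    r"<\s*(script|iframe|object|embed)\b|\bon(load|error|click|mouseover|focus)\s*=|javascript:",
    re.IGNORECASE,
)


def unfold(ics_text: str) -> list:
    """Undo RFC 5545 line folding: a line starting with SPACE or TAB continues
    the previous content line."""
    out = []
    for line in ics_text.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and out:
            out[-1] += line[1:]
        elif line:
            out.append(line)
    return out


def unescape(value: str) -> str:
    """Reverse RFC 5545 TEXT escaping so reassembled values can be inspected."""
    return (value.replace("\\n", "\n").replace("\\N", "\n")
                 .replace("\\,", ",").replace("\\;", ";").replace("\\\\", "\\"))


def scan_ics(ics_text: str, size_limit: int = 64 * 1024) -> dict:
    """Return findings for an iCalendar body: oversized file (the attacks used
    unusually large .ICS files) or active-content markers in any property."""
    findings = []
    size = len(ics_text.encode("utf-8"))
    if size > size_limit:
        findings.append(f"oversized: {size} bytes > {size_limit}")
    for line in unfold(ics_text):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        prop = name.split(";")[0].upper()  # drop parameters such as ;ALTREP=
        match = MARKERS.search(unescape(value))
        if match:
            findings.append(f"{prop}: active-content marker {match.group(0)!r}")
    return {"suspicious": bool(findings), "findings": findings}
```

Run the scanner on attachments at the gateway or over a mailbox export; a hit on DESCRIPTION, X-ALT-DESC or similar text properties is a reason to quarantine the invite and review the recipient's session activity.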
While XSS vulnerabilities are often perceived as less severe than remote code execution (RCE) flaws, this particular exploit proved highly effective. It enabled attackers to execute arbitrary code, perform unauthorized actions, and exfiltrate data without the user’s knowledge.
Zimbra’s Response and Patch Release
Zimbra addressed this vulnerability on January 27, 2025, by releasing patches for versions 9.0.0 P44, 10.0.13, and 10.1.5. However, evidence indicates that the exploit was in use before these fixes became available.
Comprehensive Data-Stealing Payload
The JavaScript payload delivered through this exploit was a sophisticated data stealer specifically designed for Zimbra webmail. Its capabilities included:
– Credential Theft: The script created hidden form fields to capture usernames and passwords from login pages.
– Data Exfiltration: It was programmed to steal a wide array of information, including emails, contacts, distribution lists, shared folders, scratch codes, and trusted device information. The stolen data was then sent to an attacker-controlled server at `https://ffrk.net/apache2_config_default_51_2_1`.
– Activity Monitoring: The script monitored user activity and, if a user was inactive, triggered data theft before logging them out.
– Email Forwarding: The malware added a malicious email filter rule named Correo to automatically forward the victim’s emails to an external address, `[email protected]`.
– Evasion Techniques: To avoid detection, the script employed a 60-second delay before execution, limited its execution to once every three days, and hid user interface elements to conceal its activity.
Potential Attribution
While direct attribution remains unconfirmed, researchers have noted that the tactics used in these attacks are similar to those employed by a prolific Russian-linked threat actor and the group UNC1151, which has been associated with the Belarusian government.
Implications and Recommendations
This incident underscores the significant threat posed by XSS vulnerabilities in enterprise environments. It highlights the importance of promptly applying security patches to mitigate potential exploits.
Organizations using Zimbra Collaboration Suite should ensure that they have applied the latest patches to protect against this vulnerability. Additionally, users should exercise caution when opening calendar invitations or other attachments from unknown or untrusted sources.
Regular security audits and user education on recognizing phishing attempts can further enhance an organization’s defense against such sophisticated attacks.