Zimbra Zero-Day Vulnerability Exploited to Target Brazilian Military via Malicious ICS Files

In early 2025, a critical security flaw in Zimbra Collaboration Suite was exploited as a zero-day vulnerability in cyberattacks targeting the Brazilian military. The vulnerability, tracked as CVE-2025-27915 with a CVSS score of 5.4, is a stored cross-site scripting (XSS) issue in the Classic Web Client. It stems from inadequate sanitization of HTML content inside ICS calendar files, which allows arbitrary JavaScript to execute in the victim's browser session.

When a user views an email containing a malicious ICS entry, the embedded JavaScript runs through an `ontoggle` event handler on a `<details>` tag in the rendered calendar content. Because the script executes inside the victim's authenticated session, an attacker can act as that user, for example by adding an email filter that forwards messages to an attacker-controlled address, which enables both mail redirection and data exfiltration from the account.
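As an added, defender-side illustration (not from the original report or from Zimbra's own code): a gateway-style check that unfolds an ICS file per RFC 5545 and flags description properties carrying inline event-handler attributes or active HTML tags, with a fallback that strips them before rendering. The sample invite is constructed, and the assumption that HTML descriptions arrive in `DESCRIPTION` or `X-ALT-DESC` is mine, not the page's.

```python
import re

# Constructed sample invite (not the real attack file): an HTML description
# carrying a details/ontoggle handler, with one RFC 5545 folded line.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "UID:demo-1\r\nSUMMARY:Protocol meeting\r\n"
    "X-ALT-DESC;FMTTYPE=text/html:<html><body>Agenda<details open\r\n"
    "  ontoggle=\"/*payload*/\">x</details></body></html>\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

# Properties assumed to carry free-form (possibly HTML) text.
TEXT_PROPS = ("DESCRIPTION", "X-ALT-DESC", "SUMMARY", "LOCATION")
# Any on*= attribute inside a tag, and tags that should never appear in
# an invite; <details> is listed because its toggle handler is the vector here.
EVENT_ATTR = re.compile(r"<[^>]*\son[a-z]+\s*=", re.I)
ACTIVE_TAG = re.compile(r"<\s*(script|iframe|object|embed|svg|details)\b", re.I)

def unfold(ics: str) -> list[str]:
    """Join folded lines: a CRLF followed by one space or tab is a continuation."""
    return re.sub(r"\r?\n[ \t]", "", ics).splitlines()

def find_html_risks(ics: str) -> list[tuple[str, str]]:
    """Return (property, reason) pairs for text fields carrying active HTML.
    An empty list means nothing suspicious was found."""
    findings = []
    for line in unfold(ics):
        name, sep, value = line.partition(":")
        prop = name.split(";")[0].upper()   # drop parameters such as FMTTYPE
        if not sep or prop not in TEXT_PROPS:
            continue
        if EVENT_ATTR.search(value):
            findings.append((prop, "inline event handler attribute"))
        tag = ACTIVE_TAG.search(value)
        if tag:
            findings.append((prop, f"<{tag.group(1).lower()}> tag"))
    return findings

def strip_active_html(html: str) -> str:
    """Fallback sanitizer: remove on* attributes and active tags so the
    description renders as inert markup only."""
    html = re.sub(r"\son[a-z]+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", "", html, flags=re.I)
    return re.sub(r"<\s*/?\s*(script|iframe|object|embed|svg|details)\b[^>]*>", "", html, flags=re.I)

if __name__ == "__main__":
    for prop, why in find_html_risks(SAMPLE_ICS):
        print(f"{prop}: {why}")
```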

Zimbra addressed this vulnerability in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5, released on January 27, 2025. The advisory did not mention any real-world exploitation at that time.

However, a report published by StrikeReady Labs on September 30, 2025, revealed that unknown threat actors spoofed the Libyan Navy’s Office of Protocol to target the Brazilian military using malicious ICS files exploiting this flaw. The ICS file contained JavaScript code designed as a comprehensive data stealer, siphoning credentials, emails, contacts, and shared folders to an external server (ffrk[.]net). It also searched for emails in a specific folder and added malicious Zimbra email filter rules named Correo to forward messages to [email protected].

To evade detection, the script was crafted to hide certain user interface elements and activate only if more than three days had passed since its last execution.

The identity of the attackers remains unclear. Earlier in 2025, ESET revealed that the Russian threat actor known as APT28 had exploited XSS vulnerabilities in various webmail solutions, including Roundcube, Horde, MDaemon, and Zimbra, to gain unauthorized access. Similar tactics have been employed by other hacking groups like Winter Vivern and UNC1151 (also known as Ghostwriter) to facilitate credential theft.