A newly discovered zero-day vulnerability in Zimbra’s Collaboration Suite (ZCS) was recently exploited in targeted attacks. The attacks, which began in early January, leveraged a flaw in how the software processes iCalendar (.ICS) files, a common format for sharing calendar and scheduling information. By embedding a malicious JavaScript payload within a seemingly benign calendar attachment, attackers were able to execute code within a victim’s webmail session.
This cross-site scripting (XSS) vulnerability, tracked as CVE-2025-27915, existed due to insufficient sanitization of HTML content within these .ICS files. It allowed attackers to perform a range of malicious actions, including stealing user credentials, emails, and contacts, as well as setting up mail filters to forward new messages to an attacker-controlled address. Although Zimbra released patches on January 27, it did not acknowledge any active exploitation at the time.
However, security researchers at StrikeReady were able to uncover the attacks by specifically monitoring for .ICS files larger than 10KB that contained JavaScript code. They discovered that a threat actor had spoofed a Libyan Navy email address to deliver the exploit to a Brazilian military organization. The malicious file was just over 10KB and used obfuscated JavaScript to avoid detection. The payload was designed to execute asynchronously and perform various actions, such as creating hidden login fields to steal credentials and using the Zimbra SOAP API to retrieve emails.
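The hunting heuristic described above (oversized .ICS attachments carrying script content) is easy to reproduce as a first-pass triage check. The script below is an added example, not StrikeReady's tooling or Zimbra code: it unfolds RFC 5545 content lines, inspects the text and HTML properties of each event for active-content markers, and reports whether a file matches the "larger than 10KB and contains JavaScript" rule. Both calendar samples are constructed inline for illustration; the marker in the suspicious one is an inert `<script>` tag, not a payload.

```python
import re

# Markers of active content inside calendar text/HTML properties.
SCRIPT_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon(load|error|click|mouseover|focus|blur|input|change|submit)\s*=", re.I),
    re.compile(r"<\s*(iframe|object|embed)\b", re.I),
]

# Properties that commonly carry free text or HTML and are rendered by webmail clients.
HTML_PROPS = ("DESCRIPTION", "X-ALT-DESC", "SUMMARY", "LOCATION", "COMMENT")


def unfold(ics_text):
    """Join RFC 5545 folded lines: a continuation line starts with a space or tab."""
    lines = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def properties(ics_text):
    """Yield (NAME, [params], value) for every content line in the calendar."""
    for line in unfold(ics_text):
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        name, *params = head.split(";")
        yield name.upper(), params, value


def scan_ics(ics_text, size_threshold=10 * 1024):
    """Apply the size-plus-script heuristic to one .ICS file's text."""
    size = len(ics_text.encode("utf-8"))
    hits = []
    for name, _params, value in properties(ics_text):
        if name not in HTML_PROPS:
            continue
        for pat in SCRIPT_PATTERNS:
            if pat.search(value):
                hits.append((name, pat.pattern))
                break  # one indicator per property is enough for triage
    oversized = size > size_threshold
    return {
        "size_bytes": size,
        "oversized": oversized,
        "script_indicators": hits,
        "suspicious": bool(hits),            # any active content in a calendar is worth a look
        "hunt_match": oversized and bool(hits),  # the narrower rule used in the reported hunt
    }


# Constructed sample: an ordinary invitation with plain-text fields.
BENIGN_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//constructed sample//EN
BEGIN:VEVENT
UID:benign-001@example.invalid
DTSTAMP:20250115T090000Z
DTSTART:20250120T100000Z
SUMMARY:Quarterly planning
DESCRIPTION:Agenda attached. Please confirm attendance.
END:VEVENT
END:VCALENDAR
"""

# Constructed sample: an HTML alternate description with an inert script tag,
# padded past 10KB with filler so it also trips the size threshold.
SUSPICIOUS_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//constructed sample//EN\r\n"
    "BEGIN:VEVENT\r\nUID:sus-001@example.invalid\r\n"
    "DTSTAMP:20250115T090000Z\r\nDTSTART:20250120T100000Z\r\n"
    "SUMMARY:Logistics coordination\r\n"
    "X-ALT-DESC;FMTTYPE=text/html:<html><body><p>Agenda</p>"
    "<script>/* constructed marker, no payload */</script></body></html>\r\n"
    "DESCRIPTION:" + ("Routine scheduling text. " * 500) + "\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_ICS), ("suspicious", SUSPICIOUS_ICS)):
        result = scan_ics(sample)
        print(f"{label}: {result['size_bytes']} bytes, hunt_match={result['hunt_match']}, "
              f"indicators={result['script_indicators']}")
```

The size threshold is a hunting convenience rather than a security boundary, so `suspicious` is raised on any script indicator and `hunt_match` is kept separate for reproducing the narrower rule; in a mail-gateway or SIEM pipeline the same function can run over every attachment with `Content-Type: text/calendar`.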
The researchers’ analysis revealed that the malicious code was highly sophisticated, incorporating a number of tactics to ensure a stealthy and persistent presence. It had the ability to monitor user activity, exfiltrate contacts and shared folders, and even hide certain user interface elements to avoid detection. The code also included a 60-second delay before execution and an execution gate that prevented it from running again for three days, further aiding its evasion efforts.
While StrikeReady couldn’t definitively attribute the attack to a specific group, they noted that the exploitation of a zero-day vulnerability suggests the involvement of a highly skilled threat actor. They also pointed out that some of the tactics, techniques, and procedures (TTPs) observed in the attack were similar to those used by UNC1151, a group reportedly linked to the Belarusian government. Following the discovery, Zimbra acknowledged the issue and advised users to update their software, review mail filters for unauthorized changes, and monitor for suspicious network activity.