CyberMaterial

Hackers Exploit Zimbra Zero Day Flaw

October 6, 2025

A newly discovered zero-day vulnerability in Zimbra’s Collaboration Suite (ZCS) was recently exploited in targeted attacks. The attacks, which began in early January, leveraged a flaw in how the software processes iCalendar (.ICS) files, a common format for sharing calendar and scheduling information. By embedding a malicious JavaScript payload within a seemingly benign calendar attachment, attackers were able to execute code within a victim’s webmail session.

This cross-site scripting (XSS) vulnerability, tracked as CVE-2025-27915, existed due to insufficient sanitization of HTML content within these .ICS files. It allowed attackers to perform a range of malicious actions, including stealing user credentials, emails, and contacts, as well as setting up mail filters to forward new messages to an attacker-controlled address. Although Zimbra released patches on January 27, it did not acknowledge any active exploitation at the time.

However, security researchers at StrikeReady were able to uncover the attacks by specifically monitoring for .ICS files larger than 10KB that contained JavaScript code. They discovered that a threat actor had spoofed a Libyan Navy email to deliver the exploit to a Brazilian military organization. The malicious file was just over 10KB and used obfuscated JavaScript code to avoid detection. The payload was designed to execute asynchronously and perform various actions, like creating hidden login fields to steal credentials and using the Zimbra SOAP API to retrieve emails.
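The StrikeReady detection approach described above (flag .ICS attachments over 10KB that carry JavaScript) can be turned into a simple mail-gateway or DFIR triage check. The following is an added example written for this article, not StrikeReady's or Zimbra's code; the sample .ICS attachments are constructed here for illustration, the 10KB threshold is the one quoted in the text, and the indicator patterns are heuristics. It also handles a real-world wrinkle the article does not mention: iCalendar (RFC 5545) folds long lines at 75 octets and continues them with a leading space, so a naive per-line grep for `<script` can miss a tag that straddles a fold; the scanner unfolds the file before matching.

```python
import re

# RFC 5545 line folding: a CRLF followed by a single space or tab continues the
# previous content line. Undo it before pattern matching so tokens split by a
# fold (e.g. "<sc" / " ript>") are seen whole.
FOLD_RE = re.compile(r"\r?\n[ \t]")

def unfold(text: str) -> str:
    return FOLD_RE.sub("", text)

def fold_line(line: str, width: int = 75) -> str:
    """Fold one content line the way RFC 5545 producers do (used only to build samples)."""
    out = []
    while len(line) > width:
        out.append(line[:width])
        line = " " + line[width:]
    out.append(line)
    return "\r\n".join(out)

# Heuristic indicators of active content inside an .ICS text field. Names are
# this example's own labels, not a vendor taxonomy.
JS_INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "inline_event_handler": re.compile(r"\bon[a-z]{3,}\s*=", re.I),
    "iframe_or_object": re.compile(r"<\s*(iframe|object|embed)\b", re.I),
}

def scan_ics(data: bytes, size_threshold: int = 10 * 1024) -> dict:
    """Apply the size-plus-JavaScript rule from the article to one attachment."""
    text = data.decode("utf-8", errors="replace")
    unfolded = unfold(text)
    hits = sorted(name for name, rx in JS_INDICATORS.items() if rx.search(unfolded))
    over = len(data) > size_threshold
    return {
        "size": len(data),
        "over_threshold": over,
        "indicators": hits,
        "alert": over and bool(hits),   # the rule as described: large AND scripted
    }

def naive_physical_line_scan(data: bytes) -> bool:
    """Per-physical-line grep for contrast: misses a tag split across a fold."""
    text = data.decode("utf-8", errors="replace")
    return any(JS_INDICATORS["script_tag"].search(line) for line in text.splitlines())

def triage(attachments: dict) -> list:
    """Return the names of attachments that trip the rule."""
    return [name for name, data in attachments.items() if scan_ics(data)["alert"]]

def build_sample_ics(body_html: str, pad_bytes: int) -> bytes:
    """Constructed sample (not a captured file): an event whose DESCRIPTION carries
    HTML, padded with an X- property so the attachment can cross the size threshold."""
    lines = [
        "BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//example//constructed sample//EN",
        "BEGIN:VEVENT", "UID:sample-1@example.invalid", "DTSTAMP:20250101T000000Z",
        "SUMMARY:Meeting",
        fold_line("DESCRIPTION:" + body_html),
        fold_line("X-PADDING:" + "A" * pad_bytes),
        "END:VEVENT", "END:VCALENDAR",
    ]
    return ("\r\n".join(lines) + "\r\n").encode()

# "DESCRIPTION:" (12) + "<html><body>" (12) + 48 filler chars = 72, so "<script>"
# lands on the 75-octet fold boundary and is split into "<sc" / " ript>".
SPLIT_SCRIPT_HTML = ("<html><body>" + "x" * 48
                     + "<script>/* placeholder, not a real payload */</script></body></html>")

SAMPLES = {
    "benign.ics": build_sample_ics("<p>Agenda attached.</p>", 0),
    "folded-script-large.ics": build_sample_ics(SPLIT_SCRIPT_HTML, 10_500),
    "folded-script-small.ics": build_sample_ics(SPLIT_SCRIPT_HTML, 0),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, scan_ics(data))
    print("alerts:", triage(SAMPLES))
```

The third sample is deliberately scripted but small: it shows that the 10KB gate trades recall for precision, so a hunting query that already handles folding may want to drop the size condition and instead rank by indicator count.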

The researchers’ analysis revealed that the malicious code was highly sophisticated, incorporating a number of tactics to ensure a stealthy and persistent presence. It had the ability to monitor user activity, exfiltrate contacts and shared folders, and even hide certain user interface elements to avoid detection. The code also included a 60-second delay before execution and an execution gate that prevented it from running again for three days, further aiding its evasion efforts.

While StrikeReady couldn’t definitively attribute the attack to a specific group, they noted that the use of a zero-day exploit suggests the involvement of a highly skilled threat actor. They also pointed out that some of the tactics, techniques, and procedures (TTPs) observed in the attack were similar to those used by UNC1151, a group reportedly linked to the Belarusian government. Following the discovery, Zimbra acknowledged the issue and advised users to update their software, review mail filters for unauthorized changes, and monitor for suspicious network activity.

Reference:

  • Hackers Exploit Zimbra Zero Day via Malicious iCalendar Files