Zimbra Zero-Day Exploited via Malicious ICS Files Targeting Brazilian Military
A critical security vulnerability in Zimbra Collaboration Suite, tracked as CVE-2025-27915, was exploited as a zero-day in targeted cyberattacks against the Brazilian military. The flaw, a stored cross-site scripting (XSS) vulnerability in the Classic Web Client, resulted from insufficient sanitization of HTML content in ICS (iCalendar) calendar files. Attackers leveraged this vulnerability by sending malicious ICS files embedded with JavaScript code, which executed when a user viewed an email containing the crafted calendar entry. The JavaScript payload enabled arbitrary code execution within the victim's session, allowing attackers to perform unauthorized actions such as setting email filters to redirect messages to attacker-controlled addresses. This facilitated data exfiltration, including the theft of credentials, emails, contacts, and shared folders from compromised Zimbra accounts. The malicious campaign involved threat actors spoofing the Libyan Navy's Office of Protocol to deliver the exploit to Brazilian military targets. The ICS files used in the attack were notably large and contained obfuscated JavaScript, often encoded in Base64 to evade detection. The payload was designed to operate asynchronously and utilized Immediately Invoked Function Expressions (IIFEs) for execution. Researchers at StrikeReady Labs discovered the attack by monitoring for unusually large ICS attachments containing JavaScript. The campaign began at the start of January 2025, prior to Zimbra releasing patches for the vulnerability. Zimbra addressed the issue in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5, released on January 27, 2025, but did not initially disclose that the vulnerability had been exploited in the wild. The attack also included mechanisms to hide certain user interface elements, further reducing the likelihood of detection by end users. The malicious script searched for emails in specific folders and added filter rules named "Correo" to forward messages to a ProtonMail address controlled by the attackers. The exfiltrated data was sent to an external server, ffrk[.]net, under the attackers' control. The exploitation of this vulnerability highlights the risks associated with insufficient input sanitization in webmail platforms and the effectiveness of social engineering tactics, such as spoofing trusted entities. The incident underscores the importance of timely patching and monitoring for anomalous file attachments in email systems. Security researchers recommend organizations using Zimbra Collaboration Suite apply the latest patches and review email filtering rules for signs of compromise. The attack demonstrates the evolving sophistication of threat actors in leveraging zero-day vulnerabilities for targeted espionage campaigns against high-value organizations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CISA adds CVE-2025-27915 to the KEV catalog
CISA added Synacor Zimbra Collaboration Suite flaw CVE-2025-27915 to its Known Exploited Vulnerabilities catalog, formally recognizing active exploitation. The agency required Federal Civilian Executive Branch agencies to remediate the issue by October 28, 2025 under BOD 22-01.
StrikeReady discloses zero-day exploitation details
StrikeReady publicly reported that CVE-2025-27915 had been exploited as a zero-day through malicious .ICS calendar files in attacks against Zimbra users. The researchers described the JavaScript payload, exfiltration to attacker infrastructure including ffrk.net, mailbox enumeration via the Zimbra SOAP API, persistence through forwarding rules, and evasion techniques, while stopping short of firm attribution.
Zimbra patches CVE-2025-27915
Zimbra released a fix for the stored XSS vulnerability CVE-2025-27915 in 2025, after it had already been exploited in the wild. Reports indicate the issue was patched in January 2025, with some coverage specifically citing inclusion in ZCS 10.1.9 released in June 2025.
Brazilian military targeted with malicious Zimbra ICS emails
Earlier in 2025, an unknown threat actor spoofing the Libyan Navy’s Office of Protocol sent weaponized iCalendar (.ICS) emails to target Brazil’s military. Opening the calendar content in Zimbra triggered a then-zero-day stored XSS flaw that enabled theft of credentials, emails, contacts, and other mailbox data, and in some cases creation of malicious mail-forwarding rules.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
9 references tracked. Mallory keeps watching after this page renders.
CISA Warns of Actively Exploited Zero-Day XSS Flaw in Zimbra Collaboration Suite
thecyberexpress.com
Open sourceCISA Adds Zimbra XSS Flaw to KEV After Active Exploitation
thecyberthrone.in
Open sourceZimbra XSS Zero-Day (CVE-2025-27915) Actively Exploited; CISA Adds to KEV Catalog
securityonline.info
Open sourceAttackers exploit XXS flaw in Zimbra Collaboration Suite
scworld.com
Open sourceU.S. CISA adds Synacor Zimbra Collaboration Suite (ZCS) flaw to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Open sourceZimbra users targeted in zero-day exploit using iCalendar attachments
securityaffairs.com
Open sourceCyberattackers Exploit Zimbra Zero-Day Via ICS
darkreading.com
Open sourceZimbra Zero-Day Exploited to Target Brazilian Military via Malicious ICS Files
thehackernews.com
Open sourceHackers exploited Zimbra flaw as zero-day using iCalendar files
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Actively Exploited Zimbra XSS Leaves Over 10,000 Servers Exposed
More than 10,000 internet-exposed **Zimbra Collaboration Suite** servers remain vulnerable to `CVE-2025-48700`, an actively exploited cross-site scripting flaw that affects ZCS versions `8.8.15`, `9.0`, `10.0`, and `10.1`. The bug lets unauthenticated attackers execute arbitrary JavaScript in a victim’s session and steal sensitive data when a user opens a malicious email in the **Zimbra Classic UI**. Synacor released patches in June 2025, but Shadowserver still reported roughly **10,500** exposed unpatched systems, with the largest concentrations in Asia and Europe. **CISA** has added `CVE-2025-48700` to its **Known Exploited Vulnerabilities** catalog and ordered Federal Civilian Executive Branch agencies to secure affected servers within days because the flaw is being abused in the wild. The warning follows a broader pattern of Zimbra vulnerabilities being used in espionage-focused campaigns, with reporting linking earlier exploitation of similar flaws to Russian-aligned groups including **APT28**, **APT29**, and **Winter Vivern** against Ukrainian entities, NATO-aligned organizations, and other targets.
Apr 28, 2026
Zimbra Webmail Classic UI Local File Inclusion Vulnerability
A high-severity Local File Inclusion (LFI) vulnerability has been identified in the Webmail Classic UI of *Zimbra Collaboration Suite* (ZCS) versions 10.0 and 10.1. The flaw, tracked as `CVE-2025-68645`, arises from improper handling of user-supplied request parameters in the `RestFilter` servlet, allowing unauthenticated remote attackers to craft requests to the `/h/rest` endpoint and include arbitrary files from the WebRoot directory. This vulnerability exposes internal files to attackers, potentially leading to the disclosure of sensitive information and further compromise of affected Zimbra installations. Security researchers have highlighted the risk that this LFI vulnerability poses, as it can be exploited without authentication and may serve as a stepping stone for more advanced attacks. Organizations using Zimbra Collaboration Suite are urged to review their deployments and apply any available patches or mitigations to prevent exploitation. The vulnerability has been assigned a CVSS 3.1 score of 8.8, reflecting its high impact and ease of exploitation.
Mar 21, 2026
CISA Adds Actively Exploited Zimbra XSS Flaw to KEV Catalog
**CISA** added **CVE-2025-66376** to its **Known Exploited Vulnerabilities (KEV)** catalog after confirming active exploitation of a **stored cross-site scripting (XSS)** flaw in **Synacor Zimbra Collaboration Suite (ZCS)**. The vulnerability affects the *Classic UI* and allows remote unauthenticated attackers to abuse CSS `@import` directives embedded in email HTML, creating a path to execute malicious JavaScript in a victim's browser session. The KEV entry describes the issue as a **CWE-79** XSS vulnerability and directs organizations to apply vendor mitigations, follow **BOD 22-01** guidance for cloud services, or discontinue use if mitigations are unavailable. CISA ordered **Federal Civilian Executive Branch (FCEB)** agencies to remediate the flaw by **April 1**, while also urging private-sector organizations to patch quickly because the bug is being exploited in the wild. Reporting on the KEV addition notes that the flaw was patched by Zimbra earlier and could enable session hijacking and theft of sensitive data within affected Zimbra environments through malicious HTML email content. The same KEV update also included other unrelated vulnerabilities, but the Zimbra entry is the relevant event tied to the active exploitation warning and federal patching directive.
Mar 21, 2026