
Hackers exploited Zimbra flaw as zero-day using iCalendar files

Threat actors exploited CVE-2025-27915, a cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite (ZCS) 9.0, 10.0, and 10.1, to deliver a JavaScript payload onto target systems. The vulnerability stems from insufficient sanitization of HTML content in ICS (iCalendar) files, which allowed attackers to execute arbitrary JavaScript within the victim’s session, for example to set mail filters that redirect messages to the attacker.

Researchers at StrikeReady, a company that develops an AI-driven security operations and threat management platform, discovered the attack while watching for .ICS files larger than 10 KB that contained JavaScript code. They determined that the attacks had started at the beginning of January, before Zimbra released the patch. The threat actor spoofed the Libyan Navy’s Office of Protocol in an email carrying the zero-day exploit, which targeted a Brazilian military organization.
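The hunting heuristic described above (oversized .ICS files carrying JavaScript) can be turned into a simple triage check. This is an added example written for this post, not StrikeReady's detection logic; the page does not say which iCalendar property carried the HTML, so the script unfolds the file per RFC 5545 and scans every property, while separately recording properties declared as text/html. The marker patterns and the sample files are constructed for the example.

```python
import re
from dataclasses import dataclass, field

SIZE_THRESHOLD = 10 * 1024  # the 10 KB size filter mentioned in the report

# Heuristic markers of active content. Assumption: these are my own patterns,
# not the ones StrikeReady used, and they will need tuning for real mail flows.
ACTIVE_CONTENT = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),  # inline event handlers such as onload=
]

@dataclass
class IcsVerdict:
    size: int
    oversized: bool
    html_properties: list = field(default_factory=list)  # properties typed text/html
    markers: list = field(default_factory=list)          # (property, pattern) hits

    @property
    def suspicious(self) -> bool:
        # Mirror the report's filter: large file AND JavaScript-looking content.
        return self.oversized and bool(self.markers)

def unfold(ics_text: str) -> list[str]:
    """Undo RFC 5545 line folding: continuation lines start with a space or tab."""
    lines: list[str] = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def inspect_ics(data: bytes) -> IcsVerdict:
    """Classify one .ics attachment body; no parsing library is needed."""
    text = data.decode("utf-8", errors="replace")
    verdict = IcsVerdict(size=len(data), oversized=len(data) > SIZE_THRESHOLD)
    for line in unfold(text):
        name, _, value = line.partition(":")      # NAME;PARAM=...:value
        prop = name.split(";")[0].upper()
        if "FMTTYPE=TEXT/HTML" in name.upper():
            verdict.html_properties.append(prop)
        for pat in ACTIVE_CONTENT:               # scan every property, not only HTML ones
            if pat.search(value):
                verdict.markers.append((prop, pat.pattern))
    return verdict

# Constructed samples: a plain invite and an oversized one with an HTML description.
BENIGN_ICS = (b"BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Staff meeting\r\n"
              b"DESCRIPTION:Agenda attached\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n")
SUSPECT_ICS = (b"BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Invitation\r\n"
               b"X-ALT-DESC;FMTTYPE=text/html:<html><body>" + b"A" * 11000 +
               b"<script>/* constructed marker */</script></body></html>\r\n"
               b"END:VEVENT\r\nEND:VCALENDAR\r\n")
```

Run `inspect_ics()` over attachments pulled from the mail store; a small file with a marker is worth a look but only an oversized one with a marker matches the report's filter.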

According to the researchers’ analysis, the payload is designed to steal data from Zimbra Webmail, including credentials, emails, contacts, and shared folders. StrikeReady says the malicious code runs asynchronously and is split across several Immediately Invoked Function Expressions (IIFEs).

StrikeReady could not attribute this attack with high confidence to any known threat group, but noted that only a small number of attackers can discover zero-day vulnerabilities in widely used products, mentioning that one Russian-linked group is especially prolific. The researchers also noted that similar tactics, techniques, and procedures (TTPs) have been observed in attacks attributed to UNC1151, a threat group that Mandiant has linked to the Belarusian government.

To read the complete article see: Bleeping Computer

Apply for our next conference in Kuala Lumpur on December 9th and 10th, 2025 at Rise Malaysia with the passcode: “6f&%dX” (no quotes).
The call for papers is here: Submit your paper.

This post is licensed under CC BY 4.0 by the author.