A zero-day vulnerability in the Zimbra Collaboration Suite (ZCS) was actively exploited in targeted attacks earlier in 2025.
The flaw, tracked as CVE-2025-27915, is a stored cross-site scripting (XSS) vulnerability that attackers exploited by sending weaponized iCalendar (.ICS) files to steal sensitive data from victims' email accounts.
The attacks were first identified by StrikeReady, which began monitoring for unusually large iCalendar files that contained JavaScript.
One notable attack targeted Brazil's military, where an attacker, using the IP address 193.29.58.37, spoofed the Libyan Navy's Office of Protocol to deliver the then-unknown exploit.
The core of the issue lies within Zimbra's Classic Web Client, which failed to properly sanitize HTML content inside iCalendar files. This allowed threat actors to embed malicious JavaScript within a .ICS attachment.
When a user opened an email containing the malicious calendar entry, the script would execute within the user's active session.
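The detection approach described above (watching for oversized iCalendar attachments that carry script) can be reproduced with a small mail-gateway check. The following is an added example written for this article, not code from StrikeReady or Zimbra; the size threshold, the regex of script indicators, and the two sample .ics attachments are constructed assumptions.

```python
import re

# Heuristic indicators of active content inside an iCalendar property value
# (constructed assumption: script tags, javascript: URIs, inline event handlers,
# and embedding elements are the usual ways script reaches a webmail DOM).
ACTIVE_CONTENT = re.compile(
    r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*(iframe|object|embed)\b",
    re.IGNORECASE,
)
SIZE_THRESHOLD = 10 * 1024  # constructed: ordinary invites are far smaller than 10 KiB


def unfold_ics(text: str) -> list[str]:
    """Undo RFC 5545 line folding: a CRLF followed by a space or tab continues
    the previous line, so a tag can be split across physical lines."""
    text = text.replace("\r\n", "\n")
    return re.sub(r"\n[ \t]", "", text).split("\n")


def scan_ics(text: str) -> dict:
    """Report whether an .ics attachment is oversized and which properties
    carry script-like content. Properties are unfolded first so that split
    tags are still seen whole."""
    findings = {"oversized": len(text.encode()) > SIZE_THRESHOLD, "suspicious": []}
    for line in unfold_ics(text):
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        prop = name.split(";", 1)[0].upper()  # strip parameters such as ;FMTTYPE=
        if ACTIVE_CONTENT.search(value):
            findings["suspicious"].append(prop)
    return findings


# Constructed samples: a plain invite and one whose HTML description carries a
# placeholder script tag folded across two lines.
BENIGN_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Team sync\r\n"
    "DESCRIPTION:Agenda review\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
)
FLAGGED_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Protocol meeting\r\n"
    "X-ALT-DESC;FMTTYPE=text/html:<html><body>Hello<scr\r\n"
    " ipt>/* constructed placeholder */</script></body></html>\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    print(scan_ics(BENIGN_ICS))
    print(scan_ics(FLAGGED_ICS))
```

A gateway would quarantine or strip any .ics that reports a suspicious property, and alert on oversized attachments for review.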
This XSS vulnerability, often considered less severe than remote code execution (RCE) flaws, proved highly effective.
It enabled attackers to run arbitrary code in the user's session to perform unauthorized actions, including data exfiltration and session hijacking, without the user's knowledge.
Zimbra addressed the vulnerability on January 27, 2025, by releasing patches (versions 9.0.0 P44, 10.0.13, and 10.1.5), though evidence shows the exploit was used before the fix was available.
A Comprehensive Data-Stealing Payload
The JavaScript payload delivered via the exploit is a sophisticated data stealer designed specifically for Zimbra webmail. Its capabilities include:
Credential Theft: It creates hidden form fields to capture usernames and passwords from login pages.
Data Exfiltration: The script is programmed to steal a wide range of information, including emails, contacts, distribution lists, shared folders, scratch codes, and trusted device information. The stolen data is sent to an attacker-controlled server at
Activity Monitoring: It monitors user activity and, if a user is inactive, triggers data theft before logging them out.
Email Forwarding: The malware adds a malicious email filter rule named "Correo" to automatically forward the victim's emails to an external address, [email protected].
Evasion Techniques: To avoid detection, the script employs a 60-second delay before execution, limits its execution to once every three days, and hides user interface elements to conceal its activity.
While direct attribution remains unconfirmed, researchers note the tactics are similar to those used by a prolific Russian-linked threat actor and the group UNC1151, which has been linked to the Belarusian government.
This incident underscores the significant threat posed by XSS vulnerabilities in enterprise environments and the importance of applying security patches promptly.