Oct 06, 2025Ravie LakshmananEmail Safety / Zero-Day
A now patched safety vulnerability in Zimbra Collaboration was exploited as a zero-day earlier this 12 months in cyber assaults focusing on the Brazilian navy.
Tracked as CVE-2025-27915 (CVSS rating: 5.4), the vulnerability is a saved cross-site scripting (XSS) vulnerability within the Basic Net Consumer that arises because of inadequate sanitization of HTML content material in ICS calendar recordsdata, leading to arbitrary code execution.
“When a person views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes through an ontoggle occasion inside a tag,” in response to an outline of the flaw within the NIST Nationwide Vulnerability Database (NVD).
“This enables an attacker to run arbitrary JavaScript inside the sufferer’s session, probably resulting in unauthorized actions comparable to setting e-mail filters to redirect messages to an attacker-controlled tackle. Consequently, an attacker can carry out unauthorized actions on the sufferer’s account, together with e-mail redirection and knowledge exfiltration.”
The vulnerability was addressed by Zimbra as a part of variations 9.0.0 Patch 44, 10.0.13, and 10.1.5 launched on January 27, 2025. The advisory, nonetheless, makes no point out of it having been exploited in real-world assaults.
Nevertheless, in response to a report printed by StrikeReady Labs on September 30, 2025, the noticed in-the-wild exercise concerned unknown risk actors spoofing the Libyan Navy’s Workplace of Protocol to focus on the Brazilian navy utilizing malicious ICS recordsdata that exploited the flaw.
The ICS file contained a JavaScript code that is designed to behave as a complete knowledge stealer to siphon credentials, emails, contacts, and shared folders to an exterior server (“ffrk[.]web”). It additionally searches for emails in a selected folder, and provides malicious Zimbra electronic mail filter guidelines with the identify “Correo” to ahead the messages to [email protected].
As a technique to keep away from detection, the script is customary such that it hides sure person interface parts and detonates provided that greater than three days have handed for the reason that final time it was executed.
It is presently not clear who’s behind the assault, however earlier this 12 months, ESET revealed that the Russian risk actor often known as APT28 had exploited XSS vulnerabilities in varied webmail options from Roundcube, Horde, MDaemon, and Zimbra to acquire unauthorized entry.
An analogous modus operandi has additionally been adopted by different hacking teams like Winter Vivern and UNC1151 (aka Ghostwriter) to facilitate credential theft.
