Zimbra Zero-Day (CVE-2025-27915) Actively Exploited to Steal Credentials via Malicious Calendar Invites
Researchers at StrikeReady uncovered a targeted campaign exploiting a zero-day in the Zimbra Collaboration Suite (ZCS) — a widely used open-source mail platform deployed by numerous governments and enterprises. Tracked as CVE-2025-27915, the flaw is a cross-site scripting (XSS) vulnerability stemming from insufficient HTML sanitization in calendar .ICS files, allowing an attacker to inject malicious JavaScript that executes within a victim’s session.
iCalendar (.ICS) files, commonly exchanged to share events and schedules across applications, were weaponized in this operation: a spear-phishing message masquerading as an official communiqué from the Libyan Navy’s protocol office contained an approximately 100 KB ICS attachment embedding an encrypted JavaScript payload. The script, Base64-encoded, activated when the attachment was opened.
According to StrikeReady, the intrusion targeted a military organization in Brazil and began in early January — well before a patch was issued. Zimbra remedied the vulnerability only on January 27 with updates to ZCS 9.0.0 P44, 10.0.13, and 10.1.5. Notably, the vendor’s advisory did not acknowledge active exploitation, which makes StrikeReady’s discovery especially consequential.
After decoding the JavaScript, analysts found a meticulously crafted theft engine geared to exfiltrate Zimbra Webmail data: credentials, address books, emails, and shared folders. The script leveraged asynchronous routines and immediately invoked function expressions (IIFEs) for stealth and concurrency, creating hidden credential-capture fields, monitoring user activity to force logouts and re-intercept logins, querying the Zimbra SOAP API to enumerate and harvest messages, and exfiltrating stolen content every four hours. It also added a mail filter named “Correo” to forward messages to the attackers’ ProtonMail address.
The payload harvested authentication artifacts and backups, exported contact lists and shared resources, obfuscated UI elements to avoid detection, and incorporated delayed execution (60 seconds) with a persistence gate that limited re-triggering to once every three days. This design enabled the operation to remain covert over extended periods.
While StrikeReady could not definitively attribute the campaign to a specific actor, the sophistication of the exploit suggests a narrow set of adversaries with the resources to discover zero-day flaws. The report also notes technique overlaps with tactics previously associated with UNC1151.
StrikeReady published detailed indicators of compromise and the deobfuscated exploit code, warning that calendar attachments are often trusted and therefore escape conventional detection. The incident starkly demonstrates that apparently innocuous formats can become potent delivery vectors when server-side content validation is inadequate.
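As an added example (not StrikeReady's or Zimbra's code), the following Python scanner unfolds an inbound .ICS attachment per RFC 5545 and flags text properties that carry script tags, event-handler attributes or javascript: URIs, the kind of HTML that a sanitizer must strip before a calendar description reaches the webmail DOM. The sample invite is constructed for the test; the indicator names, the Base64 length threshold and the high-risk set are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample .ICS (not the real campaign attachment): the DESCRIPTION
# carries a folded HTML tag with an event handler, X-ALT-DESC carries a script tag.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:example-1@example.invalid\r\n"
    "SUMMARY:Protocol meeting\r\n"
    "DESCRIPTION:Agenda attached.<img src=x onerror=\"x(\r\n"
    " )\">\r\n"
    "X-ALT-DESC;FMTTYPE=text/html:<html><body><script>x()</script></body></html>\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Indicator names and patterns are assumptions chosen for this example.
PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "html_markup": re.compile(r"<\s*/?\s*[a-z][a-z0-9]*[^>]*>", re.I),
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),  # long encoded run
}
# html_markup alone is low signal (many clients put HTML in X-ALT-DESC);
# only active-content indicators decide is_suspicious().
HIGH_RISK = {"script_tag", "event_handler", "javascript_uri"}


def unfold(ics: str) -> List[str]:
    """Join RFC 5545 folded lines: a line starting with SPACE/HTAB continues the previous one."""
    lines: List[str] = []
    for raw in ics.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def scan_ics(ics: str) -> List[Dict[str, object]]:
    """Return one finding per property whose value matches any indicator pattern."""
    findings: List[Dict[str, object]] = []
    for line in unfold(ics):
        if ":" not in line:
            continue
        head, value = line.split(":", 1)          # NAME;PARAM=...:VALUE
        prop = head.split(";", 1)[0].upper()
        hits = [name for name, rx in PATTERNS.items() if rx.search(value)]
        if hits:
            findings.append({"property": prop, "indicators": hits, "length": len(value)})
    return findings


def is_suspicious(ics: str) -> bool:
    """True when any property carries active-content markup (quarantine candidate)."""
    return any(HIGH_RISK & set(f["indicators"]) for f in scan_ics(ics))
```

Run against the SAMPLE_ICS, `is_suspicious()` returns True because the unfolded DESCRIPTION exposes an `onerror=` handler that the folded raw lines would have hidden from a naive line-by-line grep.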