Vulnerability Campaign Security Patch Release

Zimbra calendar-attachment XSS abuse

Updated 06.10.2025 23:12

Case score 64

Case score 64 Members 3 Latest activity 06.10.2025 23:12 Active exploitation Patch available CVSS: 5.4 Medium

Active exploitation Patch available CVSS: 5.4 Medium

Members 3 First seen 05.10.2025 17:45 Last seen 06.10.2025 23:12 Updated 06.10.2025 23:12

Overview

Malicious **ICS** attachments exploited **CVE-2025-27915** in **Zimbra Collaboration Suite**, and one operation spoofed the **Libyan Navy's Office of Protocol** to reach the **Brazilian military**. The payload ran JavaScript inside authenticated webmail sessions, creating a path to mailbox abuse, credential theft, and message exfiltration. **Zimbra** released **9.0.0 Patch 44**, **10.0.13**, and **10.1.5** on January 27, 2025. Available evidence points to targeted espionage activity before the fix, while the exact scope of affected users and any broader spread remain unknown.

Key facts

**CVE-2025-27915** was abused through malicious **ICS** mail attachments in **Zimbra Collaboration Suite**.
The flaw is a stored **XSS** in the **Classic Web Client** caused by insufficient HTML sanitization in ICS calendar files.
A spoofed **Libyan Navy's Office of Protocol** campaign targeted the **Brazilian military**.
The payload could steal credentials, mail, contacts, and shared folders, and it could change filters to redirect messages.
**Zimbra** released **9.0.0 Patch 44**, **10.0.13**, and **10.1.5** on **January 27, 2025**.
Available evidence does not quantify affected users or organizations, and broader reach is unconfirmed.

Signals

6 derived

Exploitation

Exploitation Active exploitation CVSS 5.4 Medium

CVEs/products

CVE

Victims/regions

Sector military Victim region Brazil

Remediation

Remediation Patch available

Member happenings

3 related

Vulnerability Zimbra Collaboration Suite XSS flaw (CVE-2025-27915)

Updated 05.10.2025 17:45 Lead Contribution 62

Exploitation Active Exploitation Data Type Passwords Data Type Email Addresses CVSS 5.4 Medium +1

**CVE-2025-27915** was exploited as a **zero-day** in **Zimbra Collaboration Suite (ZCS 9.0, 10.0, and 10.1)**, exposing users to **JavaScript execution** inside authenticated webmail sessions. The flaw came from **insufficient sanitization of HTML content in ICS calendar files**, which let attackers weaponize **.ICS attachments** as an execution vector. Zimbra later released **ZCS 9.0.0 P44, 10.0.13, and 10.1.5** on **January 27, 2025**, after attacks had already started in **early January**.

View happening

Campaign Libyan Navy Office of Protocol impersonation campaign targeting the Brazilian military via malicious ICS attachments

Updated 06.10.2025 23:12 Scoring Support Contribution 2

Objective Espionage

An **unknown threat actor** impersonating the **Libyan Navy's Office of Protocol** targeted the **Brazilian military** in a **targeted espionage campaign**, using a malicious **ICS email attachment** to deliver an exploit against **Zimbra**. The operation mattered because the attachment triggered **zero-day** exploitation in a collaboration platform rather than a standard phishing lure or server compromise. The delivery chain enabled data theft from user sessions, including **credentials** and mail content, while helping the actor avoid detection. The activity occurred **earlier this year** and was tied to **CVE-2025-27915**.

View happening

Security Patch Release Zimbra security patch release for CVE-2025-27915

Updated 06.10.2025 09:01 Context

Exploitation Active Exploitation Urgency Normal CVSS 5.4 Medium Patch Patch Available

**Zimbra Collaboration** released **security fixes** for **CVE-2025-27915**, closing a **stored XSS** flaw in the **Classic Web Client** that could enable session abuse and **data exfiltration**. The patch bundle shipped on **January 27, 2025** in **9.0.0 Patch 44**, **10.0.13**, and **10.1.5**. Later reporting linked the flaw to **zero-day** abuse in attacks that used **malicious ICS files**.

View happening