Find notable cyber news and cases, enriched with sources, timelines, and signals.
Vulnerability Campaign Security Patch Release

Zimbra calendar-attachment XSS abuse

Updated 06.10.2025 23:12
Case score 64
Case score 64 Members 3 Latest activity 06.10.2025 23:12
Active exploitation Patch available CVSS: 5.4 Medium
Members 3 First seen 05.10.2025 17:45 Last seen 06.10.2025 23:12 Updated 06.10.2025 23:12

Overview

Malicious **ICS** attachments exploited **CVE-2025-27915** in **Zimbra Collaboration Suite**, and one operation spoofed the **Libyan Navy's Office of Protocol** to reach the **Brazilian military**. The payload ran JavaScript inside authenticated webmail sessions, creating a path to mailbox abuse, credential theft, and message exfiltration. **Zimbra** released **9.0.0 Patch 44**, **10.0.13**, and **10.1.5** on January 27, 2025. Available evidence points to targeted espionage activity before the fix, while the exact scope of affected users and any broader spread remain unknown.

Signals

7 derived
Impact signals
Exploitation
Exploitation Active exploitation CVSS 5.4 Medium
CVEs/products
CVE
Victims/regions
Sector military Victim region Brazil
Remediation
Remediation Patch available Urgency Normal

Member happenings

3 related
Vulnerability Zimbra Collaboration Suite XSS flaw (CVE-2025-27915)
Updated 05.10.2025 17:45 Lead Contribution 62
Exploitation Active Exploitation Data Type Passwords Data Type Email Addresses CVSS 5.4 Medium +1

**CVE-2025-27915** was exploited as a **zero-day** in **Zimbra Collaboration Suite (ZCS 9.0, 10.0, and 10.1)**, exposing users to **JavaScript execution** inside authenticated webmail sessions. The flaw came from **insufficient sanitization of HTML content in ICS calendar files**, which let attackers weaponize **.ICS attachments** as an execution vector. Zimbra later released **ZCS 9.0.0 P44, 10.0.13, and 10.1.5** on **January 27, 2025**, after attacks had already started in **early January**.

Campaign Libyan Navy Office of Protocol impersonation campaign targeting the Brazilian military via malicious ICS attachments
Updated 06.10.2025 23:12 Scoring Support Contribution 2
Objective Espionage

An **unknown threat actor** impersonating the **Libyan Navy's Office of Protocol** targeted the **Brazilian military** in a **targeted espionage campaign**, using a malicious **ICS email attachment** to deliver an exploit against **Zimbra**. The operation mattered because the attachment triggered **zero-day** exploitation in a collaboration platform rather than a standard phishing lure or server compromise. The delivery chain enabled data theft from user sessions, including **credentials** and mail content, while helping the actor avoid detection. The activity occurred **earlier this year** and was tied to **CVE-2025-27915**.

Security Patch Release Zimbra security patch release for CVE-2025-27915
Updated 06.10.2025 09:01 Context
Exploitation Active Exploitation CVSS 5.4 Medium Urgency Normal Patch Patch Available

**Zimbra Collaboration** released **security fixes** for **CVE-2025-27915**, closing a **stored XSS** flaw in the **Classic Web Client** that could enable session abuse and **data exfiltration**. The patch bundle shipped on **January 27, 2025** in **9.0.0 Patch 44**, **10.0.13**, and **10.1.5**. Later reporting linked the flaw to **zero-day** abuse in attacks that used **malicious ICS files**.