Zimbra Collaboration Suite XSS flaw (CVE-2025-27915)
Vulnerability
Summary
CVE-2025-27915 was exploited as a zero-day in Zimbra Collaboration Suite (ZCS 9.0, 10.0, and 10.1), exposing users to JavaScript execution inside authenticated webmail sessions. The flaw came from insufficient sanitization of HTML content in ICS calendar files, which let attackers weaponize .ICS attachments as an execution vector. Zimbra later released ZCS 9.0.0 P44, 10.0.13, and 10.1.5 on January 27, 2025, after attacks had already started in early January.
Cases
Related Happenings
APT28 Operation GhostMail Zimbra phishing campaign targeting Ukrainian government entities
Campaign
First: 19.03.2026 16:55
Last: 19.03.2026 16:55
Sources 1
About this happening:
**APT28**’s **Operation GhostMail** is actively targeting **Ukrainian government entities** through a phishing chain that exploits **CVE-2025-66376** in **Zimbra Collaboration Sui...
CISA adds two Roundcube flaws to KEV catalog
Public Sector Action
First: 21.02.2026 09:21
Last: 21.02.2026 09:21
Sources 1
About this happening:
**CISA** added **two Roundcube webmail flaws** to the **KEV catalog** after citing **active exploitation**, increasing urgency for federal remediation. **CVE-2025-49113** is a **C...
CISA KEV multi-product active exploitation wave (CVE-2020-7796)
Exploitation Wave
First: 18.02.2026 08:52
Last: 18.02.2026 08:52
Sources 1
About this happening:
**CISA** expanded its **KEV catalog** with **four actively exploited flaws**, signaling a live exploitation wave across **Chrome, TeamT5 ThreatSonar, Zimbra, and Windows Video Act...
CISA SmarterMail remediation guidance for CVE-2026-24423
Advisory/Mitigation
First: 06.02.2026 19:16
Last: 06.02.2026 19:16
Sources 1
About this happening:
**SmarterMail** is at the center of a **CVE-2026-24423** remediation and exploitation wave: the flaw enables **unauthenticated remote code execution** in versions prior to **Build...
CISA KEV remediation deadline for SolarWinds WHD CVE-2025-40551
Public Sector Action
First: 04.02.2026 07:50
Last: 04.02.2026 07:50
Sources 1
About this happening:
**CISA** added **CVE-2025-40551** in **SolarWinds Web Help Desk** to the **KEV catalog** and imposed **federal remediation deadlines**, turning a newly exploited flaw into a compl...
Timeline
05.10.2025 17:45 · 1 article
Zimbra releases fixes for CVE-2025-27915
Mitigation Patch Update
Zimbra released ZCS 9.0.0 P44, 10.0.13, and 10.1.5 on January 27, 2025 to address CVE-2025-27915, a cross-site scripting flaw in Zimbra Collaboration Suite caused by insufficient sanitization of HTML content in ICS files that allowed arbitrary JavaScript execution inside Zimbra Webmail sessions.
Sources:
- Hackers exploited Zimbra flaw as zero-day using iCalendar files — www.bleepingcomputer.com — 05.10.2025 17:45
05.10.2025 17:45 · 4 articles
StrikeReady identifies Zimbra zero-day exploitation through ICS attachments
Initial Disclosure
StrikeReady identified zero-day exploitation of CVE-2025-27915 in Zimbra Collaboration Suite (ZCS 9.0, 10.0, and 10.1) through .ICS/iCalendar email attachments that delivered Base64-obfuscated JavaScript; the campaign spoofed the Libyan Navy’s Office of Protocol, targeted a Brazilian military organization, and sought to steal Zimbra Webmail credentials, emails, contacts, and shared folders while adding forwarding filters.
Sources:
- Hackers exploited Zimbra flaw as zero-day using iCalendar files — www.bleepingcomputer.com — 05.10.2025 17:45
- Zimbra Zero-Day Exploited to Target Brazilian Military via Malicious ICS Files — thehackernews.com — 06.10.2025 09:01
- Cyberattackers Exploit Zimbra Zero-Day Via ICS — www.darkreading.com — 06.10.2025 23:12