Zimbra Collaboration Suite Zero-Day Exploited via iCalendar Files
Summary
A zero-day vulnerability in Zimbra Collaboration Suite (ZCS) was exploited using iCalendar files to deliver a JavaScript payload. The flaw, CVE-2025-27915, allowed attackers to execute arbitrary JavaScript within the victim's session. The attacks targeted a Brazilian military organization and were active before the patch was released in January 2025. The payload was designed to steal credentials, emails, contacts, and shared folders from Zimbra Webmail. The threat actor spoofed the Libyan Navy’s Office of Protocol to deliver the exploit. The malicious code used various techniques to evade detection and exfiltrate data. The vulnerability was patched by Zimbra in January 2025, but the exploitation activity was not publicly disclosed until October 2025.
Timeline
- 05.10.2025 17:45 (1 article): Zero-day in Zimbra Collaboration Suite exploited via iCalendar files
- Hackers exploited Zimbra flaw as zero-day using iCalendar files — www.bleepingcomputer.com — 05.10.2025 17:45
Information Snippets
- The zero-day vulnerability, CVE-2025-27915, affected Zimbra Collaboration Suite versions 9.0, 10.0, and 10.1.
  First reported: 05.10.2025 17:45 (1 source, 1 article): Hackers exploited Zimbra flaw as zero-day using iCalendar files — www.bleepingcomputer.com — 05.10.2025 17:45
- The flaw allowed attackers to execute arbitrary JavaScript within the victim's session by exploiting insufficient sanitization of HTML content in iCalendar files.
  First reported: 05.10.2025 17:45 (1 source, 1 article): Hackers exploited Zimbra flaw as zero-day using iCalendar files — www.bleepingcomputer.com — 05.10.2025 17:45
- The attacks began in early January 2025 and targeted a Brazilian military organization.
  First reported: 05.10.2025 17:45 (1 source, 1 article): Hackers exploited Zimbra flaw as zero-day using iCalendar files — www.bleepingcomputer.com — 05.10.2025 17:45
- The malicious email contained a 00KB iCalendar file with obfuscated JavaScript code designed to steal data from Zimbra Webmail.
  First reported: 05.10.2025 17:45 (1 source, 1 article): Hackers exploited Zimbra flaw as zero-day using iCalendar files — www.bleepingcomputer.com — 05.10.2025 17:45
- The payload could steal credentials, monitor user activity, and exfiltrate emails, contacts, and shared folders.
  First reported: 05.10.2025 17:45 (1 source, 1 article): Hackers exploited Zimbra flaw as zero-day using iCalendar files — www.bleepingcomputer.com — 05.10.2025 17:45
- The malicious code used various techniques to evade detection, including asynchronous execution and immediately invoked function expressions (IIFEs).
  First reported: 05.10.2025 17:45 (1 source, 1 article): Hackers exploited Zimbra flaw as zero-day using iCalendar files — www.bleepingcomputer.com — 05.10.2025 17:45
- The attack was discovered by StrikeReady, which monitors for larger .ICS files containing JavaScript code.
  First reported: 05.10.2025 17:45 (1 source, 1 article): Hackers exploited Zimbra flaw as zero-day using iCalendar files — www.bleepingcomputer.com — 05.10.2025 17:45
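As an added defensive example (not StrikeReady's or Zimbra's code), the detection heuristic described above in a small Python scanner: it unfolds an .ics attachment per RFC 5545, records which properties carry HTML, looks for script indicators such as the async IIFE pattern mentioned in the snippets, and applies a size threshold. The two iCalendar samples, the threshold and the regex patterns are constructed assumptions.

```python
import re
# Thresholds and patterns are assumptions for this example, not StrikeReady's or Zimbra's rules.
SIZE_THRESHOLD_BYTES = 4 * 1024  # a normal invite is far smaller; a script payload usually is not
HTML_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
SCRIPT_INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),        # onerror= / onload= attributes
    "iife": re.compile(r"\(\s*(?:async\s+)?function\b|\(\s*\([^)]*\)\s*=>"),  # (function(){})() / (()=>{})()
}

def unfold_lines(text):
    """Undo RFC 5545 folding: a line starting with SPACE or TAB continues the previous line."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def split_property(line):
    """Split NAME;PARAM=..:VALUE at the first ':' outside double quotes; return (NAME, value)."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i].split(";", 1)[0].upper(), line[i + 1:]
    return line.upper(), ""

def scan_ics(data):
    """Return size, HTML-bearing properties and script indicators found in an .ics attachment."""
    html_props, hits = set(), set()
    for line in unfold_lines(data.decode("utf-8", errors="replace")):
        name, value = split_property(line)
        value = value.replace("\\n", "\n").replace("\\,", ",").replace("\\;", ";")  # text escapes
        if HTML_TAG.search(value):
            html_props.add(name)
        hits.update(f"{name}:{label}" for label, pat in SCRIPT_INDICATORS.items() if pat.search(value))
    oversized = len(data) > SIZE_THRESHOLD_BYTES
    return {"size": len(data), "oversized": oversized, "html_properties": sorted(html_props),
            "indicators": sorted(hits), "suspicious": bool(hits) or (oversized and bool(html_props))}
# Constructed samples: a plain invite, and one whose HTML description carries an async IIFE.
HEAD = "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\nDTSTART:20250110T090000Z\r\n"
TAIL = "END:VEVENT\r\nEND:VCALENDAR\r\n"
BENIGN_ICS = (HEAD + "UID:1@example.invalid\r\nSUMMARY:Weekly sync\r\n"
              "DESCRIPTION:Agenda attached\\, see notes.\r\n" + TAIL).encode()
SUSPECT_ICS = (HEAD + "UID:2@example.invalid\r\nSUMMARY:Protocol meeting\r\n"
               "X-ALT-DESC;FMTTYPE=text/html:<html><body>Details<script>(async function(){\r\n"
               " /* constructed placeholder, no real payload */ })();</script></body></html>\r\n" + TAIL).encode()
```

In a mail gateway this would run over every text/calendar part; the `suspicious` flag is the alerting signal, and `indicators` tells the analyst which property and pattern fired.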
- The threat actor's tactics, techniques, and procedures (TTPs) were similar to those observed in attacks attributed to UNC1151, a threat group linked to the Belarusian government.
  First reported: 05.10.2025 17:45 (1 source, 1 article): Hackers exploited Zimbra flaw as zero-day using iCalendar files — www.bleepingcomputer.com — 05.10.2025 17:45