The discovery and exploitation of CVE-2025-27915, a stored cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite (ZCS), underscores the persistent threat posed by input sanitization flaws in widely used enterprise software. This now-patched zero-day vulnerability was actively exploited earlier in 2025 in targeted attacks against the Brazilian military, where threat actors weaponized ICS calendar files to execute malicious JavaScript within user sessions.
Vulnerability Details
Stored XSS via ICS Files (CVE-2025-27915)
CVE-2025-27915 is a stored XSS vulnerability affecting the Zimbra Classic Web Client, caused by insufficient sanitization of HTML content in imported .ICS calendar files. JavaScript embedded in a calendar event's HTML description could be triggered when the victim viewed the event, in particular through an ontoggle event handler on a <details> HTML tag, an attribute the sanitizer failed to strip.
This flaw allows attackers to execute arbitrary JavaScript in the context of a victim's session, enabling unauthorized actions such as modifying mail filters or exfiltrating sensitive data. The NVD has assigned it a CVSS score of 5.4 (medium severity); the score reflects that exploitation requires an authenticated victim to view the malicious event, and its use in active APT campaigns shows that the real-world impact is higher than the number suggests.
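As an added illustration of the class of mistake (this is example code, not Zimbra's sanitizer; the tag allow-list, attribute allow-list and both policies are hypothetical), the Python below re-serialises HTML through two attribute policies. The weak one allows the <details> tag and filters event handlers with a deny-list, so an attribute the author did not think of, ontoggle, survives; the strict one rejects every on* attribute and keeps only allow-listed attributes per tag.

```python
"""Why a deny-list of event handlers fails: <details ontoggle=...> slips through.

Added illustration for this article, not Zimbra's sanitizer; the two policies
below are hypothetical and only model the class of mistake the CVE describes.
"""
from html import escape
from html.parser import HTMLParser

# Tags a calendar description may keep (assumption for this example).
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "a", "ul", "ol", "li", "details", "summary"}
# Attributes allowed per tag under the strict policy (assumption).
ALLOWED_ATTRS = {"a": {"href", "title"}, "details": {"open"}}
# Weak policy: the handlers the author remembered to block. ontoggle is absent.
DENIED_HANDLERS = {"onclick", "onload", "onerror", "onmouseover"}


class Sanitizer(HTMLParser):
    """Re-serialises HTML keeping only allowed tags; attribute policy is pluggable."""

    def __init__(self, keep_attr):
        super().__init__(convert_charrefs=True)
        self.keep_attr = keep_attr  # callable(tag, name, value) -> bool
        self.out = []
        self.skip = 0  # >0 while inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its inner text still flows through handle_data
        parts = [tag]
        for name, value in attrs:
            if self.keep_attr(tag, name, value):
                parts.append(f'{name}="{escape(value or "", quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

    def result(self):
        return "".join(self.out)


def weak_attr_policy(tag, name, value):
    # Deny-list: anything not explicitly denied is kept, so "ontoggle" survives.
    return name.lower() not in DENIED_HANDLERS


def strict_attr_policy(tag, name, value):
    # Allow-list per tag, plus blanket rejection of on* handlers and script URLs.
    name = name.lower()
    if name.startswith("on"):
        return False
    if name not in ALLOWED_ATTRS.get(tag, set()):
        return False
    if name == "href" and (value or "").strip().lower().startswith("javascript:"):
        return False
    return True


def sanitize(html_text, policy):
    """Run html_text through the Sanitizer with the given attribute policy."""
    parser = Sanitizer(policy)
    parser.feed(html_text)
    parser.close()
    return parser.result()


# Constructed sample modelled on the pattern the advisory describes: a <details>
# element whose ontoggle handler fires as soon as the open element renders.
PAYLOAD = '<p>Meeting notes</p><details open ontoggle="alert(1)"><summary>Agenda</summary>x</details>'

if __name__ == "__main__":
    print("weak   :", sanitize(PAYLOAD, weak_attr_policy))
    print("strict :", sanitize(PAYLOAD, strict_attr_policy))
```

The weak policy emits the ontoggle attribute unchanged; the strict policy keeps only `open` on the details element. The design point is that a sanitizer must decide what to keep, never what to drop: the set of HTML event handler attributes grows with the platform, so any deny-list is out of date the moment a tag such as <details> (with its own toggle event) is added to the allow-list.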
Proof of Concept
Attackers crafted .ICS calendar files containing embedded JavaScript payloads. Once the imported event was viewed in Zimbra's web interface, the script ran without any further click from the victim, allowing attackers to:
- Redirect emails to attacker-controlled addresses.
- Harvest sensitive data, including login credentials, emails, and contacts.
- Maintain persistent access via session cookies.
One demonstrated PoC placed the payload inside a <details ontoggle=...> tag so that the malicious logic ran silently as soon as the element was rendered.
Impact & Exploitation
Real-world exploitation of this vulnerability was reported by StrikeReady Labs, which observed spoofed emails from the Libyan Navy's Office of Protocol targeting Brazilian military personnel. The attack chain involved delivering malicious .ICS files as email attachments. Once opened, the script acted as a full-spectrum data stealer, exfiltrating:
- Webmail credentials
- Email inbox contents
- Contact lists and calendar data
- Shared folders and communication metadata
The stolen information was sent to external attacker-controlled infrastructure.
Tactics, Techniques, and Procedures
The threat actors utilized multiple techniques mapped to the MITRE ATT&CK framework:
- TA0001 – Initial Access
  - T1566.001 – Phishing: Spearphishing Attachment: malicious .ICS files delivered as attachments to spoofed emails.
- TA0002 – Execution
  - T1204 – User Execution: execution triggered when the victim opens the calendar attachment and views the event.
- TA0006 – Credential Access
  - T1539 – Steal Web Session Cookie: accessing the authenticated webmail session via stolen cookies.
- TA0009 – Collection
  - T1119 – Automated Collection: harvesting credentials, messages, contact and calendar data.
- TA0010 – Exfiltration
  - T1020 – Automated Exfiltration: sending the stolen data to attacker infrastructure.
Affected Products
- Zimbra Collaboration Suite (ZCS) versions 9.0 through 10.1, prior to the fixed releases listed under Mitigations
Mitigations
Zimbra addressed the vulnerability on January 27, 2025, in the following patch versions:
- 9.0.0 Patch 44
- 10.0.13
- 10.1.5
Zimbra’s Security Recommendations:
- Upgrade all ZCS instances to the latest patched versions.
- Review email filters for unauthorized modifications or forwarding rules.
- Inspect message stores for .ICS files containing suspicious Base64-encoded scripts.
- Monitor network traffic for connections to known attacker IPs or unusual domains.
APT Group Attribution
While direct attribution is still under investigation, researchers have observed that the tactics and infrastructure used in these attacks closely resemble those of UNC1151 (also known as Ghostwriter), a sophisticated Belarus-aligned APT group previously linked to phishing, disinformation, and espionage operations in Eastern Europe and Latin America.
The use of forged diplomatic messaging (e.g., spoofing the Libyan Navy) and socially engineered ICS-based lures aligns with UNC1151’s historical modus operandi, though no definitive link has yet been established.
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.