Cyberattackers Exploit Zimbra Zero-Day Via ICS

Summary

An unknown threat actor impersonating the Libyan Navy’s Office of Protocol used a malicious calendar (ICS) attachment to exploit a zero-day XSS vulnerability (CVE-2025-27915) in Zimbra Classic’s web client. The attack targeted the Brazilian military and delivered a multi-function JavaScript payload that stole credentials, emails, contacts and could manipulate mail filters and app-specific passwords — potentially undermining MFA protections. Zimbra released a patch in June (ZCS 10.1.9) after the exploit was observed. Researchers at StrikeReady Labs flagged the campaign as notable because it directly exploited a collaboration tool via an email attachment — a rare but highly effective tactic.

Key Points

  • Vector: Malicious ICS calendar file with embedded JavaScript exploiting an XSS bug in Zimbra Classic (CVE-2025-27915).
  • Target: Brazil’s military, via an email spoofed to appear from the Libyan Navy’s Office of Protocol.
  • Payload capabilities: credential theft, email and contact exfiltration, manipulation of mail filters, and theft of app-specific passwords and trusted-device details.
  • Operational tradecraft: multi-layer obfuscation, delayed execution and limited re-execution to evade detection, and UI hiding to reduce visible signs of compromise.
  • Impact: XSS used to hijack sessions and perform unauthorised actions — demonstrating XSS can be as damaging as RCE in real-world espionage.
  • Mitigation: Zimbra released ZCS 10.1.9 with strengthened input sanitisation; affected organisations should patch immediately and monitor for suspicious ICS attachments and unusual filter changes.

Context and Relevance

This incident highlights a worrying trend: attackers are increasingly finding high-impact ways to exploit “lesser” vulnerabilities in widely used open-source collaboration tools. Rather than compromising servers or using classic phishing, adversaries here weaponised an attachment format that many defences overlook. For organisations using Zimbra or similar webmail/collaboration suites, the event emphasises the need for timely patching, tighter inspection of calendar/ICS content, and monitoring for changes to mail rules and account settings that could indicate account takeover or data siphoning.
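As an added illustration of the "tighter inspection of calendar/ICS content" the Key Points and this paragraph call for (example code written for this page, not code from StrikeReady Labs, Zimbra or the campaign), the script below scans the property values of an ICS file for HTML and script markers before it reaches a webmail client. The article does not name the exact field Zimbra Classic failed to sanitise, so the check is deliberately generic over every property. It unfolds RFC 5545 continuation lines first, because a marker split across a folded line would slip past a scanner that only looks at raw lines; the constructed sample ICS shows that case. The sample data, pattern list and function names are assumptions for the demonstration.

```python
import re

# Constructed sample (not from the campaign): the DESCRIPTION carries an HTML
# script tag that is folded across two physical lines, as RFC 5545 allows.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//constructed sample//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-0001@example.invalid\r\n"
    "DTSTART:20250101T100000Z\r\n"
    "SUMMARY:Protocol meeting\r\n"
    "DESCRIPTION:Agenda attached.<scr\r\n"
    " ipt>void 0</script>\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Constructed benign invite for comparison.
CLEAN_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-0002@example.invalid\r\n"
    "DTSTART:20250101T100000Z\r\n"
    "SUMMARY:Protocol meeting\r\n"
    "DESCRIPTION:Agenda: review the 10:00 session.\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Markers that have no business in a calendar property value. The list is an
# assumption for this example; a production scanner would tune it to its client.
SUSPICIOUS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),           # inline event handlers
    re.compile(r"<\s*(iframe|object|embed|svg)", re.I),
]


def unfold(ics_text: str) -> list[str]:
    """Join RFC 5545 folded lines: a line starting with a space or tab
    continues the previous logical line (the leading whitespace is dropped)."""
    logical = []
    for line in ics_text.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical


def iter_properties(ics_text: str, unfold_lines: bool = True):
    """Yield (NAME, value) pairs. Parameters after ';' are ignored; a quoted
    ':' inside a parameter value is not handled, which is fine for this check."""
    lines = unfold(ics_text) if unfold_lines else ics_text.splitlines()
    for line in lines:
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        yield head.split(";", 1)[0].strip().upper(), value


def scan_ics(ics_text: str, unfold_lines: bool = True) -> list[tuple[str, str]]:
    """Return (property name, matched pattern) for every suspicious value."""
    findings = []
    for name, value in iter_properties(ics_text, unfold_lines):
        for pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(value):
                findings.append((name, pattern.pattern))
    return findings


if __name__ == "__main__":
    print("unfolded :", scan_ics(SAMPLE_ICS))
    print("raw lines:", scan_ics(SAMPLE_ICS, unfold_lines=False))
    print("clean    :", scan_ics(CLEAN_ICS))
```

Run against the sample, the unfolded pass flags the DESCRIPTION property while the raw-line pass finds nothing, which is the point of unfolding before matching. A mail gateway would apply the same check to every text/calendar part and quarantine or strip the attachment on a hit; the pattern list is a starting point, not a complete filter, and the patch in ZCS 10.1.9 remains the primary fix.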

Why should I read this?

Quick and dirty: if you run Zimbra (or manage email for an organisation), this is a wake-up call. The attackers used a sneaky calendar file to nick creds and emails, and even to pull off MFA-bypass tricks. Read it so you can patch, hunt for dodgy ICS files in your mail flow, and check whether any mail filters or app passwords have been altered. Saves you time and maybe a breach.

Author note (style)

Punchy take: this isn’t just another vuln story — it’s an example of how attackers squeeze maximum mileage from XSS and oddball vectors. If you care about protecting email and collaboration data, treat this as urgent: patch, inspect, and hunt.

Source

Source: https://www.darkreading.com/cyberattacks-data-breaches/attackers-exploit-zimbra-zero-day-ics