Application security, Email security, DevSecOps, Third-party code

Attackers exploit XXS flaw in Zimbra Collaboration Suite

A close-up of a laptop displaying an illuminated email icon with red hazard symbols, signifying security issues.

An apparent attacker earlier this year spoofed the Libyan Navy’s Office of Protocol to send a then-zero day in the Zimbra Collaboration Suite to target Brazil’s military.

In exploiting a cross-site scripting (XSS) flaw in CVE-2025-27915, the attackers leveraged a malicious .ICS file, a popular calendar format.

 Why should anybody in North America care about any of this?

According to a Sept. 30 blog by StrikeReady researchers, it’s rare for attackers to exploit Zimbra and similar open-source collaboration tools such as Roundcube (see link to Eset blog) directly over email.

“Although actors do compromise the servers in broad campaigns, and attackers frequently leverage these tools as lures, actually exploiting a vulnerability in them with an email attachment is a thread worth pulling on,” wrote the StrikeReady researchers.

Heath Renfrow, co-founder and CISO at Fenix24, explained that CVE-2025-27915 exploits the XSS flaw in Zimbra’s Classic Web Client iCalendar (.ICS) invites. Renfrow said attackers embed malicious HTML/JavaScript inside calendar fields, and when a user views the invite, unsanitized content executes in their session.

According to Renfrow, the stored XSS flaw lets attackers read mail, steal contacts and credentials, and silently create mail-forwarding filters to exfiltrate future messages.

“This isn’t a lab proof-of-concept,” said Renfrow. “It was exploited as a zero-day.”

Renfrow offers some advice for how security teams should respond:

  • Patch immediately to Zimbra 9.0.0 P44, 10.0.13, or 10.1.5 — all contain fixes for CVE-2025-27915.
  • Disable the Classic Web Client until fully patched.
  • Strip or quarantine .ics files at the mail gateway temporarily.
  • Reset sessions and credentials for users who opened suspicious invites.
  • Hunt for persistence by reviewing mail filters, forwarding rules, and delegated access.
  • Notify users to be cautious with unexpected calendar invites until remediation is complete.

You can skip this ad in 5 seconds