PT-2025-11082 · Zimbra · Zimbra Collaboration

Published: 2025-01-27 · Updated: 2025-10-16 · CVE-2025-27915

CVSS v2.0: 5.5
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Zimbra Collaboration Suite (ZCS) versions 9.0, 10.0, and 10.1. Fixed in Zimbra Collaboration Suite (ZCS) versions 9.0.0 Patch 44, 10.0.13 and 10.1.5.
Description: A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client of Zimbra Collaboration Suite (ZCS) because HTML content inside ICS (iCalendar) files is insufficiently sanitized. When a user views an email containing a malicious ICS entry, embedded JavaScript executes through an 'ontoggle' event handler on a <details> tag. This lets an attacker run arbitrary JavaScript in the victim's session, potentially leading to unauthorized actions such as redirecting emails to an attacker-controlled address and exfiltrating data. The vulnerability, tracked as CVE-2025-27915, was actively exploited in attacks targeting a Brazilian military organization, with the attackers spoofing the Libyan Navy's Protocol Office. The malicious ICS files contained Base64-obfuscated JavaScript designed to steal credentials, emails, and contacts; the exploit used asynchronous payloads and delayed execution to evade detection, manipulated email filters, and monitored user activity via the Zimbra SOAP API. The attack is estimated to have an impact comparable to remote code execution (RCE).
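A defender-side check for the ICS pattern the advisory describes, added here as an example and not part of the PT record or of Zimbra's own fix: it unfolds an iCalendar entry per RFC 5545 and then flags or strips inline event-handler attributes (ontoggle among them) from the free-text properties that can carry HTML. The set of property names scanned and the sample calendar are constructed assumptions.

```python
import re

# Any inline event-handler attribute (ontoggle, onerror, onload, ...), quoted or bare value.
EVENT_ATTR_RE = re.compile(r"""\s(on[a-zA-Z]+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""", re.IGNORECASE)
# Assumed set of free-text iCalendar properties in which HTML is commonly carried.
TEXT_PROPS = {"DESCRIPTION", "X-ALT-DESC", "SUMMARY", "LOCATION", "COMMENT"}

def unfold_ics(text: str) -> list[str]:
    """Join RFC 5545 folded lines: a line starting with a space or tab continues the previous one."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def _text_property(line: str):
    """Return (NAME, value) when the line is a scanned text property; parameters like ;FMTTYPE=text/html are dropped."""
    name, sep, value = line.partition(":")
    prop = name.split(";", 1)[0].strip().upper()
    return (prop, value) if sep and prop in TEXT_PROPS else None

def find_event_handlers(ics_text: str) -> list[tuple[str, str]]:
    """List (property, attribute) for every inline handler found in the calendar's text properties."""
    findings: list[tuple[str, str]] = []
    for line in unfold_ics(ics_text):
        parsed = _text_property(line)
        if parsed:
            findings += [(parsed[0], m.group(1).lower()) for m in EVENT_ATTR_RE.finditer(parsed[1])]
    return findings

def strip_event_handlers(ics_text: str) -> str:
    """Return the unfolded calendar with every inline handler attribute removed from text properties."""
    out = []
    for line in unfold_ics(ics_text):
        parsed = _text_property(line)
        if parsed:
            line = line[: line.index(":") + 1] + EVENT_ATTR_RE.sub("", parsed[1])
        out.append(line)
    return "\r\n".join(out) + "\r\n"

# Constructed sample, not the real attack artefact: the attribute name is split across a folded line,
# so a per-line grep for "ontoggle" would miss it while the unfolded scan catches it.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Protocol meeting\r\n"
    "X-ALT-DESC;FMTTYPE=text/html:<html><body><details open ontog\r\n"
    " gle=\"run()\">x</details></body></html>\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)
```

This is a triage heuristic for a mail gateway or for sweeping stored calendars, not a substitute for an allowlist-based HTML sanitizer in the rendering path.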
Recommendations: apply Zimbra Collaboration Suite (ZCS) 9.0.0 Patch 44, 10.0.13 or 10.1.5, whichever is the fixed release for the branch in use.

Tags: Exploit, Fix, RCE, XSS

Weakness Enumeration

Related Identifiers

BDU:2025-12561
CVE-2025-27915

Affected Products

Zimbra Collaboration