CVE-2025-27915

Zimbra ZCS — Stored XSS via ICS Calendar ontoggle Event, Zero-Day Exploited Against Brazilian Military
CVSS 3.1: 5.4 / 10 (MEDIUM). Listed in the CISA Known Exploited Vulnerabilities catalog.

What is Zimbra Collaboration Suite?

Zimbra Collaboration Suite (ZCS) is an enterprise email, calendar, and collaboration platform used by government agencies, military organisations, and enterprises globally. Its Classic Web Client not only renders HTML email bodies but also processes and displays iCalendar (ICS) files — the standard format for calendar invitations. When an email arrives with an ICS attachment, Zimbra's Classic UI parses the file's content and renders it in the browser. CVE-2025-27915 exploits the fact that the HTML content within ICS event fields is not properly sanitized before rendering — allowing an attacker to embed executable JavaScript inside a calendar invitation.

Overview

Actively Exploited — Zero-Day Against Brazilian Military. CVE-2025-27915 was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on October 7, 2025. The vulnerability was exploited as a zero-day in a sophisticated spear-phishing campaign against Brazilian military personnel whose tactics are consistent with UNC1151/Ghostwriter (a threat actor linked to Belarusian intelligence services) and related Russian-linked APT groups.

CVE-2025-27915 is a stored cross-site scripting (XSS) vulnerability in the Classic Web Client of Zimbra Collaboration Suite affecting versions 9.0, 10.0, and 10.1. The Classic Web Client fails to sanitize HTML content embedded in ICS (iCalendar) calendar files when rendering them in the browser. An attacker places a <details> HTML element with an ontoggle JavaScript event handler inside the ICS event description — when the victim views the calendar entry in the Classic UI, the script executes in the context of their authenticated Zimbra session.

Affected Versions

Status       Zimbra ZCS Version           Fixed In
Vulnerable   ZCS 9.0 prior to Patch 44    9.0.0 Patch 44
Vulnerable   ZCS 10.0 prior to 10.0.13    10.0.13
Vulnerable   ZCS 10.1 prior to 10.1.5     10.1.5

Technical Details

The vulnerability is in the ICS calendar file processing pipeline of the Zimbra Classic Web Client. When Zimbra's Classic UI receives an email containing an ICS attachment, it parses the iCalendar file and renders the event details — including description fields — as HTML in the browser. The description content is not sanitized for dangerous HTML before rendering.

The exploit payload uses an HTML5 <details> element with an ontoggle event handler:

<details open ontoggle="/* attacker JavaScript payload */">

Because the element carries the open attribute, the browser fires the toggle event as soon as it renders the <details> element, with no click from the user, and the inline ontoggle handler runs. This technique bypasses sanitizer rules that focus on <script> tags and a fixed list of common event handler attributes: ontoggle on <details> elements is a less commonly blocked vector, which is why sanitizers that strip every on* attribute rather than a known list hold up better against it.

The JavaScript payload observed in the wild was:

  • Embedded in the ICS event description field
  • Base64-encoded and obfuscated to evade signature detection
  • Over 10KB in size (indicating a fully functional information-stealing payload, not just a proof-of-concept)

Post-exploitation actions observed:

  • Creation of email forwarding filter rules with Spanish-language names (e.g., "Correo") to silently redirect all incoming mail to attacker-controlled addresses
  • Theft of the victim's webmail session credentials
  • Exfiltration of email inbox contents, contact lists, calendar data, and shared folder metadata to external attacker infrastructure

Attack characteristics:

  • Authentication required: None on the attacker side — any external sender can deliver the malicious ICS file
  • User interaction: Required — victim must open or preview the calendar entry in the Classic Web Client
  • Delivery: Email with ICS attachment — identical in appearance to a legitimate calendar invitation
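The script below is an added example written for this page (it is not Zimbra code and not StrikeReady's tooling). It implements the inbound check described above and in remediation step 5: unfold an ICS file per RFC 5545, pull the plain-text fields of each VEVENT, and flag HTML tags and inline on* event-handler attributes. It matches any on*= attribute instead of a fixed list of handlers, which is the generalisation that catches ontoggle where a denylist of onclick/onerror-style names would not. The sample invitation, its UIDs and the placeholder() handler body are constructed for the example and are not the observed payload.

```python
import re
from typing import Dict, List

# Constructed sample (not a real capture): one benign event and one whose
# DESCRIPTION carries the <details open ontoggle> pattern. The handler body is
# a harmless placeholder, not the payload seen in the campaign.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//Constructed Sample//EN",
    "BEGIN:VEVENT",
    "UID:benign-1@example.invalid",
    "SUMMARY:Quarterly planning",
    "DESCRIPTION:Agenda attached. Please confirm attendance\\, thanks.",
    "END:VEVENT",
    "BEGIN:VEVENT",
    "UID:suspect-1@example.invalid",
    "SUMMARY:Office of Protocol meeting",
    'DESCRIPTION:<details open ontoggle="placeholder()"><summary>Invitation</summary>',
    " see attachment</details>",   # folded continuation line (leading space)
    "END:VEVENT",
    "END:VCALENDAR",
])

# Fields that are defined as plain text; any markup in them is out of place.
# X-ALT-DESC is deliberately excluded: it carries HTML by design and needs a
# real sanitizer, not a tag scan.
TEXT_FIELDS = ("SUMMARY", "DESCRIPTION", "LOCATION", "COMMENT")

PROP_RE = re.compile(r"^([A-Za-z0-9-]+)(?:;[^:]*)?:(.*)$")   # NAME;PARAMS:VALUE
TAG_RE = re.compile(r"</?([a-zA-Z][a-zA-Z0-9-]*)(?=[\s/>])")  # any HTML tag name
HANDLER_RE = re.compile(r"\b(on[a-z]+)\s*=", re.IGNORECASE)   # any on*= attribute
_UNESCAPE = {"\\n": "\n", "\\N": "\n", "\\,": ",", "\\;": ";", "\\\\": "\\"}


def unfold(ics_text: str) -> List[str]:
    """Join RFC 5545 folded lines: a line starting with SPACE/TAB continues the previous one."""
    lines: List[str] = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def unescape(value: str) -> str:
    """Undo iCalendar text escaping (\\n, \\, \\; and \\\\)."""
    return re.sub(r"\\[nN,;\\]", lambda m: _UNESCAPE[m.group(0)], value)


def parse_events(ics_text: str) -> List[Dict[str, str]]:
    """Return one dict of property name -> unescaped value per VEVENT."""
    events: List[Dict[str, str]] = []
    current = None
    for line in unfold(ics_text):
        m = PROP_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).upper(), m.group(2)
        if name == "BEGIN" and value.upper() == "VEVENT":
            current = {}
        elif name == "END" and value.upper() == "VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None:
            current[name] = unescape(value)
    return events


def scan_ics(ics_text: str) -> List[Dict[str, str]]:
    """One finding per indicator: an inline event handler is a strong signal,
    any HTML tag in a plain-text field is worth a look."""
    findings: List[Dict[str, str]] = []
    for event in parse_events(ics_text):
        uid = event.get("UID", "<no uid>")
        for field in TEXT_FIELDS:
            value = event.get(field, "")
            for handler in HANDLER_RE.findall(value):
                findings.append({"uid": uid, "field": field,
                                 "kind": "event-handler", "detail": handler.lower()})
            for tag in TAG_RE.findall(value):
                findings.append({"uid": uid, "field": field,
                                 "kind": "html-tag", "detail": tag.lower()})
    return findings


if __name__ == "__main__":
    for f in scan_ics(SAMPLE_ICS):
        print(f"{f['uid']}: {f['kind']} '{f['detail']}' in {f['field']}")
```

Run it against a directory of quarantined invitations by reading each file into scan_ics; the benign event above yields nothing, while the second event produces an event-handler finding for ontoggle and html-tag findings for details and summary, which is the combination worth escalating.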

Discovery and Attribution

CVE-2025-27915 was reported by StrikeReady Labs, which discovered the active exploitation campaign against Brazilian military targets. The campaign delivered ICS files via spear-phishing emails originating from 193.29.58.37, with messages spoofing the Libyan Navy's Office of Protocol — a social engineering lure designed to appear as a legitimate international military communication to Brazilian armed forces personnel.

Multiple security researchers noted that the tactics, techniques, and procedures (TTPs) observed in the campaign closely mirror those of UNC1151 (also tracked as Ghostwriter and attributed to Belarusian intelligence services). UNC1151 has a documented history of credential theft via webmail XSS exploitation and of targeting government and military organisations in Eastern Europe and Latin America. The use of Spanish-language filter rule names ("Correo") is consistent with targeting Brazilian (Portuguese-speaking) and broader Latin American targets.

Exploitation Context

CVE-2025-27915 represents an expansion of the Zimbra XSS threat cluster from its traditional European government focus (Greece, Moldova, Tunisia, Ukraine) to Latin American military targets. The Brazilian military maintains Zimbra deployments, and its personnel communicate with international military partners — making ICS calendar invitations from foreign military sources a plausible and low-suspicion delivery vector.

The ICS injection technique — using <details ontoggle> — demonstrates that threat actors actively research and develop new HTML event handler bypasses as sanitizer rules catch previously used vectors. CVE-2025-27915 shares the structural pattern with CVE-2022-24682 (Calendar XSS, 2022), CVE-2024-27443 (calendar header XSS, 2024), and the CSS @import XSS variants (CVE-2025-48700, CVE-2025-66376): different bypass techniques against the same Classic UI HTML rendering pipeline.

Remediation

  1. Upgrade to ZCS 9.0.0 Patch 44, 10.0.13, or 10.1.5 to apply the fix for CVE-2025-27915.
  2. Disable or restrict ICS file rendering for external senders if operationally feasible. Organisations that do not require external calendar invitations to be automatically rendered in the browser can configure mail rules to quarantine or strip ICS attachments from untrusted senders.
  3. Migrate high-value users to the Modern UI (Iris) — all confirmed exploitation of this CVE targeted the Classic Web Client. Modern UI uses a different rendering pipeline and is not affected.
  4. Hunt for created email filter rules — check Zimbra accounts for unexpected inbox filter rules, particularly those that forward all email to external addresses. Rules with unusual names (especially foreign-language names unexpected for the user's context) are indicators of CVE-2025-27915 exploitation.
  5. Review inbound ICS files from external senders for <details>, <summary>, and other less common HTML tags in event description fields — these are indicators of payload delivery.
  6. Consult StrikeReady Labs' indicators of compromise for the IPs and domains associated with the Brazilian military targeting campaign for retrospective hunting.
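As an added example for remediation step 4 (not Zimbra tooling and not from the StrikeReady report), the Python below performs the filter-rule hunt offline. It takes an account's Sieve script as returned by zmprov ga <account> zimbraMailSieveScript, attributes each redirect action to the preceding "# name" comment (the convention Zimbra uses to label rules, treated here as an assumption), and flags redirects to any domain outside the organisation, noting when the rule's condition matches all mail. The zmprov output, account, domains, rule bodies and addresses are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

ATTR = "zimbraMailSieveScript"

# Constructed zmprov output (not a real account). The layout assumed is the
# usual "# name <account>" header line followed by "attr: value".
SAMPLE_ZMPROV_OUTPUT = """# name alice@corp.invalid
zimbraMailSieveScript: require ["fileinto", "copy"];

# Newsletters
if anyof (header :contains ["subject"] "newsletter") {
    fileinto "Newsletters";
    stop;
}

# Correo
if anyof (true) {
    redirect :copy "collector@external.invalid";
    stop;
}

# Team forwarding
if anyof (header :contains ["to"] "team") {
    redirect "bob@corp.invalid";
    stop;
}
"""

RULE_NAME_RE = re.compile(r"^\s*#\s*(.+?)\s*$")
REDIRECT_RE = re.compile(r'\bredirect\b(?:\s+:copy)?\s+"([^"]+)"', re.IGNORECASE)
CATCH_ALL_RE = re.compile(r"\b(?:anyof|allof)\s*\(\s*true\s*\)", re.IGNORECASE)


def sieve_from_zmprov(output: str) -> str:
    """Return the attribute value, i.e. everything after 'zimbraMailSieveScript: '."""
    marker = ATTR + ": "
    pos = output.find(marker)
    return output[pos + len(marker):] if pos >= 0 else ""


def extract_redirects(sieve: str) -> List[Dict[str, object]]:
    """Walk the script line by line, remembering the last '# name' comment as
    the current rule and whether that rule's condition is a catch-all, and
    record every redirect action with its destination."""
    results: List[Dict[str, object]] = []
    rule_name = "<unnamed>"
    catch_all = False
    for line in sieve.splitlines():
        m = RULE_NAME_RE.match(line)
        if m:
            rule_name, catch_all = m.group(1), False
            continue
        if CATCH_ALL_RE.search(line):
            catch_all = True
        for target in REDIRECT_RE.findall(line):
            results.append({"rule": rule_name, "target": target, "catch_all": catch_all})
    return results


def hunt(account: str, sieve: str, internal_domains: Iterable[str]) -> List[Dict[str, object]]:
    """Flag every redirect whose destination domain is not one of ours."""
    internal = {d.lower() for d in internal_domains}
    findings: List[Dict[str, object]] = []
    for r in extract_redirects(sieve):
        domain = str(r["target"]).rsplit("@", 1)[-1].lower()
        if domain not in internal:
            reason = "redirect to external domain"
            if r["catch_all"]:
                reason += ", rule matches all mail"
            findings.append({"account": account, "rule": r["rule"],
                             "target": r["target"], "catch_all": r["catch_all"],
                             "reason": reason})
    return findings


if __name__ == "__main__":
    script = sieve_from_zmprov(SAMPLE_ZMPROV_OUTPUT)
    for f in hunt("alice@corp.invalid", script, ["corp.invalid"]):
        print(f"{f['account']}: rule '{f['rule']}' -> {f['target']} ({f['reason']})")
```

In practice, loop over the accounts from zmprov -l gaa, fetch the attribute for each, and feed it to hunt with the organisation's mail domains; the internal "Team forwarding" rule above is left alone, while the catch-all "Correo" rule forwarding to an external address is reported, which is exactly the post-exploitation artefact described in the Technical Details section.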

Key Details

Property              Value
CVE ID                CVE-2025-27915
Vendor / Product      Synacor — Zimbra Collaboration Suite (ZCS)
NVD Published         2025-03-12
NVD Last Modified     2025-11-04
CVSS 3.1 Score        5.4
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Severity              MEDIUM
CWE                   CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CISA KEV Added        2025-10-07
CISA KEV Deadline     2025-10-28
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   Low
User Interaction      Required
Scope                 Changed
Confidentiality       Low
Integrity             Low
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2025-10-28. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-01-01   Active zero-day exploitation begins; spear-phishing campaign delivers malicious ICS files spoofing the Libyan Navy against Brazilian military personnel
2025-01-27   Zimbra releases fix: ZCS 9.0.0 Patch 44, 10.0.13, and 10.1.5
2025-03-12   CVE-2025-27915 published at NVD
2025-10-07   Added to CISA Known Exploited Vulnerabilities catalog
2025-10-28   CISA BOD 22-01 remediation deadline