Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1826+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Zimbra Urges Customers to Patch Critical Web Client XSS Flaw Exploited in the Wild
Zimbra Urges Customers to Patch Critical Web Client XSS Flaw Exploited in the Wild
NEWS

Zimbra Urges Customers to Patch Critical Web Client XSS Flaw Exploited in the Wild

CVE-2025-27915, a stored XSS vulnerability in Zimbra's Classic Web Client, was exploited as a zero-day before public disclosure. Attackers used malicious ICS calendar files to hijack email sessions and exfiltrate data. CISA has added it to the KEV catalog.

Dylan H.

News Desk

July 10, 2026
3 min read

Zimbra is urging all customers running its Collaboration Suite to apply security patches immediately after a critical stored cross-site scripting (XSS) vulnerability was discovered being actively exploited in targeted attacks. The flaw, tracked as CVE-2025-27915 with a CVSS score of 5.4, allowed attackers to hijack authenticated Zimbra sessions through a cleverly crafted calendar file.

The Vulnerability

The flaw resides in the Zimbra Collaboration Suite (ZCS) Classic Web Client and stems from insufficient sanitization of HTML content embedded in ICS calendar files. Attackers craft malicious .ics entries that deliver JavaScript via an ontoggle event handler inside a <details> HTML tag.

When a targeted user opens the malicious calendar invite through the Classic UI, the embedded script executes within their authenticated session, enabling:

  • Session hijacking — stealing session tokens for persistent access
  • Email filter manipulation — creating silent redirect rules to exfiltrate incoming messages
  • Data exfiltration — access to emails, contacts, shared folders, and credentials stored in the webmail client

Exploited as a Zero-Day

The vulnerability was exploited in the wild before public disclosure, making it a zero-day at time of attack. Threat actors spoofed communications from Libya's Office of Protocol — the official diplomatic protocol office of the Libyan Navy — to target the Brazilian military.

The tactics, techniques, and procedures observed bear similarities to UNC1151, also known as the Ghostwriter APT — a threat group with Belarus state alignment known for information operations and credential theft. Researchers stopped short of definitive attribution.

CISA Response

CISA added CVE-2025-27915 to its Known Exploited Vulnerabilities (KEV) catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to apply patches by April 1, 2026 under Binding Operational Directive 22-01.

Affected Versions and Patches

VersionFix Available In
ZCS 9.0.0Patch 44 or later
ZCS 10.0.xVersion 10.0.13 or later
ZCS 10.1.xVersion 10.1.5 or later

All patches were made available in January 2025 or later. Organizations still running unpatched versions have been exposed for an extended period.

Mitigations

For organizations that cannot immediately patch, Zimbra recommends:

  1. Disable the Classic Web Client and force users to the Modern Web Client, which does not have the same ICS rendering path
  2. Deploy WAF rules to strip suspicious HTML attributes (specifically ontoggle handlers) from ICS attachments before they reach end-users
  3. Monitor for anomalous email filter changes that could indicate session hijacking

Given that Zimbra is widely deployed in government agencies, military organizations, and enterprises globally, organizations should treat this as a high-priority patch regardless of the moderate CVSS score — active exploitation by a likely state-aligned actor significantly elevates real-world risk.

#zimbra#xss#cve-2025-27915#cisa-kev#zero-day#email-security#patch

Related Articles

China and India Ran Separate Spying Campaigns Against the Same Pakistani Police Force

SentinelOne Labs uncovered parallel nation-state espionage operations by China-linked and India-linked threat actors targeting Pakistani law enforcement, compromising biometric data, criminal records, and personnel files.

3 min read

From 17,000 to 1.1 Million Assets: How Lumen Technologies Rebuilt Exposure Management

Lumen Technologies discovered it had 60x more assets than previously known after consolidating 40+ disconnected inventory systems with Axonius. The revelation drove a 10x security investment increase and a cloud migration decision.

3 min read

Microsoft Reins in RoguePlanet Zero-Day After Public PoC Release

Researcher 'Nightmare-Eclipse' published a proof-of-concept exploit for a Windows Defender vulnerability in early June after dropping several other Microsoft zero-days — Microsoft has since contained the RoguePlanet threat with a security update.

4 min read
Back to all News