Zimbra is urging all customers running its Collaboration Suite to apply security patches immediately after a critical stored cross-site scripting (XSS) vulnerability was discovered being actively exploited in targeted attacks. The flaw, tracked as CVE-2025-27915 with a CVSS score of 5.4, allowed attackers to hijack authenticated Zimbra sessions through a cleverly crafted calendar file.
The Vulnerability
The flaw resides in the Zimbra Collaboration Suite (ZCS) Classic Web Client and stems from insufficient sanitization of HTML content embedded in ICS calendar files. Attackers craft malicious .ics entries that deliver JavaScript via an ontoggle event handler inside a <details> HTML tag.
When a targeted user opens the malicious calendar invite through the Classic UI, the embedded script executes within their authenticated session, enabling:
- Session hijacking — stealing session tokens for persistent access
- Email filter manipulation — creating silent redirect rules to exfiltrate incoming messages
- Data exfiltration — access to emails, contacts, shared folders, and credentials stored in the webmail client
Exploited as a Zero-Day
The vulnerability was exploited in the wild before public disclosure, making it a zero-day at time of attack. Threat actors spoofed communications from Libya's Office of Protocol — the official diplomatic protocol office of the Libyan Navy — to target the Brazilian military.
The tactics, techniques, and procedures observed bear similarities to UNC1151, also known as the Ghostwriter APT — a threat group with Belarus state alignment known for information operations and credential theft. Researchers stopped short of definitive attribution.
CISA Response
CISA added CVE-2025-27915 to its Known Exploited Vulnerabilities (KEV) catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to apply patches by April 1, 2026 under Binding Operational Directive 22-01.
Affected Versions and Patches
| Version | Fix Available In |
|---|---|
| ZCS 9.0.0 | Patch 44 or later |
| ZCS 10.0.x | Version 10.0.13 or later |
| ZCS 10.1.x | Version 10.1.5 or later |
All patches were made available in January 2025 or later. Organizations still running unpatched versions have been exposed for an extended period.
Mitigations
For organizations that cannot immediately patch, Zimbra recommends:
- Disable the Classic Web Client and force users to the Modern Web Client, which does not have the same ICS rendering path
- Deploy WAF rules to strip suspicious HTML attributes (specifically
ontogglehandlers) from ICS attachments before they reach end-users - Monitor for anomalous email filter changes that could indicate session hijacking
Given that Zimbra is widely deployed in government agencies, military organizations, and enterprises globally, organizations should treat this as a high-priority patch regardless of the moderate CVSS score — active exploitation by a likely state-aligned actor significantly elevates real-world risk.