CISA adds Zimbra Collaboration Suite bug to known exploited vulnerability catalogue

CVE-2025-27915 was used earlier this year to target the Brazilian military in a data theft attempt.


The United States Cybersecurity and Infrastructure Security Agency (CISA) has added one new vulnerability to its Known Exploited Vulnerabilities catalogue, a pleasant change from recent additions of five at a time.

The new vulnerability, CVE-2025-27915, is a cross-site scripting (XSS) flaw in the classic web client of the Zimbra Collaboration Suite, caused by insufficient sanitisation of HTML content in ICS calendar files.

“When a user views an email message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag,” the CVE listing said.

“This allows an attacker to run arbitrary JavaScript within the victim’s session, potentially leading to unauthorised actions such as setting email filters to redirect messages to an attacker-controlled address.”

This can lead to an attacker redirecting emails from a specific account or exfiltrating data directly.
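As an added illustration of the defensive side of the mechanism described above (this is not code from the article, CISA, Zimbra or StrikeReady), the following Python script unfolds an iCalendar attachment, pulls out the text properties a web client might render, flags markup that would execute script if rendered as HTML (event-handler attributes such as ontoggle, javascript: URLs, script-like elements), and shows the hardened alternative of rendering such values as plain text only. The sample ICS data, the UIDs and the ALTREP value are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Constructed sample iCalendar attachment (not taken from the article): the first
# event's DESCRIPTION carries HTML with an event-handler attribute and is folded
# across two lines as RFC 5545 allows; the second event is plain text.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//constructed sample//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:evt-1@example.invalid\r\n"
    "SUMMARY:Quarterly review\r\n"
    "DESCRIPTION;ALTREP=\"CID:part1.example\":<details ontoggle=\"x()\">Age\r\n"
    " nda</details> see attached\\, thanks\r\n"
    "END:VEVENT\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:evt-2@example.invalid\r\n"
    "SUMMARY:Lunch\r\n"
    "DESCRIPTION:Plain text only\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Free-text properties a mail client may display, and elements that have no
# business in a calendar description.
TEXT_PROPERTIES = {"DESCRIPTION", "SUMMARY", "LOCATION", "COMMENT", "X-ALT-DESC"}
DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "svg", "math"}


def unfold(ics: str) -> list[str]:
    """Join folded content lines (a line break followed by a space or tab)."""
    joined = re.sub(r"\r?\n[ \t]", "", ics)
    return [line for line in re.split(r"\r?\n", joined) if line]


def parse_property(line: str) -> tuple[str, str]:
    """Split 'NAME;PARAM="a:b":value' into (NAME, value); the separator is the
    first ':' that is not inside a double-quoted parameter value."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i].split(";", 1)[0].upper(), line[i + 1:]
    return line.upper(), ""


def unescape_text(value: str) -> str:
    """Undo RFC 5545 TEXT escaping (\\n, \\, \\; and \\\\)."""
    return re.sub(r"\\([\\;,nN])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)


class ActiveContentFinder(HTMLParser):
    """Records markup that would run script if the value were rendered as HTML.
    HTMLParser lower-cases tag and attribute names, so <DETAILS ONTOGGLE> is
    caught as well."""

    def __init__(self):
        super().__init__()
        self.reasons: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            self.reasons.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.reasons.append(f"event handler '{name}' on <{tag}>")
            elif value and value.strip().lower().startswith("javascript:"):
                self.reasons.append(f"javascript: URL in '{name}' on <{tag}>")

    handle_startendtag = handle_starttag


def find_active_content(value: str) -> list[str]:
    finder = ActiveContentFinder()
    finder.feed(value)
    finder.close()
    return finder.reasons


class TextOnly(HTMLParser):
    """Keeps character data only, dropping every tag and attribute."""

    def __init__(self):
        super().__init__()
        self.parts: list[str] = []

    def handle_data(self, data):
        self.parts.append(data)


def sanitise_text(value: str) -> str:
    """Hardened rendering: treat the value as plain text by discarding all markup.
    The result must still be HTML-escaped when inserted into a page."""
    extractor = TextOnly()
    extractor.feed(value)
    extractor.close()
    return "".join(extractor.parts)


def scan_ics(ics: str) -> list[dict]:
    """Walk every VEVENT and report text properties that contain active HTML."""
    findings, uid, pending = [], None, []
    for line in unfold(ics):
        name, raw_value = parse_property(line)
        if name == "BEGIN" and raw_value.upper() == "VEVENT":
            uid, pending = None, []
        elif name == "UID":
            uid = raw_value
        elif name in TEXT_PROPERTIES:
            reasons = find_active_content(unescape_text(raw_value))
            if reasons:
                pending.append((name, reasons))
        elif name == "END" and raw_value.upper() == "VEVENT":
            findings.extend({"uid": uid, "property": p, "reasons": r} for p, r in pending)
    return findings


if __name__ == "__main__":
    for f in scan_ics(SAMPLE_ICS):
        print(f"{f['uid']}: {f['property']} -> {', '.join(f['reasons'])}")
```

Run against a mail gateway's quarantined text/calendar parts, the scan gives a simple detection signal for attachments of this shape; on the rendering side, the plain-text path is the safe default, since a calendar description has no need of HTML at all.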

Zimbra actually addressed this vulnerability back in June this year, when a trio of patches was released; however, it appears at least one threat actor was taking advantage of it as early as April 2025.

“Earlier in 2025, an apparent sender from 193.29.58.37 spoofed the Libyan Navy’s Office of Protocol to send a then-zero-day exploit in Zimbra’s Collaboration Suite, CVE-2025-27915, targeting Brazil’s military,” cyber security firm StrikeReady said in a 30 September blog post.

“This leveraged a malicious .ICS file, a popular calendar format.”

The .ICS file in question contained a JavaScript payload that StrikeReady called a “comprehensive data stealer targeting Zimbra Webmail”, which was designed to exfiltrate data such as credentials, emails, and contacts; evade detection; and monitor the activity of the targeted user.

“The exploitation of Zimbra, Roundcube, and similar open-source collaboration tools, directly over email, is rare,” StrikeReady said.

“Although actors do compromise the servers in broad campaigns, and attackers frequently leverage these tools as lures, actually exploiting a vulnerability in them with an email attachment is a thread worth pulling on.”

If you use Zimbra Collaboration Suite and haven’t already patched, doing so immediately is well worth it.

David Hollingworth


David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
