

Ethical Hacking News

Zimbra Zero-Day Exploitation: A Malicious iCalendar File Campaign


Recently discovered zero-day exploitation targeting Zimbra Collaboration Suite has shed light on the sophistication and stealth of modern cyber threats.

  • Zero-day vulnerability in Zimbra Collaboration Suite (ZCS) allows arbitrary JavaScript execution within a user's session.
  • Malicious iCalendar file attachments are the primary vector of exploitation, allowing attackers to execute code and steal data.
  • Attackers use obfuscated Base64-encoded JavaScript code to steal credentials, emails, contacts, and shared folders from Zimbra Webmail.
  • The attack executes asynchronously within IIFEs, minimizing user interaction and increasing stealth.
  • A 60-second delay followed by a 3-day execution gate helps evade detection.
  • Researchers suspect a connection to UNC1151 - a threat group linked to the Belarusian government - but cannot attribute the attack with high confidence.
  • Zimbra recommends updating to the latest patch, reviewing mail filters, and monitoring network activity for unusual connections.



    The cybersecurity landscape has witnessed numerous sophisticated attacks against prominent email and collaboration platforms in recent times. One such instance of zero-day exploitation has recently come to light, focusing on the Zimbra Collaboration Suite (ZCS). The vulnerability, identified as CVE-2025-27915, stems from insufficient sanitization of HTML content in iCalendar (.ICS) files, which lets a threat actor execute arbitrary JavaScript within a victim's session. In this article, we will delve into the specifics of this attack campaign and explore its implications for organizations utilizing ZCS.

    Researchers have detected a persistent pattern of attacks targeting Zimbra Collaboration Suite, leveraging malicious iCalendar file attachments as the primary vector of exploitation. These attacks began at the beginning of January, preceding the release of a patch by Zimbra on January 27. The vulnerability in question allows attackers to execute arbitrary JavaScript within the victim's session, enabling them to set filters that redirect messages to themselves.

    A recent report from StrikeReady, a company specializing in AI-driven security operations and threat management, sheds light on the malicious iCalendar files used in these attacks. These files were found to contain obfuscated Base64-encoded JavaScript code. Upon deobfuscation, researchers discovered that the payload is designed to steal data from Zimbra Webmail, including credentials, emails, contacts, and shared folders.

    The malicious code executes asynchronously within various Immediately Invoked Function Expressions (IIFEs), allowing it to perform a range of actions without requiring user interaction. These actions include creating hidden username/password fields, stealing credentials from login forms, monitoring user activity, logging out inactive users, utilizing the Zimbra SOAP API to search folders and retrieve emails, sending email content to attackers, adding filters to forward mail to Proton addresses, collecting authentication and backup artifacts for exfiltration, and exfiltrating contacts, distribution lists, and shared folders.

    The malicious code waits 60 seconds before executing and then enforces a 3-day execution gate: it runs again only if at least three days have passed since its last run, thereby minimizing the likelihood of detection. Furthermore, the attackers employed a technique to hide user interface (UI) elements and reduce visual cues associated with the malicious activity.

    Researchers from StrikeReady noted that while they could not attribute this attack to any known threat group with high confidence, they observed similar tactics, techniques, and procedures (TTPs) in attacks attributed to UNC1151 - a threat group linked to the Belarusian government. The researchers also noted that certain attackers possess knowledge of zero-day vulnerabilities in widely used products, including those found within ZCS.

    In response to this incident, BleepingComputer contacted Zimbra with questions regarding the exploitation activity. In their response, the company stated that based on their data, the exploitation does not appear to be widespread. Zimbra nonetheless recommended several security measures for users, such as reviewing existing mail filters for unauthorized changes, ensuring their ZCS installation is updated to the latest patch, and monitoring network activity for unusual or suspicious connections.
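    One way to act on Zimbra's advice to review existing mail filters, as an added example that is not from the article or from Zimbra: a script that scans a user's Sieve filter rules (Zimbra stores these in the account's zimbraMailSieveScript attribute) and flags every redirect action whose target lies outside the organisation's own domains, the pattern this campaign used to forward mail to attacker-controlled addresses. The sample script, rule names and addresses below are constructed, and the set of organisation domains is a placeholder for your own.

```python
"""Audit a Zimbra user's Sieve filter script for redirects to external addresses."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of a Zimbra per-user Sieve script (Zimbra keeps
# these in the zimbraMailSieveScript attribute). Rule names and addresses are made up.
SAMPLE_SIEVE = """require ["fileinto", "reject", "tag", "flag"];

# Newsletters
if anyof (header :contains "subject" "newsletter") {
    fileinto "Newsletters";
    stop;
}

# Correspondence
if anyof (header :matches "from" "*") {
    redirect "collector-example@proton.me";
    stop;
}

# Team copy
if anyof (address :is "to" "team@example.org") {
    redirect "archive@example.org";
}
"""

RULE_NAME_RE = re.compile(r"^\s*#\s*(.+?)\s*$")       # Zimbra writes the rule name as a comment
REDIRECT_RE = re.compile(r'^\s*redirect(?:\s+:copy)?\s+"([^"]+)"\s*;')


@dataclass(frozen=True)
class Finding:
    rule: str
    target: str
    external: bool


def audit_sieve(script: str, org_domains: set[str]) -> list[Finding]:
    """Return one Finding per redirect action, marking targets outside org_domains."""
    findings, current_rule = [], "<unnamed>"
    for line in script.splitlines():
        name = RULE_NAME_RE.match(line)
        if name:
            current_rule = name.group(1)
            continue
        redirect = REDIRECT_RE.match(line)
        if redirect:
            target = redirect.group(1)
            domain = target.rsplit("@", 1)[-1].lower()
            findings.append(Finding(current_rule, target, domain not in org_domains))
    return findings


def external_redirects(script: str, org_domains: set[str]) -> list[Finding]:
    """Only the redirects that leave the organisation; these warrant a closer look."""
    return [f for f in audit_sieve(script, org_domains) if f.external]


if __name__ == "__main__":
    for f in external_redirects(SAMPLE_SIEVE, {"example.org"}):  # placeholder domain set
        print(f"SUSPECT rule {f.rule!r} redirects mail to {f.target}")
```

    Run it over the attribute value pulled for each account; an internal redirect is reported but not flagged, so only rules that ship mail off-domain need manual confirmation.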

    In conclusion, this malicious iCalendar file campaign highlights the importance of vigilance in maintaining the security posture of organizations utilizing Zimbra Collaboration Suite. As threat actors continually seek out vulnerabilities to exploit, it is crucial that organizations remain proactive in securing their systems against such attacks.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/Zimbra-Zero-Day-Exploitation-A-Malicious-iCalendar-File-Campaign-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/hackers-exploited-zimbra-flaw-as-zero-day-using-icalendar-files/


  • Published: Mon Oct 6 10:20:47 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News. All rights reserved.