Security Affairs

Zimbra users targeted in zero-day exploit using iCalendar attachments

Threat actors exploited a Zimbra zero-day via malicious iCalendar (.ICS) files used to deliver attacks through calendar attachments.

StrikeReady researchers discovered that threat actors exploited the vulnerability CVE-2025-27915 in Zimbra Collaboration Suite in zero-day attacks using malicious iCalendar (.ICS) files. These files, used to share calendar data, were weaponized to deliver JavaScript payloads to targeted systems earlier this year.

CVE-2025-27915 is a stored cross-site scripting (XSS) flaw in Zimbra Collaboration Suite (versions 9.0–10.1) caused by improper sanitization of HTML content in ICS files. When a victim opens an email carrying a malicious ICS entry, JavaScript executes via an ontoggle event handler, allowing attackers to hijack sessions, set email redirects, and exfiltrate data.

“Earlier in 2025, an apparent sender from 193.29.58.37 spoofed the Libyan Navy’s Office of Protocol to send a then-zero-day exploit in Zimbra’s Collaboration Suite, CVE-2025-27915, targeting Brazil’s military. This leveraged a malicious .ICS file, a popular calendar format.” reads the report published by StrikeReady.

The researchers discovered the attacks while analyzing ICS files larger than 10 KB that contained embedded obfuscated JavaScript.
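As an added example (not code from the StrikeReady report or from Zimbra), the following Python triage helper applies the two cues the article gives for hunting these files: a size above 10 KB and HTML/JavaScript markers such as an ontoggle handler inside calendar text properties. It unfolds RFC 5545 line continuations first, since a long payload is split across folded lines; the marker list, the 10 KB cut-off and the sample .ics documents are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# Markup that has no business inside a calendar file. ontoggle is the handler
# named in the CVE-2025-27915 reporting; the rest are generic HTML/JS markers.
MARKERS = re.compile(
    r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:details|iframe)\b",
    re.IGNORECASE,
)
SIZE_THRESHOLD = 10 * 1024  # the researchers' 10 KB triage cut-off (assumed)

def unfold(ics: str) -> List[str]:
    """Undo RFC 5545 line folding (CRLF + space/tab continues the line).
    Smuggled payloads are split this way, so scan only after unfolding."""
    lines: List[str] = []
    for raw in ics.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def scan_ics(ics: str) -> Dict[str, object]:
    """Flag text properties carrying HTML/JS markers; report size as well."""
    hits: List[str] = []
    for line in unfold(ics):
        name, _, value = line.partition(":")
        prop = name.split(";", 1)[0].upper()  # strip parameters (;FMTTYPE=...)
        hits += [f"{prop}: {m.group(0)}" for m in MARKERS.finditer(value)]
    size = len(ics.encode("utf-8"))
    return {"bytes": size, "oversized": size > SIZE_THRESHOLD,
            "markers": hits, "suspicious": bool(hits)}

# Constructed samples (not real attack data). The second folds the handler
# name across two lines and carries an inert value.
BENIGN_ICS = ("BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
              "SUMMARY:Staff meeting\r\nDESCRIPTION:Agenda on the shared drive\r\n"
              "END:VEVENT\r\nEND:VCALENDAR\r\n")
SUSPECT_ICS = ("BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
               "SUMMARY:Protocol update\r\n"
               "X-ALT-DESC;FMTTYPE=text/html:<details open ontog\r\n"
               " gle=\"void 0\">see attached</details>\r\n"
               "END:VEVENT\r\nEND:VCALENDAR\r\n")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_ICS), ("suspect", SUSPECT_ICS)):
        print(label, scan_ics(doc))
```

Without the unfolding step the folded sample would be missed, because "ontog" and "gle=" never appear together on one raw line.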

The malicious script targets Zimbra Webmail, stealing credentials, emails, contacts, and shared folders. It exfiltrates data to ffrk.net and uses multiple evasion techniques: the code delays its execution by 60 seconds, limits full activity to a three-day window, hides UI clues, and logs out idle users to enable data theft. The researchers also found that the script runs asynchronously, split across multiple Immediately Invoked Function Expressions (IIFEs).

Below are the functions supported by the malware:

  • Injects concealed form fields to capture usernames and passwords without visible UI indicators.
  • Exfiltrates credentials entered into authentication forms.
  • Tracks input activity (mouse/keyboard) and, if the user goes idle, terminates the session to enable data theft.
  • Queries the Zimbra SOAP API to enumerate folders and pull email messages.
  • Periodically (every ~4 hours) uploads captured email content to the attacker’s server.
  • Installs a mail-forwarding rule titled “Correo” that redirects messages to a ProtonMail address.
  • Gathers authentication artifacts and backup tokens and sends them to the attacker.
  • Extracts address books, distribution lists and items from shared folders.
  • Delays its payload by 60 seconds after injection to evade quick detection.
  • Restricts full activity to a three-day operational window before requiring a cooldown period.
  • Obscures or removes interface elements to minimize visual signs of compromise.
  • Operates asynchronously in multiple self-contained code blocks to fragment execution and complicate analysis.

StrikeReady couldn’t attribute the attack to a specific group, but pointed out that only a few well-resourced actors have the capabilities to carry out zero-day attacks. The researchers observed TTPs similar to those tied to the Belarusian APT group UNC1151.

Pierluigi Paganini

(SecurityAffairs – hacking, Zimbra zero-day)