
Zimbra Zero-Day Hidden in “Harmless” ICS File Targets Military

Red | Vulnerability Report

Summary

In early 2025, an unidentified threat actor impersonating the Libyan Navy’s Office of Protocol launched a sophisticated cyberattack against Brazil’s military, exploiting a zero-day vulnerability (CVE-2025-27915) in Zimbra Collaboration Suite (ZCS). The campaign weaponized a seemingly benign ICS (iCalendar) file containing malicious JavaScript, which executed upon viewing, enabling attackers to steal credentials, manipulate email communications, and exfiltrate sensitive data.

This vulnerability marks one of the first known instances of a zero-day exploit embedded in calendar files within open-source collaboration software. The flaw affects Zimbra versions 9.0, 10.0, and 10.1, allowing cross-site scripting (XSS) via improperly sanitized HTML in ICS files. Once exploited, the malicious script executes arbitrary code within the victim’s browser session.

The attack underscores a growing trend of stealthy social engineering in targeted operations, particularly those directed at military and government entities using widely deployed open-source systems.


Vulnerability Details

The zero-day vulnerability CVE-2025-27915 is a stored cross-site scripting (XSS) flaw that enables arbitrary code execution in the Classic Web Client of Zimbra Collaboration Suite.

Attackers distributed malicious ICS attachments via spear-phishing emails disguised as calendar invites from legitimate sources. The payload exploited an ontoggle event within a <details> HTML tag, allowing JavaScript execution once the recipient viewed the file in Zimbra’s webmail interface.

Once triggered, the exploit granted full access to the victim’s Zimbra session, enabling attackers to:

  • Harvest user credentials, email messages, and contact lists.
  • Redirect communications or modify mail forwarding rules.
  • Steal and exfiltrate sensitive documents and shared folders.

The campaign exhibited advanced obfuscation techniques, including:

  • A 60-second delayed execution to evade sandbox detection.
  • Execution throttling (only once every three days).
  • Session monitoring and automated logout triggers to re-harvest credentials upon user re-login.

While attribution remains unconfirmed, the campaign’s methodology mirrors tactics previously used by Russian-linked threat actors, such as UNC1151 (Ghostwriter), known for credential theft via XSS vulnerabilities.

Vulnerability Metadata:

  • CVE ID: CVE-2025-27915
  • Vulnerability Type: Cross-Site Scripting (XSS)
  • Affected Products: Zimbra Collaboration Suite (ZCS) versions 9.0, 10.0, 10.1
  • CPE: cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:*
  • CWE ID: CWE-79 (Improper Neutralization of Input During Web Page Generation)
  • Impact: Stored XSS leading to arbitrary code execution and data exfiltration

Recommendations

  • Patch Immediately: Apply Zimbra 9.0.0 P44, 10.0.13, or 10.1.5, which address CVE-2025-27915.
  • Disable Classic Web Client: Temporarily disable the Zimbra Classic interface until patching is complete.
  • Quarantine ICS Attachments: Configure mail gateways to block or sanitize ICS attachments.
  • Deprecate End-of-Life Versions: ZCS 9.0 reached End of Life (EOL) on June 30, 2025, and ZCS 10.0 reached End of General Support the same day. Organizations using these versions must migrate to ZCS 10.1 or later.
  • Migrate Deprecated Platforms: Support for RHEL/CentOS 7 and Oracle 7 was discontinued after Zimbra 10.1.10 (July 2025). Move to RHEL, Rocky, or Oracle Linux 9 to ensure OS-level security compliance.
  • Monitor for Malicious Activity: Review web logs and email activity for signs of ICS-based exploitation or credential anomalies.
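
As an added example (not code from the advisory, from Hive Pro, or from Zimbra), the following Python check is the kind of attachment screening the "Quarantine ICS Attachments" recommendation calls for: it flags any iCalendar property whose value carries an inline HTML event-handler attribute (the ontoggle-in-<details> vector described above) or an active element such as <script>. It unfolds RFC 5545 line continuations before matching, because an attribute split across a folded line would slip past a naive grep. The two calendar entries are constructed samples; the handler name run() is a placeholder, not a payload.

```python
import re

# Inline event handlers (on*=) and active elements never belong inside an
# iCalendar text property such as DESCRIPTION or X-ALT-DESC.
EVENT_HANDLER = re.compile(r"<\s*[a-z][^>]*\bon[a-z]+\s*=", re.IGNORECASE | re.DOTALL)
ACTIVE_TAG = re.compile(r"<\s*(script|iframe|object|embed)\b", re.IGNORECASE)


def unfold(ics_text: str) -> list[str]:
    """Join RFC 5545 folded lines: a line starting with SPACE or TAB continues the previous one."""
    lines: list[str] = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def suspicious_properties(ics_text: str) -> list[tuple[str, str]]:
    """Return (property name, reason) for every property whose value carries active HTML."""
    findings = []
    for line in unfold(ics_text):
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.split(";", 1)[0].upper()  # drop parameters such as FMTTYPE=text/html
        if EVENT_HANDLER.search(value):
            findings.append((name, "inline event handler attribute"))
        elif ACTIVE_TAG.search(value):
            findings.append((name, "active HTML element"))
    return findings


# Constructed sample: harmless invite with plain HTML formatting in DESCRIPTION.
BENIGN_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "BEGIN:VEVENT", "SUMMARY:Protocol meeting",
    "DESCRIPTION:Agenda attached<br>", " see you there",
    "END:VEVENT", "END:VCALENDAR",
]) + "\r\n"

# Constructed sample: the handler attribute is deliberately split across a fold.
SUSPICIOUS_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "BEGIN:VEVENT", "SUMMARY:Protocol meeting",
    "DESCRIPTION:Agenda <details ontog", ' gle="run()">see attachment</details>',
    "END:VEVENT", "END:VCALENDAR",
]) + "\r\n"

if __name__ == "__main__":
    print(suspicious_properties(BENIGN_ICS))      # []
    print(suspicious_properties(SUSPICIOUS_ICS))  # [('DESCRIPTION', 'inline event handler attribute')]
```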

Indicators of Compromise (IoCs)

IPv4

  • 193[.]29[.]58[.]37

URL

  • hxxps[:]//ffrk[.]net/apache2_config_default_51_2_1

Email

  • spam_to_junk[@]proton[.]me

SHA256

  • ea752b1651ad16bc6bf058c34d6ae795d0b4068c2f48fdd7858f3d4f7c516f37

MITRE ATT&CK TTPs

  • TA0001 Initial Access: T1190 (Exploit Public-Facing Application)
  • TA0002 Execution: T1203 (Exploitation for Client Execution), T1059, T1059.007 (JavaScript)
  • TA0003 Persistence: T1098, T1098.002 (Account Manipulation, Additional Email Delegate Permissions)
  • TA0005 Defense Evasion: T1027 (Obfuscated Files or Information), T1036 (Masquerading), T1564 (Hide Artifacts), T1656 (Impersonation)
  • TA0006 Credential Access: T1056 (Input Capture), T1078 (Valid Accounts)
  • TA0009 Collection: T1114 (Email Collection)
  • TA0010 Exfiltration: T1041 (Exfiltration Over C2 Channel)
  • TA0011 Command and Control: T1071, T1071.001 (Web Protocols)
