🟢 CVE-2025-27915

This is a stored XSS vulnerability in Zimbra Collaboration Server that requires a user to view a malicious email containing a crafted ICS calendar file. Despite being in CISA KEV, this is not a direct server compromise but rather a client-side attack targeting user sessions.

Risk Level: LOW_RISK

CVSS Score: 5.4

Attack Vector: NETWORK

ATT&CK Tactic: Execution

ATT&CK Technique: T1203 — Exploitation for Client Execution

Deployment Risk: VERY_HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2025-03-12

Added to CISA KEV: 2025-10-07 (209 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-27915 is a stored cross-site scripting (XSS) vulnerability affecting the Classic Web Client of the Zimbra Collaboration Suite (ZCS) [3] [1].

Active Exploitation and Threat Actor Usage
  • Status: This vulnerability was confirmed to be exploited in the wild as a zero-day earlier in 2025 [2] [5].
  • Targeted Attacks: It was specifically used in targeted cyberattacks against the Brazilian military [2] [6]. There is no public information linking this specific vulnerability to broad, automated ransomware campaigns.
Attack Method and Requirements
  • Method: The vulnerability stems from insufficient sanitization of HTML content within `.ics` (calendar) files [3].
  • Exploitation: An attacker sends an email containing a malicious `.ics` file. When a user views the email, the embedded JavaScript executes automatically via an `ontoggle` event inside a `<details>` HTML tag [1].
  • Requirements:
    • User Interaction: Yes, the victim must view the email containing the malicious ICS attachment [1].
    • Access: It is a remote attack vector, as it is delivered via email [1].
Impact
  • Successful exploitation allows for the execution of arbitrary JavaScript in the context of the victim's session [1]. This can lead to email hijacking, session theft, or other malicious actions performed on behalf of the authenticated user [4].
Affected Versions and Mitigation
  • Affected Versions: Zimbra Collaboration Suite (ZCS) versions 9.0, 10.0, and 10.1 are affected [4] [1].
  • Status: The vulnerability has been patched by the vendor [2]. Users are advised to apply the latest security patches provided by Zimbra to remediate the issue [5].
Proof-of-Concept Availability
  • While technical details regarding the `ontoggle` event exploitation are publicly documented, there is no widespread availability of a "plug-and-play" exploit tool mentioned in standard security advisories; the focus has been on the method of delivery via malicious calendar files [1] [6].

Sources

  1. CVE-2025-27915 - Vulnerability Details - OpenCVE

    An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its emb…

  2. Zimbra Zero-Day Exploited to Target Brazilian Military via Malicious ...

    A now patched security vulnerability in Zimbra Collaboration was exploited as a zero-day earlier this year in cyber attacks targeting the Brazilian military. Tracked as CVE-2025-27915 (CVSS score: 5.4), the vulnerability is a stored cross-site scripting (XSS) vulnerability in the Classic Web Client…

  3. CVE-2025-27915 Detail - NVD

    A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. ...

  4. CVE-2025-27915 - Stored XSS in Zimbra 9/10 Allows Email Hijack via ...

    CVE-2025-27915 - Stored XSS in Zimbra 9/10 Allows Email Hijack via Malicious ICS Files A newly disclosed vulnerability, CVE-2025-27915, affects Zimbra Collaboration Suite (ZCS) versions 9., 10., and 10.1. Zimbra is a widely-used open-source email and collaboration platform with millions of users wor…

  5. CVE-2025-27915 — Synacor Zimbra Collaboration Suite (ZCS) Cross-site ...

    Confirmed exploited in the wild. Added 2025-10-07. Federal remediation due 2025-10-28. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  6. 0day .ICS attack in the wild | StrikeReady Blog

    ... CVE-2025-27915, targeting Brazil's military. This leveraged a malicious .ICS file, a popular calendar format.