Researchers at cybersecurity firm StrikeReady have uncovered a campaign targeting users of Zimbra Collaboration Suite (ZCS), exploiting a cross-site scripting (XSS) vulnerability in calendar invite (.ICS) files.
The flaw, tracked as CVE-2025-27915, was used in attacks earlier this year, months before a fix was publicly released. The vulnerability affects ZCS versions 9.0, 10.0, and 10.1, and stems from insufficient sanitization of HTML content within ICS attachments.
ICS files, commonly used to share calendar events across platforms, were weaponized through embedded JavaScript, allowing attackers to hijack user sessions, set email filters, and exfiltrate data.
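As an added example from the defender's side (this is not StrikeReady's code and not the campaign's payload), the following Python scanner shows what a mail gateway or triage script can check before an invite reaches a webmail client: it unfolds the ICS attachment, unescapes its text properties, decodes HTML entities, and flags HTML active content such as script tags, inline event handlers or `javascript:` URLs. The sample invite, its `alert('placeholder')` text, and the pattern list are constructed assumptions for this illustration, not an exhaustive filter.

```python
"""Flag calendar (.ICS) attachments whose text properties carry HTML active content.

Added illustration; the sample data and detection patterns are constructed, not
taken from any real campaign.
"""
import html
import re

# Constructed sample: an invite whose HTML description holds an inline script.
# The script body is a harmless placeholder. The <script> tag is deliberately
# split across a folded line (RFC 5545 folding) to show why unfolding matters.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//Example//Constructed sample//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-0001@example.invalid\r\n"
    "DTSTART:20250106T090000Z\r\n"
    "SUMMARY:Meeting request\r\n"
    "DESCRIPTION:Please review the agenda.\r\n"
    "X-ALT-DESC;FMTTYPE=text/html:<html><body>Agenda<scr\r\n"
    " ipt>alert('placeholder')</script></body></html>\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Assumed heuristic list of markers that indicate active content inside a text
# property. A real gateway would tune this; it is an illustration, not a spec.
ACTIVE_CONTENT = re.compile(
    r"<\s*(script|iframe|object|embed|svg)\b"  # tags that can run or load code
    r"|\bon[a-z]+\s*="                          # inline handlers: onload=, onerror=, ...
    r"|javascript\s*:"                          # javascript: URLs
    r"|data\s*:\s*text/html",                   # data: URLs carrying HTML
    re.IGNORECASE,
)


def unfold(ics_text: str) -> str:
    """Join RFC 5545 folded lines: a CRLF followed by one space or tab is a continuation."""
    return re.sub(r"\r?\n[ \t]", "", ics_text)


def unescape_text(value: str) -> str:
    """Undo ICS text escaping: \\n -> newline, \\, -> ',', \\; -> ';', \\\\ -> '\\'."""
    return re.sub(
        r"\\([\\;,nN])",
        lambda m: "\n" if m.group(1) in "nN" else m.group(1),
        value,
    )


def split_property(line: str):
    """Split 'NAME;PARAM=...:value' at the first ':' that is not inside a quoted parameter."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i], line[i + 1:]
    return line, ""


def parse_properties(ics_text: str):
    """Yield (name, params, raw_value) for every content line of the calendar."""
    props = []
    for line in unfold(ics_text).splitlines():
        if not line:
            continue
        head, value = split_property(line)
        name, _, params = head.partition(";")
        props.append((name.upper(), params.upper(), value))
    return props


def find_active_content(ics_text: str):
    """Return one finding per active-content marker found in any text property."""
    findings = []
    for name, _params, raw in parse_properties(ics_text):
        # Decode ICS escapes first, then HTML entities, so encoded markup is seen.
        text = html.unescape(unescape_text(raw))
        for match in ACTIVE_CONTENT.finditer(text):
            findings.append({"property": name, "match": match.group(0)})
    return findings


if __name__ == "__main__":
    for finding in find_active_content(SAMPLE_ICS):
        print(f"{finding['property']}: active content marker {finding['match']!r}")
```

Run against the constructed sample it reports one hit on the `X-ALT-DESC` property, which only appears because the folded `<scr` / `ipt>` halves were joined first; a scanner that greps the raw attachment line by line misses it. A hit is a reason to quarantine or strip the invite for review, not proof of exploitation, and it does not replace upgrading to the fixed ZCS releases named below.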
Zimbra issued patches on January 27, releasing ZCS 9.0.0 P44, 10.0.13, and 10.1.5, but did not initially disclose that the flaw had been actively exploited.
According to StrikeReady, the campaign began in early January and included a targeted attack on a Brazilian military organization. The malicious email, spoofing the Libyan Navy’s Office of Protocol, contained an obfuscated JavaScript payload embedded in a 00KB ICS file. Once triggered, the script was able to steal webmail credentials, contacts, emails, and shared folder data from Zimbra’s webmail interface.
The attack leveraged complex JavaScript techniques, including asynchronous execution and Immediately Invoked Function Expressions (IIFEs).
While StrikeReady could not definitively link the campaign to a specific threat actor, they noted that only a small number of groups are capable of discovering and exploiting zero-day vulnerabilities in widely used software. One such prolific actor, the researchers said, is Russian-linked, though they also highlighted that the tactics and techniques were similar to methods observed in operations of UNC1151, a group previously attributed to the Belarusian government.