CVE-2025-27915: n/a
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.
AI Analysis
Technical Summary
CVE-2025-27915 is a stored cross-site scripting (XSS) vulnerability identified in the Classic Web Client of Zimbra Collaboration Suite (ZCS) versions 9.0, 10.0, and 10.1. The root cause is insufficient sanitization of HTML content embedded within ICS calendar files attached to emails. Specifically, the vulnerability leverages the ontoggle event handler inside a <details> HTML tag, which allows embedded JavaScript code to execute when a user views the malicious email containing the crafted ICS file. This JavaScript runs within the context of the victim’s authenticated session, enabling an attacker to perform unauthorized actions such as modifying email filters to redirect incoming mail to attacker-controlled addresses. This can facilitate data exfiltration and further compromise of the victim’s email account. The vulnerability requires the victim to open or preview the malicious email, and the attacker must have at least limited privileges to send emails to the victim. The CVSS 3.1 score is 5.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges and user interaction. No public exploits are known at this time, but the vulnerability poses a significant risk due to the potential for persistent unauthorized actions within the victim’s mailbox. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). No official patches have been linked yet, so organizations should monitor vendor advisories closely.
Potential Impact
The impact of CVE-2025-27915 on organizations can be significant, especially for those relying on Zimbra Collaboration Suite for email and calendaring. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the victim’s session, leading to unauthorized modification of email filters. This can result in sensitive emails being redirected to attacker-controlled accounts, enabling data leakage and espionage. Additionally, attackers may manipulate mailbox settings or perform other unauthorized actions, undermining the confidentiality and integrity of email communications. Although availability is not directly affected, the compromise of email accounts can disrupt business operations and trust. Organizations with high-value targets or sensitive communications are at increased risk. The medium severity score indicates moderate risk, but the potential for persistent unauthorized access and data exfiltration elevates the threat. The lack of known exploits currently provides a window for proactive mitigation before widespread exploitation occurs.
Mitigation Recommendations
To mitigate CVE-2025-27915, organizations should first monitor Zimbra’s official channels for patches and apply them promptly once available. In the absence of patches, administrators can implement several practical mitigations:
1) Disable automatic rendering or previewing of ICS attachments in the Classic Web Client so that HTML embedded in a calendar entry is not rendered on message view.
2) Implement strict email filtering to block or quarantine emails containing ICS attachments from untrusted sources.
3) Educate users to avoid opening suspicious calendar invites or emails with ICS files from unknown senders.
4) Employ Content Security Policy (CSP) headers, where the deployment allows it, to restrict inline JavaScript execution within the web client.
5) Review and restrict mailbox filter creation permissions to limit unauthorized changes.
6) Monitor mailbox filter configurations and logs for unusual changes, in particular newly created filters that redirect or forward mail to external addresses, since that is the post-exploitation action described for this vulnerability.
7) Consider upgrading to newer Zimbra versions or alternative clients that do not exhibit this vulnerability.
These targeted steps go beyond generic advice and focus on reducing attack surface and detecting exploitation attempts.
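The root cause described above is sanitization that misses an event handler the author did not anticipate. The following added example (not Zimbra's code) contrasts a blocklist sanitizer, which lets an ontoggle attribute inside <details> through, with an allowlist sanitizer that drops every attribute it does not explicitly permit; the ICS sample, the placeholder handler fn() and the tag allowlist are all constructed for this illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample, not a real message: an ICS event whose HTML description
# carries an ontoggle handler inside <details>. fn() is a placeholder, not a payload.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Sync\r\n"
    'X-ALT-DESC;FMTTYPE=text/html:<p>Agenda</p><details open ontoggle="fn()">\r\n'
    " <summary>More</summary></details>\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
)

def html_descriptions(ics_text):
    """Return HTML description values after unfolding RFC 5545 continuation lines."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)
    return [ln.split(":", 1)[1] for ln in unfolded.splitlines()
            if ln.upper().startswith("X-ALT-DESC") and "FMTTYPE=TEXT/HTML" in ln.upper()]

def naive_sanitize(html):
    """Blocklist: strips <script> and two well-known handlers. Any handler it did
    not think of (ontoggle, onanimationstart, ...) passes straight through."""
    html = re.sub(r"<script\b.*?</script>", "", html, flags=re.I | re.S)
    return re.sub(r"\s(onclick|onload)\s*=\s*(\"[^\"]*\"|'[^']*'|\S+)", "", html, flags=re.I)

class _Allowlist(HTMLParser):
    # Allowlist: only these tags/attributes are re-emitted; all text is re-escaped.
    TAGS = {"p", "b", "i", "u", "br", "ul", "ol", "li", "a"}
    ATTRS = {"a": {"href"}}
    def __init__(self):
        super().__init__()
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in self.TAGS:
            return  # <details>, <summary>, <script> ... vanish; their text survives
        kept = [(k, v or "") for k, v in attrs if k in self.ATTRS.get(tag, ())
                and not (v or "").strip().lower().startswith("javascript:")]
        self.out.append("<%s%s>" % (tag, "".join(' %s="%s"' % (k, escape(v)) for k, v in kept)))
    def handle_endtag(self, tag):
        if tag in self.TAGS:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def allowlist_sanitize(html):
    p = _Allowlist(); p.feed(html); p.close()
    return "".join(p.out)

def has_event_handler(html):
    """Detection check usable on stored messages: any on* attribute on any tag."""
    return re.search(r"<[^>]*\son[a-z]+\s*=", html, re.I) is not None
```

Running has_event_handler over the output of each sanitizer shows the difference: the blocklist leaves the ontoggle attribute in place, the allowlist removes it along with the unlisted <details> element.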
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, India, Brazil, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-03-10T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e490596ce96be75a027aa0
Added to database: 10/7/2025, 4:00:25 AM
Last enriched: 2/26/2026, 11:59:52 PM
Last updated: 3/25/2026, 4:19:17 AM