On October 6, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-27915—an actively exploited vulnerability in Zimbra Collaboration Suite (ZCS)—to its Known Exploited Vulnerabilities (KEV) catalog, mandating urgent remediation for all organizations leveraging Zimbra’s Classic Web Client.
What is CVE-2025-27915?
CVE-2025-27915 is a stored cross-site scripting (XSS) vulnerability in Zimbra ZCS versions 9.0, 10.0, and 10.1. The vulnerability stems from insufficient sanitization of HTML content in imported iCalendar (.ICS) files. Attackers can craft a malicious ICS file containing embedded JavaScript, which triggers when a user previews or opens the calendar invite within the Classic Web Client.
Once triggered, the attacker’s JavaScript runs in the user’s session, allowing:
- Theft of sensitive user data and cookies
- Creation of unauthorized mail filters and rules
- Email redirection to attacker-controlled accounts
- Full session hijacking and post-exploitation persistence
Exploitation in the Wild
This vulnerability has been exploited in targeted campaigns against government, military, and commercial sectors, including a high-profile attack on Brazil’s military earlier this year. Attackers leveraged emails with malicious ICS attachments to compromise Zimbra Classic Web Client users and establish long-term access to sensitive mailboxes.
The exploit specifically abuses the “ontoggle” event within a <details> HTML tag inside the ICS file, bypassing Zimbra’s input sanitization and executing arbitrary JavaScript.
CISA KEV Addition: What Does It Mean?
CISA’s inclusion of CVE-2025-27915 in its KEV catalog signals confirmation of active exploitation and heightens the urgency for patching or mitigation. Under CISA’s Binding Operational Directive 22-01, all U.S. federal agencies are required to address KEV-listed flaws by patching or implementing workarounds. CISA strongly urges all organizations worldwide—including enterprises and service providers—to remediate immediately.
Patch and Mitigation Guidance
- Patched Versions: Zimbra has released security updates for ZCS 9.0 (Patch 44), 10.0.13, and 10.1.5 as of January 27, 2025. Applying these patches fully addresses CVE-2025-27915.
- If immediate patching is not possible: Disable the Classic Web Client as a temporary defense, and monitor for suspicious ICS attachments in your mailflow.
- Proactive hunting: Review existing inbox rules and mail filters for signs of manipulation, and investigate any use of ICS files with embedded JavaScript.
Detecting and Responding to Attacks
Security teams should:
- Audit mailboxes for unauthorized filters or rules—these are a common persistence technique
- Monitor for abnormal egress patterns and credential reuse
- Rotate user credentials if compromise is suspected
- Add mail gateway controls to block incoming ICS files with script-like patterns
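The hunting item above (investigate ICS files with embedded JavaScript) and the gateway item (block incoming ICS files with script-like patterns) both need the same check, so one added example serves both. This is illustrative code, not from the original page or from Zimbra: it unfolds RFC 5545 continuation lines before scanning, because a handler name split across a folded line slips past a naive line-by-line grep; the two sample invites are constructed.

```python
import re

# Any on* handler attribute (the page notes "ontoggle" on <details>), plus script tags / javascript: URLs.
EVENT_HANDLER_RE = re.compile(r"<[^>]*?\s(on[a-z]+)\s*=", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)

def unfold_ics(text: str) -> str:
    """Undo RFC 5545 line folding: a CRLF/LF followed by a space or tab continues the previous line."""
    return re.sub(r"\r?\n[ \t]", "", text)

def ics_properties(text: str):
    """Yield (NAME, value) per content line, dropping parameters and undoing backslash escapes."""
    for line in unfold_ics(text).splitlines():
        if ":" not in line:
            continue
        name_params, value = line.split(":", 1)
        name = name_params.split(";", 1)[0].upper()
        value = re.sub(r"\\([\\;,nN])", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)
        yield name, value

def scan_ics(text: str) -> list[str]:
    """Return a finding per active-content pattern; an empty list means nothing script-like was seen."""
    findings = []
    for name, value in ics_properties(text):
        for match in EVENT_HANDLER_RE.finditer(value):
            findings.append(f"{name}: HTML event handler {match.group(1)!r}")
        if SCRIPT_RE.search(value):
            findings.append(f"{name}: script tag or javascript: URL")
    return findings

# Constructed sample invites (not real traffic). The second folds "ontoggle" across two lines.
BENIGN_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Quarterly review
DESCRIPTION:Agenda\\, slides and minutes. Room 4B.
END:VEVENT
END:VCALENDAR"""

SUSPICIOUS_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Team sync
X-ALT-DESC;FMTTYPE=text/html:<html><body>Agenda <details open ontog
 gle="x()">notes</details></body></html>
END:VEVENT
END:VCALENDAR"""

if __name__ == "__main__":
    for label, ics in (("benign", BENIGN_ICS), ("suspicious", SUSPICIOUS_ICS)):
        print(label, scan_ics(ics) or "clean")
```

A positive hit should route the message to quarantine or an analyst queue rather than silently dropping it, since legitimate HTML invites rarely carry event handlers but the check is a pattern match, not a parser-level proof.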
Why This Should Be Prioritized
Given its low exploitation complexity, high impact, documented in-the-wild abuse, and privileged mail context, CVE-2025-27915 is a critical risk. Organizations using Zimbra Classic Web Client should elevate this patch to the highest priority, consistent with the intent behind CISA’s KEV list.