A cross-site scripting (XSS) vulnerability in Synacor Zimbra Collaboration Suite (ZCS) — tracked as CVE-2025-27915 — has been confirmed to be actively exploited in the wild, prompting CISA to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog.
Researchers discovered that specially crafted .ICS (iCalendar) attachments were used to smuggle executable JavaScript into Zimbra Webmail. StrikeReady observed attacks that abused oversized ICS files (more than ~10 KB) containing obfuscated JavaScript and concluded the campaign had started at the beginning of January, prior to Zimbra’s patch release.
The technical root cause is straightforward: the calendar parser failed to sanitize HTML in ICS payloads. That weakness allowed attackers to execute arbitrary JavaScript within the victim’s session, for example to set mail filters that forward the victim’s messages to the attacker.
StrikeReady’s analysis shows the malicious ICS carried obfuscated JavaScript (Base64-encoded) that, once executed in a victim’s browser session, performed a comprehensive set of data-theft and persistence actions. The researchers found the payload could, among other things, “create hidden username/password fields,” “steal credentials from login forms,” “use Zimbra SOAP API to search folders and retrieve emails,” and “add a filter named ‘Correo’ to forward mail to a Proton address.”
The code was designed for stealth and longevity: it runs in asynchronous IIFEs (immediately invoked function expressions), hides UI elements to lower visual suspicion, delays execution by 60 seconds, and only repeats its full data-harvest routine every three days. StrikeReady concluded the malicious script was capable of exfiltrating credentials, contacts, distribution lists and shared folders — effectively turning a single inbox into a long-term espionage foothold.
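As an added defender-side illustration (not code from the article, StrikeReady or Zimbra), the scanner below applies the attachment traits described above to an ICS body: it unfolds RFC 5545 lines so a tag split across lines is seen whole, flags script markup in calendar properties, decodes long Base64 runs and checks them too, and notes oversized files. The 10 KB threshold, the marker patterns and the sample calendar are assumptions constructed for this example.

```python
import base64
import re

# Heuristics drawn from the article: oversized ICS attachments (~10 KB and up)
# whose properties carry HTML/script markup or Base64-encoded JavaScript.
SIZE_THRESHOLD = 10 * 1024  # bytes; the ~10 KB figure reported by StrikeReady
SCRIPT_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),    # inline <script> element
    re.compile(r"\bon[a-z]+\s*=", re.I),  # HTML event-handler attribute
    re.compile(r"javascript\s*:", re.I),  # javascript: URI
]
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # long opaque blob

def unfold(ics_text):
    """Undo RFC 5545 line folding (CRLF followed by a space or tab)."""
    return re.sub(r"\r?\n[ \t]", "", ics_text)

def script_marker(text):
    """Return the pattern of the first script-like marker in text, or None."""
    return next((p.pattern for p in SCRIPT_PATTERNS if p.search(text)), None)

def scan_ics(ics_text):
    """Return (property, reason) findings for one ICS attachment body."""
    findings = []
    if len(ics_text.encode("utf-8")) > SIZE_THRESHOLD:
        findings.append(("*", "oversized attachment"))
    for line in unfold(ics_text).splitlines():
        name, _, value = line.partition(":")  # heuristic: first colon ends the name
        prop = name.split(";", 1)[0].upper()  # drop parameters such as ;FMTTYPE=
        marker = script_marker(value)
        if marker:
            findings.append((prop, "script marker " + marker))
        for blob in BASE64_RUN.findall(value):
            raw = blob.rstrip("=")
            try:  # re-pad and decode; a run that does not decode is left alone
                decoded = base64.b64decode(raw + "=" * (-len(raw) % 4)).decode("latin-1")
            except ValueError:
                continue
            marker = script_marker(decoded)
            findings.append((prop, "base64 blob" + (" decoding to " + marker if marker else "")))
    return findings

# Constructed sample, not from the campaign: a benign event plus one carrying a
# folded <script> tag and a Base64 blob that decodes to script markup.
ENCODED_BLOB = base64.b64encode(b"<script>" + b"x" * 150).decode("ascii")
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\nSUMMARY:Quarterly review\r\n"
    "DESCRIPTION:Agenda attached.\r\nEND:VEVENT\r\nBEGIN:VEVENT\r\nSUMMARY:Protocol meeting\r\n"
    "DESCRIPTION:<scr\r\n ipt>run()</script>\r\nX-ALT-DESC;FMTTYPE=text/html:" + ENCODED_BLOB
    + "\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
)
```

Running `scan_ics(SAMPLE_ICS)` reports the folded `<script>` in DESCRIPTION and the decoded script markup in X-ALT-DESC, while the benign event produces nothing.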
StrikeReady identified one highly targeted early incident in which the attacker spoofed the Libyan Navy’s Office of Protocol to deliver the exploit against a Brazilian military organization. The company could not attribute the campaign with high confidence to a single threat actor but noted that the capability to discover and weaponize such zero-days is limited to a small set of attackers; similar TTPs have previously been observed from groups like UNC1151.
Synacor released fixes on January 27 in ZCS builds 9.0.0 P44, 10.0.13, and 10.1.5. The advisory notes that Zimbra issued patches but did not initially mention the active exploitation — researchers, however, found evidence the exploit was in the wild before the patch.
In light of the latest development, Federal Civilian Executive Branch (FCEB) agencies are required to remediate the identified vulnerability by October 28, 2025, to secure their networks.