Zero-Day Exploit in Zimbra Used to Attack Brazilian Military via Malicious ICS Files


388/68 Tuesday, October 7, 2025

Cybersecurity researchers from StrikeReady Labs have uncovered an in-the-wild attack exploiting a zero-day vulnerability in Zimbra Collaboration, tracked as CVE-2025-27915 (CVSS 5.4), targeting the Brazilian military through malicious ICS calendar files. The attackers impersonated the Office of Protocol of the Libyan Navy and sent emails with weaponized ICS attachments. When an attachment was opened, a hidden JavaScript event handler embedded in a <details> tag executed directly, allowing the attackers to run arbitrary code within the victim's session.

Analysis revealed that the ICS files contained a JavaScript data stealer designed to exfiltrate sensitive data such as credentials, emails, contact lists, and shared folders, sending the stolen information to ffrk[.]net. The malware also searched specific email folders and created a new email filter rule named "Correo" to automatically forward messages to spam_to_junk@proton[.]me. To avoid detection, the code hid UI elements and triggered only after three days, reducing the likelihood of discovery.
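As an added defensive example (not code from StrikeReady Labs, Zimbra, or The Hacker News), the Python scanner below unfolds an iCalendar file and flags properties whose HTML carries inline event handlers or script tags, the pattern described above; the property list, the sample ICS, and the `/* placeholder */` handler body are all constructed assumptions.

```python
import re
from typing import List

# Properties that webmail clients may render as HTML (assumed list).
HTML_PROPS = ("DESCRIPTION", "X-ALT-DESC", "SUMMARY", "LOCATION", "COMMENT")
# Inline handlers (onload=, ontoggle=, ...) inside a tag, and <script> tags.
EVENT_HANDLER = re.compile(r"<[^>]*\bon[a-z]+\s*=", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def unfold(ics: str) -> List[str]:
    """Join RFC 5545 folded lines: a continuation line starts with SP or HTAB."""
    lines: List[str] = []
    for raw in ics.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def find_suspicious_props(ics: str) -> List[str]:
    """Return the names of HTML-bearing properties that carry handlers or scripts."""
    hits: List[str] = []
    for line in unfold(ics):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        # Drop parameters such as ";FMTTYPE=text/html" from the property name.
        prop = name.split(";", 1)[0].upper()
        if prop not in HTML_PROPS:
            continue
        # Undo iCalendar text escaping before inspecting the HTML.
        value = value.replace("\\n", "\n").replace("\\,", ",").replace("\\;", ";")
        if EVENT_HANDLER.search(value) or SCRIPT_TAG.search(value):
            hits.append(prop)
    return hits


# Constructed sample modelled on the reported ICS: an event handler on
# <details>, folded across two lines so a naive per-line scan would miss it.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "BEGIN:VEVENT",
    "SUMMARY:Protocol meeting",
    "X-ALT-DESC;FMTTYPE=text/html:<html><body><details ontoggle=\"/* placeh",
    " older */\"><summary>Agenda</summary></details></body></html>",
    "END:VEVENT",
    "END:VCALENDAR",
])
```

Running `find_suspicious_props(SAMPLE_ICS)` returns `['X-ALT-DESC']`; a mail gateway can apply the same check to every `text/calendar` attachment before it reaches the webmail client.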

The vulnerability was patched on January 27, 2025, in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5. Although Zimbra's advisory did not initially mention active exploitation, this case serves as conclusive evidence of real-world attacks. Previously, threat groups such as Russia's APT28, Winter Vivern, and UNC1151 (Ghostwriter) were reported to have used similar tactics, exploiting XSS vulnerabilities in other webmail systems, including Roundcube, Horde, and MDaemon, to steal user data.

Source: https://thehackernews.com/2025/10/zimbra-zero-day-exploited-to-target.html