A new Zimbra zero-day exploit has been used in targeted attacks worldwide. Hackers deployed malicious iCalendar files to inject JavaScript, steal credentials, and access victims’ emails. The flaw allowed remote code execution inside active webmail sessions, giving attackers full control over compromised accounts.
How the Zimbra Zero-Day Exploit Worked
Researchers identified the vulnerability as CVE-2025-27915, a cross-site scripting flaw in Zimbra Collaboration Suite. The bug affected versions 9.0, 10.0, and 10.1.
Hackers embedded malicious JavaScript in .ICS calendar files. When users imported or viewed these files, Zimbra executed the script without validation. This gave attackers access to session tokens, emails, and user credentials.
The injected JavaScript ran directly inside the victim’s mailbox. It could modify mail filters, forward messages, or silently copy data to attacker-controlled servers. In some cases, the script monitored user activity and exfiltrated data in real time.
Attack Campaign and Discovery
The campaign began in early January 2025 and primarily targeted government and military organizations. One confirmed attack spoofed the Libyan Navy’s Office of Protocol and hit a Brazilian military network.
Cybersecurity firm StrikeReady uncovered the zero-day while analyzing large .ICS attachments containing obfuscated JavaScript. They reported that these calendar files exceeded 10 KB and contained encoded payloads hidden in event descriptions.
The exploit was used before Zimbra could issue a fix, making it a genuine zero-day. The company patched the flaw on January 27, releasing ZCS versions 9.0.0 P44, 10.0.13, and 10.1.5.
Impact and Attribution
The Zimbra zero-day exploit enabled attackers to steal:
- Usernames and passwords
- Full email contents
- Contact lists and distribution groups
- Configuration data and authentication cookies
Researchers noted similarities to campaigns linked to Belarusian and Russian threat actors, though attribution remains unconfirmed. The use of social engineering and government-themed lures suggests a state-sponsored operation.
How to Protect Zimbra Users
- Install patches immediately. Update to ZCS 9.0.0 P44, 10.0.13, or 10.1.5.
- Block suspicious .ICS files. Flag calendar attachments larger than 10 KB or containing HTML or JavaScript.
- Monitor mailbox rules. Check for new filters or auto-forwarding created without authorization.
- Review API logs. Limit SOAP API access to verified systems.
- Educate users. Warn staff about unsolicited calendar invitations or meeting requests.
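The attachment check described in the list above, as an added example that is not part of the original article or of any Zimbra tooling: a small Python scanner that unfolds an iCalendar file per RFC 5545 (so a script tag split across folded lines is still seen), then flags oversized files and HTML or JavaScript inside event text properties. The size limit, the property names and the two sample invites are assumptions constructed for the example.

```python
import re

# Thresholds and indicators taken from the mitigation guidance: oversized
# calendar attachments and HTML/JavaScript inside event text.
SIZE_LIMIT = 10 * 1024  # bytes; assumed value matching the article's 10 KB figure
INDICATORS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
    ("HTML event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("HTML markup", re.compile(r"<\s*[a-z][a-z0-9]*[^>]*>", re.I)),
]
# Properties that carry free text an attacker could place markup in (assumed list).
TEXT_PROPS = ("DESCRIPTION", "X-ALT-DESC", "SUMMARY", "LOCATION", "COMMENT")

def unfold_ics(data: str) -> list[str]:
    """Undo RFC 5545 line folding: a line beginning with SPACE or TAB continues the previous one."""
    lines: list[str] = []
    for raw in data.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def scan_ics(data: str) -> list[str]:
    """Return human-readable findings for one .ics file; an empty list means nothing was flagged."""
    findings: list[str] = []
    size = len(data.encode("utf-8"))
    if size > SIZE_LIMIT:
        findings.append(f"size {size} bytes exceeds {SIZE_LIMIT}")
    for line in unfold_ics(data):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        prop = name.split(";", 1)[0].upper()  # drop parameters such as ;FMTTYPE=text/html
        if prop not in TEXT_PROPS:
            continue
        for label, pattern in INDICATORS:
            if pattern.search(value):
                findings.append(f"{prop} contains {label}")
                break  # one finding per property is enough for triage
    return findings

# Constructed samples (not from the campaign): a benign invite, and one whose
# DESCRIPTION is folded so that "<scr" + "ipt>" only reassembles after unfolding.
BENIGN_ICS = "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Team sync\r\nDESCRIPTION:Agenda at 10:00\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
SUSPICIOUS_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Protocol meeting\r\n"
    "DESCRIPTION:Please review <scr\r\n ipt>alert(1)</script>\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_ICS), ("suspicious", SUSPICIOUS_ICS)):
        print(name, scan_ics(sample) or "clean")
```

A mail gateway rule would quarantine on any finding; X-ALT-DESC legitimately carries HTML from some clients, so in production the "HTML markup" indicator is best treated as lower severity than the script and handler matches.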
Conclusion
The Zimbra zero-day exploit proves that even harmless file formats can hide sophisticated attacks. By embedding JavaScript in iCalendar files, hackers bypassed traditional defenses and stole sensitive data directly from mailboxes.
Patching, monitoring, and user awareness remain essential to prevent further exploitation.