A stored cross-site scripting (XSS) vulnerability in Synacor's Zimbra Collaboration Suite (ZCS) has been actively exploited in the wild, leading to a breach of Brazilian military systems. The flaw, identified as CVE-2025-27915, affects Zimbra versions 9.0, 10.0, and 10.1. It arises from insufficient sanitization of HTML content in ICS files within the Classic Web Client, allowing attackers to execute arbitrary scripts when a user views a malicious email containing an ICS entry.
The vulnerability, which carries a CVSS score of 5.4, was disclosed on March 12, 2025, and has since been added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of October 7, 2025. Despite its medium severity rating, the flaw's exploitation in the wild underscores its potential impact, particularly in environments where sensitive information is handled, such as military systems.
The exploitation of CVE-2025-27915 highlights the need for organizations using Zimbra to prioritize patching and implement additional security measures to mitigate the risk of XSS attacks. The Exploit Prediction Scoring System (EPSS) assigns it a probability of 0.261, indicating a moderate likelihood of exploitation, while the Stakeholder-Specific Vulnerability Categorization (SSVC) advises immediate attention.
Organizations using Zimbra Collaboration Suite should ensure they are running the latest patched versions and review their email handling procedures to prevent similar breaches. As attackers continue to leverage this vulnerability, maintaining vigilance and applying timely updates remain critical to safeguarding sensitive systems.
CSURFACE