Researchers monitoring for larger .ICS calendar attachments found that a flaw in Zimbra Collaboration Suite (ZCS) was used in zero-day attacks at the beginning of the year.
ICS files, also known as iCalendar files, are used to store calendar and scheduling information (meetings, events, and tasks) in plain text, and to exchange it between various calendar applications.
Threat actors exploited CVE-2025-27915, a cross-site scripting (XSS) vulnerability in ZCS 9.0, 10.0, and 10.1, to deliver a JavaScript payload onto target systems.
The vulnerability stems from insufficient sanitization of HTML content in ICS files, which allowed attackers to execute arbitrary JavaScript within the victim's session, like setting filters that redirect messages to them.
Zimbra addressed the security issue on January 27 by releasing ZCS 9.0.0 P44, 10.0.13, and 10.1.5, but did not mention any active exploitation activity.
However, researchers at StrikeReady, a company that develops an AI-driven security operations and threat management platform, discovered the attack after keeping an eye out for .ICS files that were larger than 10KB and included JavaScript code.
They determined that the attacks had started at the beginning of January, before Zimbra released the patch.
The threat actor spoofed the Libyan Navy’s Office of Protocol in an email that delivered a zero-day exploit that targeted a Brazilian military organization.
Malicious email sent by the attackers
Source: StrikeReady
... continue reading