CVE-2025-27915
Published 2025-03-12
Priority P275 · medium · 5.4 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2025-10-28
Exploited in the wild
EPSS: 4.24% (89.8th percentile)
An issue was discovered in Zimbra Collaboration (ZCS) 9.0, 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a `<details>` tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | >= 10.0.0 < 10.0.13 | 10.0.13 |
| synacor | zimbra_collaboration_suite | >= 10.1.0 < 10.1.5 | 10.1.5 |
Detection & IOCs (extracted from sources)
Path: `/js/zimbraMail/share/model/ZmSettings.js`
- The XSS payload executes via an `ontoggle` event inside a `<details>` HTML tag embedded within the ICS file. Inspect ICS attachments for `ontoggle` event handlers.
- The malicious JavaScript payload was obfuscated using Base64 encoding. Scan the Zimbra message store for Base64-encoded content within .ICS file entries.
- The payload uses Zimbra SOAP API calls to search folders and retrieve emails. Monitor for anomalous SOAP API usage patterns within authenticated sessions, especially bulk folder/email retrieval.
- Review all Zimbra mail filters for unauthorized entries, particularly any filter named 'Correo' or any filter forwarding to external Proton Mail addresses.
- The payload creates hidden username/password fields and steals credentials from login forms. Monitor the DOM for dynamically injected hidden credential fields in Zimbra Classic Web Client sessions.
- Use the Nuclei template path `/js/zimbraMail/share/model/ZmSettings.js` to fingerprint vulnerable Zimbra versions (9.0.0, 10.0.0–10.0.12, 10.1.0–10.1.4) by extracting the CLIENT_VERSION value.
- Exploitation requires the victim to view the malicious email in the Zimbra Classic Web Client; the vulnerability does not affect other client interfaces.
- Affected versions are ZCS 9.0 (fixed in 9.0.0 P44), 10.0 (fixed in 10.0.13), and 10.1 (fixed in 10.1.5). Patches were released January 27; exploitation began before this date.
- A Zimbra spokesperson stated that based on their data, the exploitation activity does not appear to be widespread, though zero-day use was confirmed.
- CISA's KEV remediation due date for federal agencies (FCEB) is 2025-10-28. BOD 22-01 applies only to federal agencies, but CISA encourages all organizations to patch.
CVSS provenance
- nvd: v3.1, 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- vulncheck: 5.4 MEDIUM
- cisa: 5.4 MEDIUM
GHSA
GHSA-5rg8-g76j-7fw7 (ghsa_unreviewed · 2025-03-12): CVE-2025-27915 [MEDIUM] CWE-79
Description: identical to the NVD description above.
VulnCheck
Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability (vulncheck · 2025 · CVSS 5.4 · CVE-2025-27915 [MEDIUM] CWE-79)
Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a `<details>` tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
CISA
Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability (cisa · 2025-10-07 · CVSS 5.4 · CVE-2025-27915 [MEDIUM] CWE-79)
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Description: identical to the VulnCheck text above.
No detection rules found.
Nuclei
Zimbra - Cross-Site Scripting via ICS Files (nuclei · CVSS 5.4 · CVE-2025-27915 [MEDIUM])
Detects Zimbra Collaboration Suite versions vulnerable to CVE-2025-27915, a stored XSS vulnerability in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an email with a malicious ICS entry, embedded JavaScript executes via an ontoggle event inside a details tag, allowing attackers to perform unauthorized actions like email redirection and data exfiltration.
Template (as excerpted; the source truncates the description):
```yaml
id: CVE-2025-27915

info:
  name: Zimbra - Cross-Site Scripting via ICS Files
  author: Snbig,EhsanCreator,eliotworkspac-max
  severity: medium
  description: |
    Detects Zimbra Collaboration Suite versions vulnerable to CVE-2025-27915, a stored XSS vulnerability in the Classic Web Client due to insufficient sanitization of HTML content
```
Bleepingcomputer
CISA orders feds to patch Zimbra XSS flaw exploited in attacks (blogs_bleepingcomputer · 2026-03-18 · CVSS 7.2 · CVE-2025-66376 [HIGH])
## CISA orders feds to patch Zimbra XSS flaw exploited in attacks
By Sergiu Gatlan
CISA has ordered U.S. government agencies to secure their servers against an actively exploited vulnerability in the Zimbra Collaboration Suite (ZCS).
Zimbra is a very popular email and collaboration software suite used by hundreds of millions of people worldwide, including thousands of businesses and hundreds of government agencies.
Tracked as CVE-2025-66376 and patched in early November, this high-severity security flaw stems from a stored cross-site scripting (XSS) weakness in the Classic UI that remote unauthenticated attackers could exploit by abusing Cascading Style Sheets (CSS) @import directives in email HTML.
While Synacor (the company behind Zimbra) didn't share any details on the impact of a
Bleepingcomputer
Hackers exploited Zimbra flaw as zero-day using iCalendar files (blogs_bleepingcomputer · 2025-10-05 · CVSS 5.4 · CVE-2025-27915 [MEDIUM])
## Hackers exploited Zimbra flaw as zero-day using iCalendar files
By Bill Toulas
Researchers monitoring for larger .ICS calendar attachments found that a flaw in Zimbra Collaboration Suite (ZCS) was used in zero-day attacks at the beginning of the year.
ICS files, also known as iCalendar files, are used to store calendar and scheduling information (meetings, events, and tasks) in plain text, and to exchange it between various calendar applications.
Threat actors exploited CVE-2025-27915, a cross-site scripting (XSS) vulnerability in ZCS 9.0, 10.0, and 10.1, to deliver a JavaScript payload onto target systems.
The vulnerability stems from insufficient sanitization of HTML content in ICS files, which allowed attackers to execute arbitrary JavaScript within the victim's session, like se
Recorded Future
October 2025 CVE Landscape (blogs_recorded_future · CVSS 9.8 · [CRITICAL])
# October 2025 CVE Landscape: 32 High-Impact Vulnerabilities Demand Immediate Attention
October 2025 saw a significant escalation in vulnerability activity, with Recorded Future's Insikt Group® identifying 32 high-impact vulnerabilities, double the 16 identified in September's CVE report. Twenty-six of these vulnerabilities scored as Very Critical.
What security teams need to know:
- Microsoft dominates: Eight of 32 vulnerabilities affect Microsoft products, including a critical WSUS deserialization flaw (CVE-2025-59287) now being actively exploited
- CL0P ransomware group exploited an Oracle E-Business Suite zero-day (CVE-2025-61882) for data theft and extortion campaigns
- Legacy vulnerabilities persist: Five of the 14 RCE-enabling vulnerabilities are over a decade old, highlighting c
References
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.13#Security_Fixes
- https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.5#Security_Fixes
- https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P44#Security_Fixes
- https://strikeready.com/blog/0day-ics-attack-in-the-wild/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27915
Timeline
- 2025-03-12: Published
- 2025-10-07: Added to CISA KEV
- Exploited in the wild