CVE-2025-27915
published 2025-03-12

Priority: P2 75 · Severity: medium 5.4 (CVSS 3.1)
Vector: AV:N AC:L PR:L UI:R S:C C:L I:L A:N
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2025-10-28
Exploited in the wild
EPSS: 4.24% (89.8th percentile)
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a `<details>` tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.

Affected (3 ranges)

Vendor | Product | Version range | Fixed in
synacor | zimbra_collaboration_suite | |
synacor | zimbra_collaboration_suite | >= 10.0.0 < 10.0.13 | 10.0.13
synacor | zimbra_collaboration_suite | >= 10.1.0 < 10.1.5 | 10.1.5

Detection & IOCs (extracted from sources)

path: /js/zimbraMail/share/model/ZmSettings.js
filename: *.ics
other: Filter name "Correo" (mail forwarding filter to Proton address)
  • The XSS payload executes via an `ontoggle` event inside a `<details>` HTML tag embedded within the ICS file. Inspect ICS attachments for `ontoggle` event handlers.
  • The malicious JavaScript payload was obfuscated using Base64 encoding. Scan the Zimbra message store for Base64-encoded content within .ICS file entries.
  • The payload uses Zimbra SOAP API calls to search folders and retrieve emails. Monitor for anomalous SOAP API usage patterns within authenticated sessions, especially bulk folder/email retrieval.
  • Review all Zimbra mail filters for unauthorized entries, particularly any filter named 'Correo' or any filter forwarding to external Proton Mail addresses.
  • The payload creates hidden username/password fields and steals credentials from login forms. Monitor the DOM for dynamically injected hidden credential fields in Zimbra Classic Web Client sessions.
  • Use the Nuclei template path `/js/zimbraMail/share/model/ZmSettings.js` to fingerprint vulnerable Zimbra versions (9.0.0, 10.0.0–10.0.12, 10.1.0–10.1.4) by extracting the CLIENT_VERSION value.
  • Exploitation requires the victim to view the malicious email in the Zimbra Classic Web Client — the vulnerability does not affect other client interfaces.
  • Affected versions are ZCS 9.0 (fixed in 9.0.0 P44), 10.0 (fixed in 10.0.13), and 10.1 (fixed in 10.1.5). Patches were released January 27; exploitation began before this date.
  • A Zimbra spokesperson stated that based on their data, the exploitation activity does not appear to be widespread, though zero-day use was confirmed.
  • CISA's KEV remediation due date for federal agencies (FCEB) is 2025-10-28. BOD 22-01 applies only to federal agencies, but CISA encourages all organizations to patch.
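As an added example, not part of this record or of Zimbra's code, the following Python scanner covers the first two detection bullets above: it unfolds RFC 5545 line continuations before matching, so a handler name split across a folded line is still caught, and flags HTML event-handler attributes, script markup and long base64-looking runs in ICS property values. Both sample entries are constructed for the example.

```python
from __future__ import annotations
import re

# Constructed sample (not from the advisory): the DESCRIPTION is folded across two
# lines as RFC 5545 allows, so a raw grep for "ontoggle" would miss the handler.
SUSPECT_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Team sync\r\n"
    "DESCRIPTION:Agenda <details open ontog\r\n"
    ' gle="alert(1)">x</details>\r\n'
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)
# Constructed benign entry: plain HTML formatting without any handler attribute.
BENIGN_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Lunch\r\n"
    "DESCRIPTION:Meet at <b>noon</b>\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
)

# Heuristics: any on*= attribute inside a tag, script markup, or a long base64-looking run.
CHECKS = (
    ("event-handler", re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I)),
    ("script", re.compile(r"<script\b|javascript:", re.I)),
    ("base64-blob", re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")),
)


def unfold_ics(text: str) -> list[str]:
    """Join RFC 5545 folded lines: a line beginning with SPACE or TAB continues the previous one."""
    lines: list[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def scan_ics(text: str) -> list[dict[str, str]]:
    """Return one finding per (property, check) whose unfolded value matches a check."""
    findings: list[dict[str, str]] = []
    for line in unfold_ics(text):
        if ":" not in line:
            continue
        prop, value = line.split(":", 1)
        name = prop.split(";", 1)[0].upper()  # drop parameters such as ;FMTTYPE=text/html
        for kind, rx in CHECKS:
            if rx.search(value):
                findings.append({"property": name, "kind": kind, "value": value})
    return findings
```

Run `scan_ics` over each .ics attachment pulled from the message store; a hit on `event-handler` or `script` in a DESCRIPTION or X-ALT-DESC property is the pattern this CVE describes and warrants a look at the user's mail filters.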

CVSS provenance

nvd: v3.1 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vulncheck: 5.4 MEDIUM
cisa: 5.4 MEDIUM