Brazilian Military

A zero-day stored cross-site scripting (XSS) vulnerability (CVE-2025-27915, CVSS 5.4) in Zimbra Collaboration’s Classic Web Client was exploited in targeted cyber attacks against the Brazilian military. The flaw, stemming from insufficient HTML sanitization in ICS calendar files, allowed arbitrary JavaScript execution when victims viewed malicious emails. Attackers, posing as the Libyan Navy’s Office of Protocol, deployed a data-stealing script that exfiltrated credentials, emails, contacts, and shared folders to an external server (ffrk[.]net). The script also created hidden Zimbra email filters (named 'Correo') to forward messages to spam_to_junk@proton.me, evading detection by delaying execution for over three days.

The breach enabled unauthorized access to sensitive military communications, risking operational security and intelligence leaks. While the patch was released in January 2025, the exploitation occurred earlier, with StrikeReady Labs confirming in-the-wild activity in September 2025. The attack mirrors tactics used by Russian APT28 and other groups (Winter Vivern, UNC1151), suggesting state-sponsored or advanced persistent threat involvement. The stolen data could compromise national security, diplomatic communications, and personnel safety, though the full extent of the damage remains undisclosed.

Source: https://thehackernews.com/2025/10/zimbra-zero-day-exploited-to-target.html

TPRM report: https://www.rankiteo.com/company/marinhadobrasil

{
"id": "mar3962239100625",
"linkid": "marinhadobrasil",
"type": "Cyber Attack",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Defense',
                        'location': 'Brazil',
                        'name': 'Brazilian Military',
                        'type': 'Government/Military'},
                       {'customers_affected': 'Users of Zimbra Classic Web '
                                              'Client (versions < 9.0.0 Patch '
                                              '44, 10.0.13, 10.1.5)',
                        'industry': 'Software/Email Collaboration',
                        'location': 'Global (HQ: Buffalo, NY, USA)',
                        'name': 'Zimbra Collaboration (Synacor, Inc.)',
                        'type': 'Corporation'}],
 'attack_vector': ['Phishing (Spoofed Email)',
                   'Malicious ICS Calendar File',
                   'Stored XSS (CVE-2025-27915)'],
 'customer_advisories': ['Zimbra urged users to patch in January 2025 '
                         'advisory.'],
 'data_breach': {'data_exfiltration': 'Yes (to ffrk[.]net and '
                                      'spam_to_junk@proton.me)',
                 'file_types_exposed': ['ICS Calendar Files',
                                        'Emails',
                                        'Contacts'],
                 'personally_identifiable_information': 'Likely (emails, '
                                                        'contacts, '
                                                        'credentials)',
                 'sensitivity_of_data': 'High (military communications, PII)',
                 'type_of_data_compromised': ['Credentials',
                                              'Emails',
                                              'Contacts',
                                              'Shared Folders']},
 'date_publicly_disclosed': '2025-09-30',
 'date_resolved': '2025-01-27',
 'description': 'A now-patched stored cross-site scripting (XSS) vulnerability '
                "(CVE-2025-27915, CVSS score: 5.4) in Zimbra Collaboration's "
                'Classic Web Client was exploited as a zero-day in cyber '
                'attacks targeting the Brazilian military. The flaw arises '
                'from insufficient sanitization of HTML content in ICS '
                'calendar files, enabling arbitrary JavaScript execution when '
                'a user views a malicious email. Attackers used spoofed Libyan '
                'Navy Protocol Office emails with malicious ICS files to steal '
                'credentials, emails, contacts, and shared folders, forwarding '
                'them to an external server (ffrk[.]net) and adding malicious '
                'Zimbra email filter rules to redirect messages to '
                'spam_to_junk@proton.me. The attack employed evasion '
                'techniques, including UI element hiding and a 3-day delay '
                'before execution. The vulnerability was patched in Zimbra '
                'versions 9.0.0 Patch 44, 10.0.13, and 10.1.5 (released '
                'January 27, 2025).',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to '
                                       'Brazilian military and Zimbra (due to '
                                       'zero-day exploitation)',
            'data_compromised': ['Credentials',
                                 'Emails',
                                 'Contacts',
                                 'Shared Folders'],
            'identity_theft_risk': 'High (credentials and PII compromised)',
            'operational_impact': ['Unauthorized Email Redirection',
                                   'Data Exfiltration to External Server '
                                   '(ffrk[.]net)',
                                   "Malicious Filter Rules Added ('Correo')"],
            'systems_affected': ['Zimbra Collaboration (Classic Web Client)']},
 'initial_access_broker': {'backdoors_established': ['Malicious Zimbra email '
                                                     "filter rules ('Correo')"],
                           'entry_point': 'Malicious ICS file in spoofed '
                                          'Libyan Navy Protocol Office email',
                           'high_value_targets': ['Brazilian Military '
                                                  'Personnel',
                                                  'Shared Folders',
                                                  'Sensitive Emails']},
 'investigation_status': 'Ongoing (threat actor attribution unclear)',
 'lessons_learned': 'Zero-day vulnerabilities in widely used collaboration '
                    'tools can be leveraged for targeted espionage. Delayed '
                    'execution and UI hiding techniques can evade detection. '
                    'Spoofing legitimate entities (e.g., Libyan Navy) '
                    'increases attack success rates. Regular patching and '
                    'monitoring for anomalous email filters/rules are '
                    'critical.',
 'motivation': ['Espionage', 'Credential Theft', 'Data Exfiltration'],
 'post_incident_analysis': {'corrective_actions': ['Patch vulnerability '
                                                   '(CVE-2025-27915).',
                                                   'Enhance input validation '
                                                   'for ICS files.',
                                                   'Improve detection of '
                                                   'anomalous email '
                                                   'rules/filters.',
                                                   'Conduct user awareness '
                                                   'training on spoofed '
                                                   'emails.'],
                            'root_causes': ['Insufficient HTML sanitization in '
                                            'Zimbra Classic Web Client (ICS '
                                            'files).',
                                            'Lack of detection for '
                                            'delayed-execution scripts.',
                                            'Effective spoofing of high-trust '
                                            'sender (Libyan Navy).']},
 'recommendations': ['Apply Zimbra patches immediately (versions 9.0.0 Patch '
                     '44+, 10.0.13+, 10.1.5+).',
                     'Monitor for unusual email filter rules (e.g., named '
                     "'Correo').",
                     'Inspect ICS calendar files for embedded JavaScript.',
                     'Implement stricter HTML sanitization in webmail clients.',
                     'Train users to recognize spoofed emails, especially from '
                     'high-profile senders.',
                     'Deploy behavioral analysis to detect delayed or hidden '
                     'malicious scripts.'],
 'references': [{'source': 'NIST National Vulnerability Database (NVD)',
                 'url': 'https://nvd.nist.gov/vuln/detail/CVE-2025-27915'},
                {'date_accessed': '2025-09-30',
                 'source': 'StrikeReady Labs Report'},
                {'date_accessed': '2025-01-27',
                 'source': 'Zimbra Security Advisory'},
                {'source': 'ESET Research on APT28'}],
 'response': {'containment_measures': ['Zimbra patch release (2025-01-27)'],
              'remediation_measures': ['Update to Zimbra 9.0.0 Patch 44+, '
                                       '10.0.13+, or 10.1.5+'],
              'third_party_assistance': ['StrikeReady Labs (investigation)']},
 'threat_actor': 'Unknown (Potential Links to APT28, Winter Vivern, or UNC1151 '
                 'based on TTPs)',
 'title': 'Zero-Day Exploitation of CVE-2025-27915 in Zimbra Collaboration '
          'Targeting Brazilian Military',
 'type': ['Cyber Espionage', 'Data Theft', 'Zero-Day Exploitation'],
 'vulnerability_exploited': 'CVE-2025-27915 (Stored XSS in Zimbra Classic Web '
                            'Client via ICS files)'}