A patched security vulnerability in Zimbra Collaboration was exploited as a zero-day earlier this year in cyber attacks that targeted the Brazilian army.
Tracked as CVE-2025-27915 (CVSS score: 5.4), the vulnerability is a stored cross-site scripting (XSS) flaw in the Classic Web Client that results from insufficient sanitization of HTML content in ICS calendar files, leading to arbitrary code execution.
"When a user views an email message, its embedded JavaScript inside a <details> tag is executed through an ontoggle event," according to the description of the flaw in the NIST National Vulnerability Database (NVD).
"This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to rules that redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including email redirection and data exfiltration."
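The mechanism above is HTML in a calendar property (such as DESCRIPTION) that survives into the rendered message with an inline event handler attached. The following added example, written for this article and not code from Zimbra or from the NVD, scans an ICS file for that pattern on the mail-gateway side. It first undoes RFC 5545 line folding, because a handler split across a folded line is invisible to a naive line-by-line grep; the sample invite is constructed for illustration.

```python
import re

# Constructed sample invite: the DESCRIPTION carries a <details> element whose
# ontoggle attribute is folded across two physical lines, as RFC 5545 permits.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
UID:constructed-example-1
SUMMARY:Meeting
DESCRIPTION:<details open ontog
 gle=alert(1)>Agenda</details>
X-ALT-DESC;FMTTYPE=text/html:<b>Agenda</b>
END:VEVENT
END:VCALENDAR
"""

# Properties whose values a webmail client may render as HTML.
TEXT_PROPERTIES = {"DESCRIPTION", "X-ALT-DESC", "SUMMARY", "LOCATION", "COMMENT"}

# An inline event-handler attribute (ontoggle=, onerror=, ...) inside any tag.
EVENT_HANDLER = re.compile(r"<[^>]*[\s/]on[a-z]+\s*=", re.IGNORECASE)
# Tags that carry active content directly.
ACTIVE_TAG = re.compile(r"<\s*(script|iframe|object|embed)\b", re.IGNORECASE)


def unfold_ics(text):
    """Undo RFC 5545 folding: a line beginning with SPACE or TAB continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def find_html_risks(ics_text):
    """Return (property, reason) pairs for text properties containing scriptable HTML."""
    findings = []
    for line in unfold_ics(ics_text):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        prop = name.split(";")[0].upper()  # strip parameters like ;FMTTYPE=text/html
        if prop not in TEXT_PROPERTIES:
            continue
        if EVENT_HANDLER.search(value):
            findings.append((prop, "inline event handler"))
        if ACTIVE_TAG.search(value):
            findings.append((prop, "active content tag"))
    return findings


if __name__ == "__main__":
    print(find_html_risks(SAMPLE_ICS))  # [('DESCRIPTION', 'inline event handler')]
```

Flagging on the event-handler attribute rather than on a tag name catches the same technique when a different element or handler is substituted for details/ontoggle.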
Zimbra addressed the flaw in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5, released on 27 January 2025. The advisory, however, does not mention that it was exploited in real-world attacks.
According to a report published by StrikeReady Labs on September 30, 2025, the in-the-wild activity involved unknown threat actors spoofing the Libyan Navy's Office of Protocol to target the Brazilian army with malicious ICS files that exploited the flaw.
The ICS file contains JavaScript code designed to act as a comprehensive data stealer, sending the collected data to an external server ("ffrk[.]net"). It also searches for emails in a specific folder and adds a malicious Zimbra email filter rule named "Correo" to forward messages to spam_to_junk@proton.me.
To evade detection, the script hides certain user interface elements and only runs if more than three days have passed since it last executed.
It is currently unclear who is behind the attack, but earlier this year ESET revealed that the Russian threat actor known as APT28 exploited XSS vulnerabilities in various webmail solutions from Roundcube, Horde, MDaemon, and Zimbra to gain unauthorized access.
A similar modus operandi has been adopted by other hacking groups such as Winter Vivern and UNC1151 (aka Ghostwriter).