
Hackers Exploit Zimbra Flaw Via iCalendar Files To Steal Data
Hackers have exploited a previously unknown flaw in Zimbra Collaboration Suite (ZCS) using iCalendar (.ICS) files to steal sensitive data, researchers at StrikeReady revealed.
In a rush? Here are the quick facts:
- The vulnerability affected ZCS versions 9.0, 10.0, and 10.1.
- Attackers stole credentials, emails, contacts, and shared folders from Zimbra Webmail.
- The malware executed asynchronously, hiding UI elements and evading detection.
ICS files are a standard format for exchanging calendar data, such as meetings and events, between applications. Attackers, however, found a cross-site scripting (XSS) vulnerability, tracked as CVE-2025-27915, in ZCS versions 9.0, 10.0, and 10.1.
The flaw stems from insufficient HTML sanitization of calendar file contents, which let attackers embed JavaScript that runs in the victim's webmail session and steals their session credentials.
StrikeReady detected the attack while monitoring for unusually large ICS files that contained JavaScript code. The researchers found that the campaign began in early January, before Zimbra released security updates on January 27.
“The threat actor spoofed the Libyan Navy’s Office of Protocol in an email that delivered a zero-day exploit that targeted a Brazilian military organization,” researchers said.
The attackers attached Base64-encoded ICS files to their malicious emails to conceal the obfuscated JavaScript inside them. Once executed, the code let attackers steal Zimbra Webmail user credentials along with email content, contact information, and access to shared folders.
The script also used the Zimbra SOAP API to search for emails, forwarded messages to a ProtonMail address, and exfiltrated stolen data repeatedly every four hours.
The malware has three main functions: hiding user-interface elements, capturing credentials by detecting when the user logs out, and enforcing a three-day reactivation delay to evade detection.
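As an added illustration (not StrikeReady's tooling or Zimbra's code), the following Python script applies the detection approach described above to a raw e-mail: it decodes Base64-encoded calendar attachments and flags those that are unusually large or carry HTML script content. The size threshold, the indicator patterns and the sample message are constructed assumptions.

```python
import base64
import re
from email import message_from_string

# Heuristics for the delivery pattern described above: unusually large .ICS
# attachments carrying HTML script content. The size threshold is an assumed value.
SUSPICIOUS_ICS_SIZE = 50_000  # bytes; a normal invite is a few KB
SCRIPT_PATTERNS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "javascript-uri": re.compile(r"\bjavascript\s*:", re.I),
    "event-handler": re.compile(r"\bon[a-z]+\s*=", re.I),  # e.g. onload=
    "embedded-frame": re.compile(r"<\s*(?:iframe|object|embed)\b", re.I),
}

def iter_ics_attachments(msg):
    """Yield (filename, decoded bytes) for each calendar attachment (base64 decoded)."""
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/calendar" or name.lower().endswith(".ics"):
            yield name, part.get_payload(decode=True) or b""

def scan_ics(data):
    """Return the names of the indicators found in one ICS attachment."""
    text = data.decode("utf-8", errors="replace")
    findings = [name for name, p in SCRIPT_PATTERNS.items() if p.search(text)]
    if len(data) > SUSPICIOUS_ICS_SIZE:
        findings.append("oversized-ics")
    return findings

def scan_email(raw):
    """Map each flagged calendar attachment's filename to its findings."""
    report = {}
    for name, data in iter_ics_attachments(message_from_string(raw)):
        findings = scan_ics(data)
        if findings:
            report[name] = findings
    return report

# Constructed sample: a base64-encoded ICS whose DESCRIPTION carries a script tag.
ICS_BODY = ("BEGIN:VCALENDAR\nBEGIN:VEVENT\nSUMMARY:Invite\n"
            "DESCRIPTION:<script>alert(1)</script>\nEND:VEVENT\nEND:VCALENDAR\n")
SAMPLE_EMAIL = (
    "From: sender@example.invalid\nTo: victim@example.invalid\nSubject: Meeting\n"
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nSee attached.\n"
    '--b1\nContent-Type: text/calendar; name="invite.ics"\n'
    'Content-Transfer-Encoding: base64\nContent-Disposition: attachment; filename="invite.ics"\n\n'
    + base64.b64encode(ICS_BODY.encode()).decode() + "\n--b1--\n"
)
print(scan_email(SAMPLE_EMAIL))  # -> {'invite.ics': ['script-tag']}
```

The patterns are deliberately broad heuristics for triage; a benign invite that mentions "javascript:" in its description will also be flagged, so treat hits as candidates for review rather than verdicts.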
While StrikeReady couldn’t confirm the attackers’ identity, they noted that “a Russian-linked group is especially prolific” at exploiting such vulnerabilities. They also observed tactics similar to those used by UNC1151, a group linked to the Belarusian government.
BleepingComputer received a statement from Zimbra indicating that the company does not believe the exploit is being used at scale.
However, the company advises users to update their systems immediately, monitor network activity for suspicious behavior, and check their mail filters for unauthorized modifications.