Researchers uncovered zero-day exploitation of Zimbra Collaboration Suite (ZCS) through a cross-site scripting vulnerability (CVE-2025-27915) that delivers malicious JavaScript payloads via ICS calendar files. The attacks targeted military organizations and involved sophisticated credential theft and data exfiltration techniques, with signs of possible attribution to Russian-linked and Belarusian threat groups. #Zimbra #CVE202527915
Key points
- Researchers detected zero-day attacks exploiting a flaw in Zimbra Collaboration Suite through large ICS files.
- The vulnerability allows execution of malicious JavaScript embedded in ICS files because ICS content is insufficiently sanitized before it is rendered.
- The threat actors used obfuscated scripts to steal credentials, emails, contacts, and shared folder data.
- The attacks included emails spoofing the Libyan Navy and targeted military organizations, indicating geopolitical motives.
- Similar tactics are associated with the threat group UNC1151 and a Russian-linked hacking group, though attribution remains uncertain.
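The sanitization point above (script content inside ICS properties reaching a renderer) is the kind of thing a mail gateway or SOC can screen for before calendar attachments reach the web client. The following is an added defender-side example written for this summary; it is not code from the researchers or from Zimbra, and it does not reproduce the actual exploit. It assumes a generic check: unfold RFC 5545 continuation lines (a folded line could otherwise split a tag across two physical lines and slip past a naive line-by-line grep), then look for HTML/script markers in property values and flag files above an assumed size threshold, since the page only says the ICS files were large without giving a number. The indicator list and the 256 KiB threshold are my assumptions; the two ICS samples are constructed.

```python
import re

# Markers a defender would treat as HTML/JavaScript inside a calendar property.
# This list is an assumption for the example; the page does not state which
# constructs the real payload used.
HTML_SCRIPT_INDICATORS = [
    ("script_tag", re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("event_handler", re.compile(r"\bon[a-z]{3,}\s*=", re.IGNORECASE)),
    ("embedded_tag", re.compile(r"<\s*(iframe|svg|img|object|embed)\b", re.IGNORECASE)),
]

# Assumed size threshold: the page only says the malicious ICS files were "large".
DEFAULT_SIZE_THRESHOLD = 256 * 1024


def unfold_ics(text):
    """Join RFC 5545 folded lines: a CRLF (or LF) followed by a space or tab
    is a continuation of the previous line and must be removed before parsing."""
    return re.sub(r"\r?\n[ \t]", "", text)


def iter_properties(text):
    """Yield (NAME, value) pairs from an ICS body, ignoring property parameters
    such as ;ENCODING=... so that DESCRIPTION;X=Y:value still reports DESCRIPTION."""
    for line in re.split(r"\r?\n", unfold_ics(text)):
        if not line or ":" not in line:
            continue
        head, value = line.split(":", 1)
        yield head.split(";", 1)[0].upper(), value


def scan_ics(text, size_threshold=DEFAULT_SIZE_THRESHOLD):
    """Return a small report: size, whether it exceeds the threshold, and every
    (property, indicator) pair where an HTML/script marker was found."""
    findings = []
    for name, value in iter_properties(text):
        for label, pattern in HTML_SCRIPT_INDICATORS:
            if pattern.search(value):
                findings.append((name, label))
    size = len(text.encode("utf-8"))
    return {
        "size_bytes": size,
        "oversized": size > size_threshold,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed benign sample (not from the page).
BENIGN_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//Example Corp//Calendar//EN",
    "BEGIN:VEVENT",
    "UID:20250101T120000Z-1@example.com",
    "DTSTAMP:20250101T120000Z",
    "DTSTART:20250102T090000Z",
    "SUMMARY:Quarterly planning",
    "DESCRIPTION:Agenda attached",
    "END:VEVENT",
    "END:VCALENDAR",
])

# Constructed suspicious sample: a placeholder <script> tag deliberately folded
# across two physical lines, which only an unfolding scanner will catch.
SUSPICIOUS_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "BEGIN:VEVENT",
    "UID:1@example.invalid",
    "SUMMARY:Meeting",
    "DESCRIPTION:Updated agenda <scr",
    " ipt>/* placeholder */</script>",
    "END:VEVENT",
    "END:VCALENDAR",
])

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_ICS), ("suspicious", SUSPICIOUS_ICS)):
        print(label, scan_ics(sample))
```

The folded sample is the edge case worth testing in any real deployment: RFC 5545 permits a line break plus leading whitespace anywhere inside a value, so any scanner that greps raw lines instead of unfolding first will miss a tag split that way. The size flag is kept separate from the indicator findings so an oversized but clean file can be logged without being blocked.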