CISA Warns of Zimbra Collaboration Suite Zero-Day XSS Exploited in Active Attacks

CISA has issued an urgent alert regarding a newly discovered zero-day cross-site scripting (XSS) vulnerability in the Zimbra Collaboration Suite (ZCS) that is being actively exploited by threat actors.

The flaw allows attackers to hijack user sessions, steal sensitive data, and manipulate email filters without requiring elevated privileges.

With proof-of-concept exploits already in the wild, ZCS administrators are urged to implement available patches or follow interim mitigation strategies immediately to prevent unauthorized access and potential data breaches.

Overview of the Vulnerability

The vulnerability arises from insufficient sanitization of HTML content in calendar invitation files (ICS) when viewed using the Classic Web Client interface.

An attacker crafts a malicious ICS entry whose HTML content carries JavaScript in an ontoggle event-handler attribute.

When an unsuspecting user opens an email containing the compromised ICS attachment, the injected script executes in the context of the user’s session.

This execution grants the attacker the same privilege level as the victim, enabling them to perform a range of actions, including altering email filters, forwarding messages, and exfiltrating sensitive information.

| Product | CVE ID | Vulnerability Description |
| --- | --- | --- |
| Zimbra Collaboration Suite (ZCS) | CVE-2025-27915 | ZCS Classic Web Client fails to sanitize HTML content in ICS files. Viewing a malicious ICS entry triggers embedded JavaScript via the ontoggle event, allowing arbitrary script execution in the user's session. |

CISA added this XSS flaw to its Known Exploited Vulnerabilities Catalog on October 7, 2025, assigning an action deadline of October 28, 2025. The vulnerability carries a CVSS score of 7.5, indicating high severity.

Because the exploit requires only that a user view an email, attackers can leverage phishing campaigns or send malicious calendar invites directly to employees to trigger the exploit.

Once the script runs, adversaries can persistently manipulate mailbox settings to forward incoming messages, harvest credentials from web sessions, or install backdoors for further network penetration.

Though no specific ransomware groups have publicly claimed use of this vulnerability, its simplicity and impact make it a likely addition to targeted email-based campaigns.

CISA recommends that all ZCS administrators review vendor advisories and apply official patches or workarounds immediately.

For cloud-hosted deployments, organizations should follow the Cloud Security Technical Reference Architecture guidance under BOD 22-01.

In environments where fixes are not yet available, administrators may disable the Classic Web Client or temporarily suspend affected Zimbra servers until updates are released.

Monitoring systems should be configured to detect unusual ICS file attachments and suspicious changes to email filter configurations.

Security teams are also advised to tighten email attachment policies by implementing content inspection rules for ICS files and to educate end users about the risks associated with unexpected calendar invites.
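One way to implement the ICS content-inspection rule described above, as an added example that is not part of CISA's advisory or of Zimbra's own code. The two sample invitations and the list of inspected properties are constructed for illustration; the handler body in the sample is a placeholder, not a working payload.

```python
import re
from typing import Dict, List

# Constructed sample invitation (not a real capture). The DESCRIPTION carries an
# HTML event-handler attribute (ontoggle) split across an ICS line fold.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-example-1@example.invalid\r\n"
    "SUMMARY:Quarterly planning\r\n"
    "DESCRIPTION:Agenda attached. <details open ontog\r\n"
    " gle=\"handler()\">see notes</details>\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

# Constructed benign invitation used as a negative control.
CLEAN_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-example-2@example.invalid\r\n"
    "SUMMARY:Team sync\r\nDESCRIPTION:Weekly status\\, bring notes.\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

# Text properties a mail client is likely to render (constructed list, extend as needed).
TEXT_PROPS = {"SUMMARY", "DESCRIPTION", "LOCATION", "COMMENT", "X-ALT-DESC"}

# Any inline HTML event handler (on<name>=) inside a tag, and javascript: URLs.
HANDLER_RE = re.compile(r"<[^>]*\bon[a-z]+\s*=", re.IGNORECASE)
JS_URL_RE = re.compile(r"javascript\s*:", re.IGNORECASE)


def unfold_ics(raw: str) -> List[str]:
    """Undo RFC 5545 line folding (CRLF followed by one space or tab).

    A handler name can be split across a fold, so unfold before matching."""
    text = raw.replace("\r\n", "\n")
    text = re.sub(r"\n[ \t]", "", text)
    return [line for line in text.split("\n") if line]


def scan_ics(raw: str) -> List[Dict[str, str]]:
    """Return the rendered text properties that contain an event handler or javascript: URL."""
    findings: List[Dict[str, str]] = []
    for line in unfold_ics(raw):
        name, sep, value = line.partition(":")
        prop = name.split(";", 1)[0].upper()  # drop parameters such as ;LANGUAGE=en
        if not sep or prop not in TEXT_PROPS:
            continue
        # Undo ICS text escaping so the regexes see what the client would render.
        value = value.replace("\\n", "\n").replace("\\,", ",").replace("\\;", ";")
        if HANDLER_RE.search(value) or JS_URL_RE.search(value):
            findings.append({"property": prop, "value": value})
    return findings
```

The scanner flags any on-event attribute rather than only ontoggle, since the same sanitization gap applies to every inline handler; a gateway rule would quarantine or strip attachments where `scan_ics` returns a non-empty list.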

Timely patching and vigilant monitoring remain the most effective defenses against exploitation of CVE-2025-27915.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
