October 6, 2025 By Pierluigi Paganini

Threat actors exploited a Zimbra zero-day by delivering malicious iCalendar (.ICS) files as calendar attachments.

StrikeReady researchers discovered that threat actors exploited the vulnerability CVE-2025-27915 in Zimbra Collaboration Suite in zero-day attacks using malicious iCalendar (.ICS) files. These files, used to share calendar data, were weaponized to deliver JavaScript payloads to targeted systems earlier this year.

CVE-2025-27915 is a stored XSS flaw in Zimbra Collaboration Suite (versions 9.0–10.1) caused by improper HTML sanitization in ICS files. When victims open an email with a malicious ICS entry, JavaScript executes via an ontoggle event, allowing attackers to hijack sessions, set email redirects, and exfiltrate data.
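
A defender-side check for the delivery vector described above, as an added example that is not from StrikeReady, Zimbra or the original article: it unfolds an ICS file's content lines and reports any property whose value contains an HTML tag with an on<event> attribute such as ontoggle. The sample calendar, the property it uses and the PLACEHOLDER handler body are constructed for illustration; scanning every property rather than a specific one is an assumption, since the article does not say which field carried the markup.

```python
import re

# An HTML start tag carrying an on<event>= attribute (ontoggle, onerror, ...).
EVENT_ATTR = re.compile(r"<[a-z][^<>]*?[\s/\"'](on[a-z]+)\s*=", re.I)

def unfold(text):
    """RFC 5545 folding: a line break followed by one space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", text)

def split_content_line(line):
    """Return (NAME, value); the value starts at the first ':' outside quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            name = re.split(r"[;:]", line, maxsplit=1)[0].upper()
            return name, line[i + 1:]
    return None

def unescape_text(value):
    """Undo iCalendar TEXT backslash escapes for newline, comma, semicolon, backslash."""
    return re.sub(r"\\([\\;,nN])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def scan_ics(text):
    """List (property, attribute) pairs for event-handler attributes in any value."""
    findings = []
    for line in unfold(text).splitlines():
        parsed = split_content_line(line)
        if parsed is None:
            continue
        name, value = parsed
        for attr in EVENT_ATTR.findall(unescape_text(value)):
            findings.append((name, attr.lower()))
    return findings

# Constructed sample: inert markup, with the attribute name split by line folding
# so that a plain substring search for "ontoggle" over the raw file finds nothing.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "SUMMARY:Quarterly review\r\n"
    "DESCRIPTION:<div onto\r\n"
    " ggle=\"PLACEHOLDER\">agenda</div>\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for prop, attr in scan_ics(SAMPLE_ICS):
        print(f"{prop}: HTML event handler attribute '{attr}'")
```

A hit is a triage signal for quarantine or review of the attachment, not proof of exploitation, and the pattern is a heuristic that can also match benign HTML descriptions.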