Zimbra Zero-Day Fiasco: Brazilian Military Targeted in ICS Calendar Hack Attack
A zero-day vulnerability in Zimbra Collaboration, tracked as CVE-2025-27915, was exploited in cyber attacks against the Brazilian military. The flaw allowed bad actors to execute arbitrary JavaScript via malicious ICS files, leading to unauthorized actions like email redirection. Zimbra patched the issue in January 2025, but not before the damage was done.

Hot Take:
Looks like the Brazilian military got an uninvited email from their “friends” at the Libyan Navy’s Office of Protocol. If only there were an emoji for “Oops, wrong address and also, we’re hacking you!” This Zimbra vulnerability is like inviting a vampire into your inbox—once it’s in, it’s hard to get rid of. Yet again, our inboxes are the front lines in the never-ending war of cyber-espionage, and the only thing scarier than this XSS attack is my spam folder.
Key Points:
- Zimbra Collaboration had a zero-day vulnerability, CVE-2025-27915, exploited in attacks against the Brazilian military.
- The flaw was a stored cross-site scripting vulnerability in the Classic Web Client.
- Malicious ICS calendar files were used to execute arbitrary JavaScript code.
- The attack was reportedly conducted by spoofing the Libyan Navy’s Office of Protocol.
- Similar techniques have been used by other notorious hacking groups like APT28 and Winter Vivern.
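As an added example, not code from the original article or from Zimbra, here is a defender-side scanner for incoming ICS attachments: it unfolds RFC 5545 line continuations and unescapes TEXT values before looking for HTML and script markers in the properties a web client is likely to render. The property list and marker patterns are assumptions, and the sample invite is constructed.

```python
import re

# Constructed sample: a benign invite plus one whose DESCRIPTION carries inline HTML.
# The second uses RFC 5545 line folding (a continuation line begins with a space),
# so a scanner that matches on raw lines never sees "onerror" as one token.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\nUID:1@example.test\r\n"
    "SUMMARY:Quarterly review\r\nDESCRIPTION:Agenda attached\\, see notes.\r\nEND:VEVENT\r\n"
    "BEGIN:VEVENT\r\nUID:2@example.test\r\nSUMMARY:Protocol meeting\r\n"
    "DESCRIPTION:Please confirm <img src=x on\r\n error=\"x()\">\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
)

# Assumed markers of active content and assumed set of text properties a client may render.
SUSPECT = re.compile(r"<\s*(script|iframe|object|embed|svg)\b|javascript\s*:|\bon[a-z]+\s*=", re.I)
TEXT_PROPS = {"SUMMARY", "DESCRIPTION", "LOCATION", "COMMENT"}

def unfold(raw: str) -> list[str]:
    """Undo RFC 5545 folding: a line starting with space/tab continues the previous line."""
    lines: list[str] = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return [l for l in lines if l]

def unescape(value: str) -> str:
    """Undo RFC 5545 TEXT escaping: \\n and \\N become newlines, \\, \\; \\\\ become literals."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append("\n" if nxt in "nN" else nxt)
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def scan_ics(raw: str) -> list[tuple[str, str, str]]:
    """Return (uid, property, snippet) for each rendered text property holding active content."""
    hits, uid = [], ""
    for line in unfold(raw):
        name, _, value = line.partition(":")
        prop = name.split(";", 1)[0].upper()  # drop parameters such as ;LANGUAGE=en
        if prop == "UID":
            uid = value
        elif prop in TEXT_PROPS:
            text = unescape(value)
            m = SUSPECT.search(text)
            if m:
                hits.append((uid, prop, text[max(0, m.start() - 10):m.end() + 20]))
    return hits
```

Flagged invites should be quarantined or have their text properties stripped to plain text at the gateway; the real fix remains the vendor patch, since a stored XSS means the client rendered the content without encoding it.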