Zimbra Zero-Day Exploited to Target Brazilian Military via Malicious ICS Files
07.10.2025

Zimbra patched a CVE-2025-27915 XSS flaw exploited in attacks targeting Brazil's military via ICS files.
Zimbra just patched CVE-2025-27915 — a gnarly XSS flaw that got weaponized as a zero-day to hit Brazil's military. Attackers slid in via malicious ICS files, turning email into a backdoor. This ain't just another bug; it's a targeted op with real geopolitical teeth.
The exploit chain is slick: craft an ICS file (you know, those calendar invites), embed malicious scripts, and boom — cross-site scripting lets attackers hijack sessions, swipe credentials, and exfil data. Zimbra's webmail client became the unwitting mule.
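As an added example (not code from the original post, Zimbra, or the attackers): a small Python filter that unfolds an ICS file the way RFC 5545 requires and flags calendar properties carrying HTML or script content, the kind of check a mail gateway or SOC can run on invites before they reach a webmail client that is not yet patched. The sample invite below is constructed for the demo; the folding across two lines shows why a naive line-by-line grep is not enough.

```python
import re
from typing import List, Tuple

# Constructed sample invite (not a real attack artifact): the DESCRIPTION
# carries inline HTML, folded across two lines as RFC 5545 allows, which is
# the kind of content a naive line-by-line grep would miss.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//Example//Gateway Test//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-1@example.invalid\r\n"
    "SUMMARY:Mandatory training\r\n"
    "DESCRIPTION:Agenda attached.<script>alert(1)</scri\r\n"
    " pt>\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Markers of active content inside what should be plain-text fields.
SUSPICIOUS = [
    re.compile(r"<\s*(script|iframe|object|embed|svg|img)\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),   # inline event handlers (onerror=, onload=)
    re.compile(r"javascript\s*:", re.I),   # javascript: URIs in links
]

def unfold(ics_text: str) -> List[str]:
    """Join RFC 5545 folded lines: a continuation line starts with SPACE or HTAB."""
    lines: List[str] = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def properties(ics_text: str) -> List[Tuple[str, str]]:
    """Return (NAME, value) pairs with parameters such as ;LANGUAGE=en stripped."""
    out: List[Tuple[str, str]] = []
    for line in unfold(ics_text):
        if ":" in line:
            name, value = line.split(":", 1)
            out.append((name.split(";", 1)[0].upper(), value))
    return out

def find_active_content(ics_text: str) -> List[str]:
    """Names of properties whose value contains script-like content."""
    return [n for n, v in properties(ics_text)
            if any(p.search(v) for p in SUSPICIOUS)]

def should_quarantine(ics_text: str) -> bool:
    return bool(find_active_content(ics_text))
```

Run `find_active_content(SAMPLE_ICS)` to see which property tripped the filter; a gateway would quarantine the message and alert on the sender rather than just drop it.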

Brazil's military orgs got specifically targeted — think strategic comms, deployment schedules, maybe even classified intel. The attackers knew exactly who to hit and how to blend in. This isn't spray-and-pray; it's surgical.
Zimbra dropped the patch, so if you're running their suite, update NOW. CVE-2025-27915 is marked critical — unauthenticated remote code execution via XSS in calendar handling. No creds needed, just a poisoned invite.
- CVE-2025-27915: XSS vulnerability in Zimbra webmail
- Exploited via malicious ICS (calendar) files
- Targeted Brazilian military entities
- Enables session hijacking and data theft
- Patched in latest Zimbra release
The takeaway? Email clients are still a prime attack surface. If you're in defense, gov, or any high-value sector, assume your calendar is a threat vector. Patch, monitor, and maybe don't click that 'mandatory training' invite from an unknown sender.

