Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Zimbra Zero-Day Exploited to Target Brazilian Military via Malicious ICS Files

The Hacker News by The Hacker News
October 6, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Oct 06, 2025Ravie LakshmananEmail Security / Zero-Day

A now patched security vulnerability in Zimbra Collaboration was exploited as a zero-day earlier this year in cyber attacks targeting the Brazilian military.

Tracked as CVE-2025-27915 (CVSS score: 5.4), the vulnerability is a stored cross-site scripting (XSS) vulnerability in the Classic Web Client that arises as a result of insufficient sanitization of HTML content in ICS calendar files, resulting in arbitrary code execution.

“When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag,” according to a description of the flaw in the NIST National Vulnerability Database (NVD).

DFIR Retainer Services

“This allows an attacker to run arbitrary JavaScript within the victim’s session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim’s account, including e-mail redirection and data exfiltration.”

The vulnerability was addressed by Zimbra as part of versions 9.0.0 Patch 44, 10.0.13, and 10.1.5 released on January 27, 2025. The advisory, however, makes no mention of it having been exploited in real-world attacks.

However, according to a report published by StrikeReady Labs on September 30, 2025, the observed in-the-wild activity involved unknown threat actors spoofing the Libyan Navy’s Office of Protocol to target the Brazilian military using malicious ICS files that exploited the flaw.

The ICS file contained a JavaScript code that’s designed to act as a comprehensive data stealer to siphon credentials, emails, contacts, and shared folders to an external server (“ffrk[.]net”). It also searches for emails in a specific folder, and adds malicious Zimbra email filter rules with the name “Correo” to forward the messages to spam_to_junk@proton.me.

CIS Build Kits

As a way to avoid detection, the script is fashioned such that it hides certain user interface elements and detonates only if more than three days have passed since the last time it was executed.

It’s currently not clear who is behind the attack, but earlier this year, ESET revealed that the Russian threat actor known as APT28 had exploited XSS vulnerabilities in various webmail solutions from Roundcube, Horde, MDaemon, and Zimbra to obtain unauthorized access.

A similar modus operandi has also been adopted by other hacking groups like Winter Vivern and UNC1151 (aka Ghostwriter) to facilitate credential theft.



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Opensignal launches suite of broadband capabilities to help ISPs optimize customer experience and gain competitive advantage

Opensignal launches suite of broadband capabilities to help ISPs optimize customer experience and gain competitive advantage

Recommended.

AMD Takes On Intel, Apple And Nvidia With Ryzen AI Max Chips

AMD Takes On Intel, Apple And Nvidia With Ryzen AI Max Chips

January 6, 2025
Salesforce unveils its Agentforce 360 platform to build, deploy AI agents

Salesforce unveils its Agentforce 360 platform to build, deploy AI agents

October 13, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
Anaconda Extends AI-Native Application Development With Acquisition

Anaconda Extends AI-Native Application Development With Acquisition

May 1, 2026
AT&T Vs. Verizon: How The Country’s Biggest Carriers Fared In Q4 2025

AT&T Vs. Verizon: How The Country’s Biggest Carriers Fared In Q4 2025

January 30, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio