CISA Alerts on Zimbra Collaboration Suite Zero-Day XSS Flaw Exploited in Ongoing Attacks

CISA has issued a warning about a new zero-day cross-site scripting (XSS) flaw in the Zimbra Collaboration Suite (ZCS).

This vulnerability is already in use by attackers to hijack user sessions, steal data, and push malicious filters.

Organizations running ZCS should move quickly to apply available fixes or follow guidance to limit risk.

Overview of the Vulnerability

The vulnerability stems from insufficient sanitization of HTML in calendar invitation files (ICS) viewed in the Classic Web Client.

An attacker can craft an ICS entry that embeds JavaScript code inside an event’s ontoggle attribute. When an unsuspecting user opens an email with the malicious ICS attachment, that script runs in the context of the user’s session.

Product: Zimbra Collaboration Suite (ZCS)
CVE ID: CVE-2025-27915
Vulnerability Description: ZCS Classic Web Client fails to sanitize HTML content in ICS files. Viewing a malicious ICS entry triggers embedded JavaScript via the ontoggle event, allowing arbitrary script execution in the user’s session.

This gives an attacker the same level of access as the victim. Attackers can then change email filters to forward messages, exfiltrate data, or perform other unauthorized actions on behalf of the user.

CISA added this flaw to its Known Exploited Vulnerabilities Catalog on October 7, 2025, and set an action deadline of October 28, 2025. The alert urges all ZCS administrators to:

  • Review vendor advisories and apply patches or workarounds immediately.
  • Follow Cloud Security Technical Reference Architecture guidance under BOD 22-01 for cloud-hosted deployments.
  • If no mitigations are available, consider disabling the Classic Web Client or discontinuing use of affected Zimbra servers until fixes arrive.

CISA also recommends monitoring logs for suspicious email filter changes or unusual ICS file attachments. Any signs of compromise should be treated as high priority.

This zero-day XSS flaw carries a CVSS score of 7.5 out of 10, marking it as high severity. It affects all supported versions of Zimbra Collaboration Suite that include the Classic Web Client.

Because the flaw requires only that a user view an email, it can be exploited through phishing campaigns or by sending malicious calendar invites to employees.

While it is not yet clear which ransomware groups have adopted this vulnerability, its ease of use and high impact make it a likely candidate for inclusion in targeted email-based campaigns.

Security teams should also consider tightening email attachment policies and adding inspection rules for ICS files.
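One shape such an ICS inspection rule can take, as an added example (not from the CISA alert or from Zimbra's code): it unfolds the attachment per RFC 5545, then flags free-text properties whose value carries an HTML event-handler attribute such as ontoggle, an inline script tag or a javascript: URL. The sample attachment, the property list and the quarantine action are constructed for the demo.

```python
import re
from typing import Dict, List

# Constructed sample attachment for the demo; not taken from any real message.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
UID:constructed-001@example.invalid
SUMMARY:Quarterly review
DESCRIPTION:Agenda attached.
X-ALT-DESC;FMTTYPE=text/html:<html><body><details ontoggle="x()">Agenda
 </details></body></html>
END:VEVENT
END:VCALENDAR
"""

# Free-text properties an attacker controls and a mail client may render as HTML.
TEXT_PROPS = ("SUMMARY", "DESCRIPTION", "LOCATION", "COMMENT", "X-ALT-DESC")
# Any HTML tag with an on*= event handler (ontoggle, onerror, ...), an inline
# <script> tag, or a javascript: URL.
EVENT_HANDLER = re.compile(r"<[^>]*\bon[a-z]+\s*=", re.IGNORECASE)
SCRIPT_OR_JS_URL = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)

def unfold(ics: str) -> List[str]:
    """RFC 5545 unfolding: a line starting with SPACE or HTAB continues the previous one."""
    lines: List[str] = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]   # a folded handler attribute is reassembled here
        else:
            lines.append(raw)
    return lines

def scan_ics(ics: str) -> List[Dict[str, str]]:
    """Return one finding per text property whose value carries active HTML content."""
    findings: List[Dict[str, str]] = []
    for line in unfold(ics):
        if ":" not in line:
            continue
        name_part, value = line.split(":", 1)
        prop = name_part.split(";", 1)[0].upper()  # drop parameters such as ;FMTTYPE=
        if prop in TEXT_PROPS and (EVENT_HANDLER.search(value) or SCRIPT_OR_JS_URL.search(value)):
            findings.append({"property": prop, "value": value})
    return findings

if __name__ == "__main__":
    for f in scan_ics(SAMPLE_ICS):
        print(f"QUARANTINE: {f['property']} carries active HTML: {f['value'][:70]}")
```

Plain formatting tags such as <b> in a SUMMARY are not flagged, so the rule targets script execution rather than all HTML in invites.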

User awareness programs on the risks of unexpected calendar invites may help reduce the chance of successful attacks.

Timely patching and careful monitoring are critical to stop attackers from leveraging this flaw. All ZCS users are advised to act immediately to protect their email environments.
