NG Solution Team
Technology

Is there an active exploitation of a zero-day XSS vulnerability in Zimbra Collaboration Suite?

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert about a zero-day cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite (ZCS), identified as CVE-2025-27915. This vulnerability, actively exploited in recent attacks, presents significant risks to organizations using this widely adopted email and collaboration platform.

The flaw is found in the Classic Web Client component of ZCS due to inadequate sanitization of HTML content in Internet Calendar System (ICS) files. Classified under CWE-79, this vulnerability allows embedded JavaScript to execute automatically when users view malicious ICS entries, exploiting the ontoggle event handler within a `<details>` tag. This method enables attackers to run arbitrary JavaScript code within the victim’s authenticated session, bypassing standard security controls by using legitimate calendar functionality to deliver harmful payloads. The minimal user interaction required—merely viewing a crafted email—makes this vulnerability particularly dangerous for widespread attacks.

Affected versions include ZCS 10.1.9, 10.0.15, and 9.0.0 Patch 46. The vulnerability’s exploitation can lead to unauthorized actions within compromised accounts, such as creating malicious email filters to redirect messages, facilitating data exfiltration, and ongoing surveillance.

CISA has set October 28, 2025, as the remediation deadline for federal agencies, urging immediate action from Zimbra administrators. Organizations are advised to apply vendor mitigations, follow cloud service guidance, or discontinue use if no effective solutions are available. Enhanced email security measures and user training on suspicious calendar invitations and ICS attachments are also recommended.
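As an added example (not code from Zimbra, CISA or this article), the following defender-side check flags inline HTML event-handler attributes such as ontoggle inside an ICS file, for use in a mail gateway or triage script. It unfolds RFC 5545 continuation lines first so a handler split across folded lines is still seen; the sample ICS, the `X-ALT-DESC` property and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the handler attribute is split by an RFC 5545 line fold
# and its body is a placeholder. The X-ALT-DESC property is an assumption.
SAMPLE = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
    "SUMMARY:Quarterly review\r\n"
    "X-ALT-DESC;FMTTYPE=text/html:<p>Agenda</p><details ontog\r\n"
    " gle=\"PLACEHOLDER\"><summary>more</summary></details>\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

class HandlerFinder(HTMLParser):
    """Collects (tag, attribute) for every on* event-handler attribute."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so ONTOGGLE matches too.
        self.hits += [(tag, name) for name, _ in attrs if name.startswith("on")]

def unfold(ics_text):
    """RFC 5545 3.1: a line break followed by space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics_text)

def unescape_text(value):
    """Undo RFC 5545 TEXT escapes (\\n, \\, \\; \\\\) before HTML parsing."""
    return re.sub(r"\\([\\;,nN])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def scan_ics(ics_text):
    """Return (property, tag, attribute) for each event handler found."""
    findings = []
    for line in unfold(ics_text).splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        prop = name.split(";")[0].upper()  # drop parameters such as FMTTYPE
        finder = HandlerFinder()
        finder.feed(unescape_text(value))
        finder.close()
        findings += [(prop, tag, attr) for tag, attr in finder.hits]
    return findings

if __name__ == "__main__":
    for prop, tag, attr in scan_ics(SAMPLE):
        print(f"suspicious: {prop} contains <{tag}> with {attr} handler")
```

A plain substring search for "ontoggle" misses the constructed sample because the fold splits the attribute name, which is why the scan unfolds before parsing.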
