Stored Cross-Site Scripting Vulnerability in Zimbra Collaboration Products
CVE-2025-27915
Key Information:
- Vendor: Zimbra
- CVE Published: 12 March 2025
What is CVE-2025-27915?
CVE-2025-27915 is a stored cross-site scripting (XSS) vulnerability affecting Zimbra Collaboration Products, specifically versions 9.0, 10.0, and 10.1. Zimbra Collaboration is a widely used email and collaboration platform for business communications and workflow. The vulnerability stems from inadequate sanitization of HTML content inside ICS files, the format used for calendar entries. When a user opens an email containing a malicious ICS entry, JavaScript embedded in the content can execute through an ontoggle event handler inside a <details> tag. That script runs in the context of the user's session, so an attacker can perform unauthorized actions as the victim, including modifying email settings to divert messages to an attacker-controlled account or exfiltrating sensitive data. The consequences can be severe for organizations that rely on Zimbra for secure communications.
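The root cause described above is HTML in calendar properties reaching the browser with inline event handlers intact. The following added example (not Zimbra code, and not taken from any advisory) shows a defensive check a mail gateway or an incident responder could run over an ICS attachment: it unfolds the RFC 5545 lines, pulls out the properties that carry HTML (X-ALT-DESC, or DESCRIPTION when it contains markup), and flags any on* attribute, ontoggle included, before the content is rendered. The ICS samples are constructed for this example; the handler value in them is inert.

```python
"""Flag inline event-handler attributes in the HTML of an ICS calendar entry.

Added example for illustration only; it is not Zimbra's sanitizer. The ICS
text below is constructed, and the ontoggle value is deliberately harmless.
"""
from html.parser import HTMLParser
import re


class EventHandlerFinder(HTMLParser):
    """Collect (tag, attribute, value) for every on* attribute seen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names, so ONTOGGLE is caught too
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, name, value or ""))


def unfold_ics(text):
    """Join RFC 5545 folded lines: a continuation line starts with SPACE or TAB."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def unescape_ics_text(value):
    """Undo the TEXT escapes (\\, \\; \\n) that ICS applies to property values."""
    return value.replace("\\n", "\n").replace("\\,", ",").replace("\\;", ";")


def html_properties(ics_text):
    """Yield (property_name, html) for properties that may carry HTML markup."""
    for line in unfold_ics(ics_text):
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        name = head.split(";", 1)[0].upper()
        value = unescape_ics_text(value)
        if name == "X-ALT-DESC" or (name == "DESCRIPTION" and "<" in value):
            yield name, value


def find_event_handlers(html):
    """Return every on* attribute in an HTML fragment as (tag, attr, value)."""
    parser = EventHandlerFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_ics(ics_text):
    """Return one finding per inline event handler found in the ICS HTML."""
    findings = []
    for prop, html in html_properties(ics_text):
        for tag, attr, _value in find_event_handlers(html):
            findings.append({"property": prop, "tag": tag, "attr": attr})
    return findings


def strip_event_handlers(html):
    """Crude fallback: drop on*=... attributes when no real sanitizer is available."""
    pattern = r"""\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)"""
    return re.sub(pattern, "", html, flags=re.IGNORECASE)


# Constructed sample invite: the HTML alternative description carries a
# <details> element with an inert ontoggle handler, folded across two lines.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//constructed sample//EN",
    "BEGIN:VEVENT",
    "UID:constructed-0001@example.invalid",
    "DTSTART:20250312T090000Z",
    "SUMMARY:Quarterly review",
    "DESCRIPTION:Plain text agenda\\, nothing unusual",
    "X-ALT-DESC;FMTTYPE=text/html:<html><body><p>Agenda</p><details open",
    '  ontoggle="void 0"><summary>More</summary></details></body></html>',
    "END:VEVENT",
    "END:VCALENDAR",
])

# Same invite with no event handler, for comparison.
CLEAN_ICS = SAMPLE_ICS.replace(' ontoggle="void 0"', "")

if __name__ == "__main__":
    for finding in scan_ics(SAMPLE_ICS):
        print("inline handler:", finding)   # flags details/ontoggle in X-ALT-DESC
    print("clean invite findings:", scan_ics(CLEAN_ICS))
```

A scanner like this complements, rather than replaces, a real HTML sanitizer at render time: the regex fallback removes quoted and unquoted on* attributes but does not understand every HTML quirk, so the detection path (find_event_handlers) is the one to trust for alerting.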
Potential Impact of CVE-2025-27915
- Unauthorized Access and Account Compromise: Attackers can execute arbitrary JavaScript, allowing them to manipulate victims' email accounts. This might enable them to alter filters, forward emails, or manage sensitive information without consent, drastically compromising account integrity.
- Data Breach Risks: By exploiting this vulnerability, attackers can potentially gain access to sensitive organizational data. This includes confidential communications and documents, which could lead to significant privacy violations and expose the organization to regulatory fines and reputational damage.
- Operational Disruption: Organizations could face operational challenges as attacks may target the email systems, disrupting critical communications. Such interruptions can hinder workflow and affect overall productivity, causing financial losses and diminishing trust among clients and partners.
CISA has reported CVE-2025-27915
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-27915 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This status is subject to change quickly.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
News Articles
Zimbra ZCS Flaw CVE-2025-27915 Actively Exploited
CISA alerts on CVE-2025-27915 in Zimbra ZCS Classic Web Client, a zero-day XSS flaw actively exploited to hijack user sessions and steal sensitive data.
CISA Warns of Zimbra Collaboration Suite Zero-Day XSS Exploited in Active Attacks
The flaw allows attackers to hijack user sessions, steal sensitive data, and manipulate email filters without requiring elevated privileges.
CISA adds Zimbra Collaboration Suite bug to known exploited vulnerability catalogue
CVE-2025-27915 was used earlier this year to target the Brazilian military in a data theft attempt.
References
EPSS Score
23% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🦅 CISA Reported
- 👾 Exploit known to exist
- 📰 First article discovered by The Hacker News
- Vulnerability published
- Vulnerability Reserved
