CVE-2025-27915

5.4 MEDIUM CISA KEV

📋 TL;DR

This stored XSS vulnerability in Zimbra Collaboration allows attackers to inject malicious JavaScript via ICS calendar files in emails. When victims view these emails, the JavaScript executes in their session, enabling unauthorized actions like email filter manipulation. Affects Zimbra 9.0, 10.0, and 10.1 users who use the Classic Web Client.

💻 Affected Systems

Products:
  • Zimbra Collaboration Suite
Versions: 9.0, 10.0, 10.1
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Classic Web Client interface. Modern UI/Zimbra Web Client may not be vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover via email filter redirection, leading to data exfiltration, credential theft, and further lateral movement within the organization.

🟠 Likely Case

Attackers redirect victim emails to external addresses, intercept sensitive communications, and potentially steal session cookies for account access.

🟢 If Mitigated

Limited impact with proper email filtering, user awareness, and network segmentation preventing external communication of stolen data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires sending a malicious email to the target; the attack chain is simple once the malicious ICS file is crafted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.0.0 P44, 10.0.13, 10.1.5

Vendor Advisory: https://wiki.zimbra.com/wiki/Security_Center

Restart Required: Yes

Instructions:

1. Backup Zimbra installation.
2. Download appropriate patch version from Zimbra website.
3. Stop Zimbra services.
4. Apply patch.
5. Restart Zimbra services.
6. Verify patch installation.

🔧 Temporary Workarounds

Disable ICS file processing
Platform: all

Block or sanitize ICS file attachments at the email gateway: configure the email security gateway to strip or quarantine ICS attachments.

Force Modern UI
Platform: linux

Configure Zimbra to use the Modern UI/Zimbra Web Client instead of the Classic Web Client:

zmprov mcf zimbraFeatureModernWebClientEnabled TRUE
zmmailboxdctl restart

🧯 If You Can't Patch

  • Implement strict email filtering to block ICS attachments from untrusted sources
  • Deploy web application firewall with XSS protection rules specifically for Zimbra endpoints

🔍 How to Verify

Check if Vulnerable:

Compare the installed Zimbra version against the affected versions. To test, create an ICS file containing a simple JavaScript payload and send it as an email attachment.

Check Version:

su - zimbra -c 'zmcontrol -v'

Verify Fix Applied:

After patching, repeat the same ICS XSS test; the JavaScript should not execute. Confirm the reported version matches one of the patched releases.

📡 Detection & Monitoring

Log Indicators:

  • Unusual ICS file attachments in email logs
  • Multiple filter creation/modification events from single user session
  • JavaScript execution errors in web server logs

Network Indicators:

  • Outbound connections to suspicious domains following ICS file views
  • Unusual SMTP traffic patterns indicating email forwarding

SIEM Query:

source="zimbra.log" AND ("ICS" OR "calendar" OR "ontoggle") AND ("script" OR "javascript" OR "<details>")
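As an added example (not part of this advisory and not Zimbra's own tooling), the gateway-side check behind the "strip or quarantine ICS attachments" workaround, applying the same "<details" / "ontoggle" indicators the SIEM query looks for to the decoded attachment instead of to log text. It unfolds RFC 5545 lines before scanning, since a tag split across a folded line would evade a plain substring match. The regex patterns, the list of text fields and the sample invite are assumptions constructed for this example.

```python
import re

# Heuristics for HTML markup in calendar text fields (assumed patterns for this
# example, aligned with the advisory's "<details" / "ontoggle" log indicators).
HTML_TAG_RE = re.compile(r"<\s*/?\s*(script|details|img|svg|iframe|object|embed)\b", re.I)
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.I)
TEXT_FIELDS = ("DESCRIPTION", "SUMMARY", "LOCATION", "COMMENT", "X-ALT-DESC")

def unfold_ics(raw: str) -> list[str]:
    """Undo RFC 5545 line folding (a leading space/tab continues the previous
    line); scanning folded lines would miss a tag split across the fold."""
    lines: list[str] = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += line[1:]
        elif line:
            lines.append(line)
    return lines

def unescape_ics_text(value: str) -> str:
    """Apply RFC 5545 TEXT unescaping so escaped markup is inspected as rendered."""
    return (value.replace("\\N", "\n").replace("\\n", "\n")
                 .replace("\\,", ",").replace("\\;", ";").replace("\\\\", "\\"))

def find_html_in_ics(raw: str) -> list[tuple[str, str]]:
    """Return (property, reason) for each text property that carries HTML markup."""
    findings = []
    for line in unfold_ics(raw):
        name_part, sep, value = line.partition(":")
        if not sep:
            continue
        prop = name_part.split(";", 1)[0].upper()  # drop parameters, e.g. ;LANGUAGE=en
        if prop not in TEXT_FIELDS:
            continue
        text = unescape_ics_text(value)
        if HTML_TAG_RE.search(text):
            findings.append((prop, "html-tag"))
        elif EVENT_HANDLER_RE.search(text):
            findings.append((prop, "event-handler"))
    return findings

# Constructed sample invite: the tag is folded across two lines, so only the
# unfolded text reveals it. The handler value is a placeholder, not a payload.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\nSUMMARY:Team sync\r\n"
    "DESCRIPTION;LANGUAGE=en:Agenda attached <det\r\n"
    ' ails open ontoggle="PLACEHOLDER">x</details>\r\n'
    "LOCATION:Room 4\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
)
```

A gateway rule would quarantine any attachment for which `find_html_in_ics` returns findings; the heuristics are intentionally broad, so tune them against legitimate invites before enforcing.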
