CISA KEV Adds CVE-2025-27915 Zimbra Classic Web Client XSS Patch Now

CISA has added CVE-2025-27915 — a stored cross-site scripting (XSS) bug in the Classic Web Client of Synacor’s Zimbra Collaboration Suite (ZCS) — to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation and urging immediate remediation by federal agencies and other organizations that operate Zimbra servers or host Zimbra webmail for users.

Background

Zimbra Collaboration Suite (ZCS) is a widely deployed open-source email and collaboration platform used by service providers, universities, government entities, and enterprises. The vulnerability now tracked as CVE-2025-27915 is a stored Cross-Site Scripting (XSS) flaw that affects the Classic Web Client within ZCS versions 9.0, 10.0, and 10.1. The bug stems from insufficient sanitization of HTML content embedded in iCalendar (.ICS) attachments; when a specially crafted ICS entry is rendered by the Classic client, an attacker-controlled JavaScript payload can execute inside the victim’s browser session.
Federal agencies must treat KEV additions as actionable: the Binding Operational Directive BOD 22-01 established the KEV Catalog as a list of CVEs with evidence of real-world exploitation and requires Federal Civilian Executive Branch (FCEB) agencies to remediate listed items by the KEV due date. Although that mandate applies only to FCEB agencies, the practical security implications apply to any organization running vulnerable Zimbra instances.

What the KEV addition actually means

  • Elevation of priority: Inclusion in the KEV Catalog signals that the vulnerability is not purely theoretical — it has credible evidence of exploitation in the wild — and should be elevated to the highest remediation priority for affected organizations.
  • BOD 22-01 deadlines apply to FCEB: Federal civilian agencies must adhere to the remediation timeline set in the KEV entry. The directive compels agencies to either apply vendor-supplied mitigations/patches or discontinue use of affected services when mitigations are unavailable.
  • Action for all organizations: CISA explicitly recommends that non-federal entities prioritize KEV-listed items as part of vulnerability management best practices; the catalog is a useful, evidence-driven prioritization tool.

Technical summary: how CVE-2025-27915 works

The vulnerability vector

  • The Classic Zimbra Web Client renders HTML derived from fields inside calendar (.ICS) entries when previewing or viewing messages that contain such attachments.
  • A stored XSS occurs when malicious HTML/JavaScript is embedded inside the ICS file — specifically inside fields such as the description.
  • The exploit leverages the behavior of a <details> element with an ontoggle event handler. By embedding a details tag carrying JavaScript in the ICS description, the script executes when the user interacts with the details control in the preview pane or message body.

Potential attacker capabilities

  • Session-level JavaScript execution: Once the payload runs inside the user’s active webmail session, it can read or modify DOM content, exfiltrate cookies or tokens (subject to HttpOnly protections), and call internal Zimbra APIs available to the authenticated user.
  • Mailbox takeover via forwarding/filtering: Attackers can modify mailbox settings or create email filters to forward communications to attacker-controlled addresses, giving sustained access to incoming mail.
  • Data exfiltration and reconnaissance: Scripts can read emails, contacts, shared folders, and other account data and send them to external command-and-control endpoints.
  • Stealthy persistence: By creating filters that auto-forward messages and by obfuscating UI changes, attackers can maintain long-term access while evading casual detection.

Scope and affected components

  • Affected: Zimbra Collaboration Suite Classic Web Client versions in the 9.0, 10.0, and 10.1 lines prior to the vendor patches.
  • Not affected: Modern UI variants or desktop clients that do not use the vulnerable rendering path are generally not impacted — but the Classic Web Client remains widely used and often enabled as default in many deployments.

Confirming the facts: vendor and vulnerability records

  • Zimbra issued patched builds that incorporate fixes for the Classic Web Client sanitization logic as part of specific patch releases. Administrators are advised to upgrade to the fixed releases targeted at their ZCS major version.
  • The National Vulnerability Database (NVD) and multiple vulnerability repositories list the issue with the same technical description: stored XSS via ICS parsing and execution through a details element ontoggle event.
  • Independent security teams have published technical write-ups and incident reports describing exploit mechanics and the real-world attacks that prompted the KEV listing.
(Note: coverage and incident descriptions from third-party researchers should be treated as field reports. Where vendor statements differ or do not mention exploitation, treat attribution and broader campaign claims as researcher-sourced and, unless independently confirmed by the vendor, subject to uncertainty.)

What to do right now — an operational checklist

  • Patch or upgrade immediately
      • Apply the Zimbra builds and patches that close CVE-2025-27915 for your ZCS version. Zimbra released patch-line updates that incorporate the fix; plan maintenance and schedule the update as soon as feasible.
  • If patching is delayed, mitigate
      • Disable the Classic Web Client, or restrict access to the Classic interface, until the patch can be installed.
      • Use web application firewall (WAF) rules that strip or block suspicious HTML in ICS attachments, or block .ics attachments from external senders where feasible.
  • Hunt and respond
      • Search mail server logs and mailbox configuration change logs for newly created filters or forwarding rules, paying particular attention to rules whose names look auto-generated or deliberately inconspicuous and to rules that forward mail to external addresses.
      • Look for suspicious inbound emails containing large or Base64-encoded ICS content, unusual senders spoofing trusted domains, or ICS attachments reaching privileged accounts.
  • Rotate exposed credentials and revalidate sessions
      • If you suspect compromise, invalidate active sessions and require password resets and multi-factor re-enrollment for affected accounts.
  • Monitor network egress and known IOCs
      • Monitor outbound connections from mail servers and user endpoints for anomalous traffic to unknown exfiltration domains, and inspect for known malware callback patterns.
  • Harden webmail and email gateway policies
      • Enforce strict Content Security Policy (CSP) headers where possible, disable inline script execution in webmail front-ends, and implement attachment sanitization at the gateway.
  • Communicate to users and stakeholders
      • Inform administrators and impacted user groups about the threat and the immediate mitigations being taken; provide guidance about suspicious calendar invites and attachments.

Detection and threat-hunting guidance (practical queries)

  • Search for recently created mail forwarding rules and filters across accounts, particularly those forwarding to external addresses or with ambiguous names.
  • Scan message stores and archives for .ics files containing <details> tags, ontoggle attributes, or other embedded HTML/JavaScript.
  • Check web server logs for webmail preview accesses that correlate with receipt of ICS attachments — anomalies in preview events may indicate malicious activity.
  • Monitor egress DNS and HTTP requests for unusual destinations referenced by in-message payloads or command-and-control callbacks.
  • Look for delayed task activation: attackers sometimes include timers or delayed triggers that execute days after delivery; hunt for patterns of delayed UI interactions or scheduled hiding of UI elements.
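To make the ICS-scanning item above concrete, here is an added example written for this post; it is not code from Zimbra, CISA or any of the researchers cited. It takes a raw RFC 5322 message, decodes every calendar part (text/calendar, or a .ics attachment under another MIME type, base64 or quoted-printable), unfolds the iCalendar line folding that would otherwise split a tag across two lines, and flags event-handler attributes and script content in the free-text properties. Static HTML in X-ALT-DESC is tolerated because mailers legitimately put it there. The invite and the message it scans are constructed samples, with a placeholder in the handler body; the functions, regexes and property lists are this example's own choices.

```python
import base64
import email
import re
from email import policy

# Calendar properties that carry free text (RFC 5545). X-ALT-DESC is the
# Outlook-style HTML alternative description, so static markup there is normal.
TEXT_PROPERTIES = {"DESCRIPTION", "SUMMARY", "LOCATION", "COMMENT", "X-ALT-DESC"}
PLAINTEXT_ONLY = TEXT_PROPERTIES - {"X-ALT-DESC"}

TAG_RE = re.compile(r"<\s*([a-zA-Z][\w-]*)")
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.I)
SCRIPT_URL_RE = re.compile(r"\b(?:javascript|vbscript)\s*:", re.I)


def unfold_ics(text: str) -> str:
    # RFC 5545 folds long lines: a line break followed by one space or tab
    # continues the previous line. Unfold first, because a payload such as
    # '<details ontoggle=' is routinely split across a fold by the mailer.
    return re.sub(r"\r?\n[ \t]", "", text)


def unescape_ics_text(value: str) -> str:
    # RFC 5545 TEXT escaping: \n or \N is a newline; \, \; and \\ are literals.
    return re.sub(r"\\([nN,;\\])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)


def ics_text_properties(ics: str):
    """Yield (property name, unescaped value) for each text-bearing property."""
    for line in unfold_ics(ics).splitlines():
        if ":" not in line:
            continue
        # Shape is NAME;PARAM=value:VALUE. Parameters containing a quoted ':'
        # are not handled here; they do not occur in the properties inspected.
        name_part, _, value = line.partition(":")
        name = name_part.split(";", 1)[0].strip().upper()
        if name in TEXT_PROPERTIES:
            yield name, unescape_ics_text(value)


def scan_ics(ics: str) -> list:
    """Return one finding per property that carries markup or active content."""
    findings = []
    for name, value in ics_text_properties(ics):
        tags = sorted({t.lower() for t in TAG_RE.findall(value)})
        handlers = sorted({h.split("=", 1)[0].strip().lower()
                           for h in EVENT_HANDLER_RE.findall(value)})
        if handlers or "script" in tags or SCRIPT_URL_RE.search(value):
            severity = "high"      # event handler, script element or script URL
        elif tags and name in PLAINTEXT_ONLY:
            severity = "medium"    # markup where plain text is expected
        else:
            continue
        findings.append({"property": name, "severity": severity,
                         "tags": tags, "handlers": handlers})
    return findings


def calendar_parts(raw_message: str):
    """Yield the decoded text of every calendar part in an RFC 5322 message,
    whether labelled text/calendar or shipped as a .ics file of another type."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for part in msg.walk():
        filename = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/calendar" or filename.endswith(".ics"):
            payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
            if payload:
                yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def scan_message(raw_message: str) -> list:
    """Scan every calendar part of one raw message."""
    findings = []
    for ics in calendar_parts(raw_message):
        findings.extend(scan_ics(ics))
    return findings


# Constructed sample: an invite whose DESCRIPTION carries a details/ontoggle
# element (placeholder handler body), folded mid-tag the way a mailer would.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "BEGIN:VEVENT",
    "SUMMARY:Quarterly review",
    'DESCRIPTION:Agenda attached.\\n<details ontoggle="/* placeholder */"><summa',
    " ry>Open</summary></details>",
    "X-ALT-DESC;FMTTYPE=text/html:<html><body><p>Agenda attached.</p></body></html>",
    "END:VEVENT",
    "END:VCALENDAR",
])

# Constructed sample message carrying the invite as a base64-encoded attachment.
SAMPLE_MESSAGE = (
    "From: organizer@example.org\r\n"
    "To: user@example.com\r\n"
    "Subject: Invitation: Quarterly review\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain; charset=utf-8\r\n\r\nYou have been invited.\r\n"
    "--b1\r\nContent-Type: text/calendar; charset=utf-8; method=REQUEST\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="invite.ics"\r\n\r\n'
    + base64.encodebytes(SAMPLE_ICS.encode("utf-8")).decode("ascii")
    + "--b1--\r\n"
)

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_MESSAGE):
        print(finding)
```

Run it over exported .eml files from the mail store or archive, or call scan_ics directly on standalone .ics files. The two-tier severity is deliberate: an event handler anywhere is a strong signal, whereas bare tags in DESCRIPTION are common noise from HTML-happy clients and are worth a look rather than an alert.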

Why this XSS is more dangerous than typical “medium” CVSS suggests

CVSS scores are a useful baseline but can understate operational impact in certain contexts. CVE-2025-27915 carries a nominally medium severity rating, but the practical risk is magnified by several factors:
  • Webmail is a privileged interface. Browser-executed scripts operate with the authenticated user’s privileges inside the mail client; that can expose mail, contacts, tokens, and server-side actions available to the user.
  • Automation through filters enables persistence and scale. Creating mail-forwarding rules or filters can capture ongoing sensitive traffic without maintaining active footholds on the server.
  • Human interaction is minimal. The attack requires only that a recipient view or expand an element in a message — an action users routinely perform — so the social engineering bar is low.
  • Default configurations increase exposure. Many deployments retain the Classic Web Client for compatibility or legacy preferences; operators may be unaware that the Classic UI remains exposed to untrusted content.
For these reasons, organizations should treat this KEV-listed XSS as high-priority operational risk despite its nominal medium CVSS rating.

Notable strengths of the response ecosystem — and remaining weaknesses

Strengths

  • Swift vendor patching: Zimbra integrated the fix into release-line patches, enabling administrators to remediate through standard upgrade paths.
  • Public detection and reporting by security teams: Independent researchers and CERTs have documented real-world incidents, providing indicators and practical detection guidance for defenders.
  • CISA KEV escalation: CISA’s KEV listing focuses attention and accelerates remediation timelines for federal agencies, with strong downstream benefits for the broader community.

Weaknesses and residual risks

  • Visibility gaps: Many service providers and on-premises admins may not monitor their Zimbra deployments closely enough, keeping vulnerable Classic UIs exposed.
  • Delayed disclosure vs. exploitation: Initial vendor advisories sometimes do not disclose exploitation details; public disclosure of exploitation via third-party research can lag the first active attacks, complicating incident response.
  • Detection difficulty: The attacker’s ability to create filters and delay execution of payloads increases the chance of long-duration stealthy data exfiltration.
  • Supply and configuration diversity: Zimbra is deployed in heterogeneous environments with custom themes, proxies, and integrations — mitigations may require more than a single patch in complex environments.

Threat actor and campaign context — what is known and what is not

Security researchers have reported targeted campaigns that used weaponized ICS files to exploit this XSS against high-value targets. Reports describe social-engineered delivery (spoofed calendar invitations from trusted sources) and post-exploitation actions like data exfiltration and the creation of auto-forward rules. Some researchers identified specific sender IPs and external exfiltration domains used in observed incidents.
Caveats and cautionary notes:
  • Attributing a campaign to a specific nation-state or named APT requires care; field reports may name likely targets and techniques but attribution often remains inconclusive without corroborating intelligence.
  • Vendor advisories sometimes omit evidence of exploitation at the time of patch release; independent security research can fill that gap, but defenders should treat such reports as part of a broader evidence set rather than definitive proof of large-scale compromise.

Longer-term mitigation and architecture recommendations

  • Default to the safer UI: Where possible, disable or deprecate the Classic Web Client and standardize on a modern UI that does not parse ICS content into vulnerable DOM paths.
  • Centralize parsing and sanitization: Perform attachment parsing and sanitization at trusted edge services (mail gateway, proxy) rather than in browser-rendered client code.
  • Adopt robust CSP and sanitization libraries: Move to templating and sanitization frameworks that are strictly allow-list-based and tested for all content types, including calendar formats.
  • Layered authentication and session controls: Enforce strict session timeouts, token scoping, and device fingerprinting for webmail sessions to reduce the value of a single stolen session cookie.
  • Email-gateway attachment policies: Consider blocking or sandboxing ICS files from untrusted senders, or converting ICS content to text-only renderings for preview to eliminate active content vectors.
  • Continuous threat hunting: Establish recurring hunts for suspicious filter creations and mailbox configuration changes as part of normal security operations.
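The recurring filter hunt recommended above, and the "hunt and respond" step of the checklist, as an added example written for this post (not Zimbra's tooling or any researcher's). It assumes you have exported, per account, the zimbraMailSieveScript and zimbraPrefMailForwardingAddress attributes (for example with zmprov ga; the attribute names come from Zimbra's LDAP schema and should be checked against your version) and that ORG_DOMAINS lists your own mail domains. It then flags Sieve rules that redirect to an external domain, rules that discard the original after redirecting (silent diversion), rules with empty or placeholder names, and account-level forwarding off-domain. All account data and the GENERIC_NAMES heuristic are constructed.

```python
import re

# Constructed: domains that count as "ours"; anything else is external.
ORG_DOMAINS = {"example.com"}

# One Sieve rule: an optional "# name" comment, a test, and a braced action
# body. Nested braces are not handled; Zimbra-generated scripts do not nest.
RULE_RE = re.compile(
    r"(?:#[ \t]*(?P<name>[^\n]*)\n)?[ \t]*\b(?:if|elsif|else)\b(?P<test>[^{]*)\{(?P<body>[^}]*)\}"
)
REDIRECT_RE = re.compile(r'\bredirect\b(?:\s+:copy)?\s+"([^"]+)"')
# Constructed heuristic: names a script-created rule tends to carry.
GENERIC_NAMES = {"", ".", "rule", "filter", "new filter", "untitled"}


def is_external(address: str) -> bool:
    """True when the address domain is not one of ours (or a subdomain of one)."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in ORG_DOMAINS)


def hunt_sieve(account: str, script: str) -> list:
    """Flag redirect actions that look like mail diversion."""
    findings = []
    for rule in RULE_RE.finditer(script):
        name = (rule.group("name") or "").strip()
        body = rule.group("body")
        for target in REDIRECT_RE.findall(body):
            reasons = []
            if is_external(target):
                reasons.append("redirect to external domain")
            if re.search(r"\bdiscard\b", body):
                reasons.append("original discarded after redirect")
            if len(name) <= 1 or name.lower() in GENERIC_NAMES:
                reasons.append("empty or generic rule name")
            if reasons:
                findings.append({"account": account, "rule": name,
                                 "target": target, "reasons": reasons})
    return findings


def hunt_forwarding(account: str, forwarding: str) -> list:
    """Flag account-level forwarding addresses outside our domains."""
    findings = []
    for addr in re.split(r"[,;\s]+", forwarding.strip()):
        if addr and is_external(addr):
            findings.append({"account": account, "rule": "(account forwarding)",
                             "target": addr, "reasons": ["forwarding to external domain"]})
    return findings


def hunt_accounts(accounts: dict) -> list:
    """Run both hunts over {account: {attribute: value}} and merge the findings."""
    findings = []
    for account, attrs in accounts.items():
        findings += hunt_sieve(account, attrs.get("zimbraMailSieveScript", ""))
        findings += hunt_forwarding(account, attrs.get("zimbraPrefMailForwardingAddress", ""))
    return findings


# Constructed sample export: one benign account, one with a diverting filter
# and a discard rule, one with off-domain account forwarding.
SAMPLE_ACCOUNTS = {
    "alice@example.com": {
        "zimbraMailSieveScript": (
            'require ["fileinto", "copy"];\n'
            "# Newsletters\n"
            'if header :contains ["subject"] "newsletter" {\n'
            '    fileinto "Newsletters";\n    stop;\n}\n'
        ),
        "zimbraPrefMailForwardingAddress": "",
    },
    "bob@example.com": {
        "zimbraMailSieveScript": (
            'require ["fileinto", "copy"];\n'
            "# .\n"
            'if anyof (header :contains ["from"] "finance", header :contains ["subject"] "invoice") {\n'
            '    redirect :copy "collector@mail-relay.example.net";\n    stop;\n}\n'
            "# Archive\n"
            'if header :contains ["subject"] "receipt" {\n'
            '    redirect "bob.archive@example.com";\n    discard;\n}\n'
        ),
        "zimbraPrefMailForwardingAddress": "",
    },
    "carol@example.com": {
        "zimbraMailSieveScript": "",
        "zimbraPrefMailForwardingAddress": "carol.personal@example.org",
    },
}

if __name__ == "__main__":
    for finding in hunt_accounts(SAMPLE_ACCOUNTS):
        print(finding)
```

Schedule this against a fresh export on each run and diff the findings against the previous run: a rule that is new since yesterday is the interesting one, and a rule that keeps a copy (redirect :copy) for the victim while also sending one out is exactly the quiet pattern the post describes.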

Practical recovery steps after suspected compromise

  • Invalidate all webmail sessions and force reauthentication across affected accounts.
  • Rotate credentials for compromised users and re-enroll multi-factor authentication devices.
  • Export and analyze mailbox contents, focusing on newly created filters, sent items, and unusual forwarded messages.
  • Conduct network-level forensics for outbound connections to suspected exfiltration endpoints.
  • Restore affected accounts from pre-compromise backups where feasible and reconfigure secure settings manually rather than relying solely on automated remediation.

Final assessment and risk posture advice

The addition of CVE-2025-27915 to the CISA KEV Catalog is a clear operational signal: the vulnerability has been observed being exploited in the wild and poses material risk to organizations that use Zimbra’s Classic Web Client. The bug’s mechanics — a stored XSS triggered by ICS content and capable of enabling mailbox takeover and data exfiltration — make it a potent tool for targeted espionage, criminal data theft, and long-duration compromises.
Remediation is straightforward in principle — apply vendor patches or disable the Classic client — but in practice it requires coordinated action across system owners, service providers, and security teams. Prioritize patching, hunt for traces of post-exploitation activity (filters, forwarding rules, unusual egress), and harden webmail interfaces and gateways to prevent active content from reaching users.
Organizations that host or depend on Zimbra should treat this KEV addition as an urgent fix-and-hunt item. The combination of privileged webmail context, low user interaction required, and demonstrated in-the-wild exploitation means that rapid patching and proactive detection will materially reduce the risk of ongoing or future compromise.

Appendix: Immediate action checklist (compact)
  • Patch Zimbra to the vendor-supplied fixed releases for your branch.
  • If immediate patching is impossible, disable the Classic Web Client until patched.
  • Hunt for new or modified mail filters and forwarding rules across accounts.
  • Inspect incoming .ics attachments for embedded HTML and ontoggle usage.
  • Invalidate webmail sessions and rotate credentials for accounts suspected of exposure.
  • Deploy gateway-level sanitization and CSP where possible to restrict inline script execution.

Source: CISA, "CISA Adds One Known Exploited Vulnerability to Catalog"
 
