CVE-2025-27915
Published: 12 March 2025
Summary
CVE-2025-27915 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Obfuscated Files or Information (T1027). The CVE ranks in the top 3.7% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-15 mandates filtering of information outputs, which directly addresses this flaw: HTML content carried in ICS files must be sanitized when the Zimbra Classic Web Client renders it, so that embedded script never executes.
SI-10 requires validation of information inputs such as ICS files, preventing malicious HTML and JavaScript from being accepted and stored in emails.
SI-2 ensures timely flaw remediation through patching, such as applying the ZCS 9.0 P44, 10.0.13 and 10.1.5 updates, which fix the ICS sanitization flaw.
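SI-10 and SI-15 above call for validating the HTML carried in ICS properties before it is stored and filtering it before it is rendered. As an added illustration, not code from Zimbra or from this advisory, the Python below strips inline event-handler attributes (the on* family the NVD text describes) and javascript: URLs from the HTML-typed property of an iCalendar event; the X-ALT-DESC;FMTTYPE=text/html property name and the sample event are assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser
# Constructed sample (not from the advisory): an event whose HTML description carries an on* handler.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\nSUMMARY:Team sync\r\n"
    'X-ALT-DESC;FMTTYPE=text/html:<p>Agenda</p><details ontoggle="run()">\r\n'
    " <summary>More</summary>notes</details>\r\n"  # RFC 5545 folded continuation line
    "END:VEVENT\r\nEND:VCALENDAR"
)
EVENT_HANDLER = re.compile(r"^on[a-z]+$", re.I)

class _Stripper(HTMLParser):
    """Re-emits markup, dropping on* attributes and javascript: URLs."""
    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded, we re-escape it
        self.out, self.dropped = [], 0
    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if EVENT_HANDLER.match(name) or (value or "").strip().lower().startswith("javascript:"):
                self.dropped += 1
                continue  # dropped outright, never merely escaped
            # HTMLParser hands us decoded values; re-escape so a quote cannot break out
            kept.append(f" {name}" if value is None else f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(escape(data, quote=False))

def sanitize_html(fragment):
    """Returns (clean fragment, number of dropped attributes)."""
    p = _Stripper()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.dropped

def sanitize_ics(ics_text):
    """Unfolds continuation lines, then rewrites only properties declaring
    FMTTYPE=text/html; every other property passes through unchanged."""
    unfolded = ics_text.replace("\r\n ", "").replace("\r\n\t", "")
    removed, lines = 0, []
    for line in unfolded.split("\r\n"):
        prop, sep, value = line.partition(":")
        if sep and "FMTTYPE=TEXT/HTML" in prop.upper():
            value, n = sanitize_html(value)
            removed += n
        lines.append(prop + sep + value)
    return "\r\n".join(lines), removed
```

Running `sanitize_ics(SAMPLE_ICS)` returns the calendar with the `<details>` element kept but its handler removed, and a count of one dropped attribute that can feed a detection log.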
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS delivered through a malicious ICS in email gives the attacker JavaScript execution in the victim's session. That maps to obfuscated payload delivery (T1027) arriving as a spearphishing attachment, and to the follow-on behaviours such a payload can script: email collection and forwarding rules, data exfiltration over C2, UI hiding, execution delays and guardrails, and user activity checks.
NVD Description
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.
Deeper analysis
CVE-2025-27915 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Zimbra Collaboration Suite (ZCS) versions 9.0, 10.0, and 10.1, specifically in the Classic Web Client. The flaw arises from insufficient sanitization of HTML content within ICS files attached to or embedded in emails. A malicious ICS entry can include JavaScript that executes via an ontoggle event within a <details> tag when the email is viewed. The vulnerability has a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
An attacker with low privileges, such as a ZCS user account, can exploit this by sending an email containing the malicious ICS to a target victim. When the victim opens and views the email in the Classic Web Client, the embedded JavaScript executes in the context of the victim's authenticated browser session. This arbitrary JavaScript execution lets the attacker act as the victim, for example configuring email filters that redirect messages to an attacker-controlled address, leading to unauthorized account actions, email redirection, and potential data exfiltration.
Zimbra advisories document fixes in patches for affected versions: ZCS 10.0.13, 10.1.5, and 9.0.0 Patch 44 (P44). Administrators should apply these updates to mitigate the issue, as detailed in the Zimbra Security Center and release notes.
The vulnerability has seen real-world exploitation as a zero-day ICS attack, as reported in external analysis.
Details
- CWE(s): CWE-79 (Cross-site Scripting)
- KEV Date Added: 07 October 2025