ICS Calendar XSS Risk: New Zimbra Zero-Day Exploit Revealed

[Figure: Calendar-based XSS exploit targeting Zimbra email systems via ICS attachments]

A newly revealed zero-day vulnerability in Zimbra Collaboration Suite (ZCS) has been weaponized using iCalendar (.ICS) files to execute cross-site scripting (XSS) attacks. In campaigns traced back to early 2025, attackers embedded JavaScript into calendar invites to hijack sessions, harvest credentials, and exfiltrate mailbox contents.

Researchers from StrikeReady discovered that some ICS attachments exceeded typical size thresholds and contained embedded JavaScript that Zimbra’s calendar parser failed to sanitize. In the targeted versions, ZCS 9.0, 10.0, and 10.1, that JavaScript ran within the authenticated user’s session once the user accepted the calendar item.

Once injected, the malicious script used the Zimbra Web Client XSS vector to perform the following tasks:

  • Create hidden form fields to capture credentials

  • Monitor user actions (mouse/keyboard events) and log out idle users

  • Use the Zimbra SOAP API to query shared folders and emails

  • Forward stolen data to attacker-controlled endpoints, periodically repeating the process

  • Insert mail filters so forwarded email copies reach the attacker’s inbox

According to StrikeReady, these exploit campaigns began in January 2025, weeks before Zimbra released a patch on January 27.

Historical Context & Related Zimbra Risks

While this ICS-based XSS exploit is fresh, Zimbra has faced multiple critical vulnerabilities before:

  • In November 2023, vulnerability CVE-2023-37580 (reflected XSS) was exploited by multiple threat groups.

  • In 2022, CVE-2022-41352 (unpatched RCE via cpio utility in Amavis) was used to backdoor Zimbra instances globally. 

  • Zimbra security advisories are catalogued in their official repository.

These precedents show a pattern: whenever older attack vectors get patched or blocked, attackers shift tactics, in this case from file-based vulnerabilities to inventive XSS delivered in ICS files.

Attack Impact & Risk Profile

This ICS exploit is particularly insidious because it doesn’t require a typical file upload or user download. The victim only needs to accept a calendar event, after which the attacker gains session-level script execution. From there, the adversary can lift credentials, extract mailbox contents, pivot to other internal systems, and maintain persistence via mail filters.

Targets are likely webmail users in enterprises or governments using Zimbra for email and collaboration. The technique is stealthy, fits into standard calendaring workflows, and evades many traditional email security filters.

Mitigation & Defensive Measures

Defending against this attack requires decisive, layered action rather than isolated fixes. First, install the official Zimbra patch released on January 27, 2025, which secures versions 9.0, 10.0, and 10.1. Updating promptly closes the vulnerable parser and restores proper calendar sanitization.

Next, filter incoming ICS attachments at the email gateway. Instead of allowing them through uninspected, enforce rules that block or scrub calendar files containing <script> or embedded HTML tags. This single change immediately removes most exploit payloads.
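The gateway check described above, as an added example that is not code from the article, StrikeReady, or Zimbra: it unfolds an ICS file per RFC 5545 (a tag split across a folded line would otherwise slip past a per-line grep), undoes TEXT escaping, and flags active content or unexpected HTML in calendar properties. The 64 KiB size threshold is a constructed value, since the report only says the hostile attachments were unusually large, and the two sample invites are constructed, not campaign artifacts.

```python
import re
from typing import Dict, List

# Assumed gateway size threshold: the report notes malicious ICS attachments exceeded
# typical sizes but gives no figure, so 64 KiB is a constructed, tunable value.
MAX_ICS_BYTES = 64 * 1024

# Active-content indicators in calendar text properties (heuristic, case-insensitive).
ACTIVE_CONTENT = [
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
    re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),  # onload=, onerror=, ...
    re.compile(r"<\s*(iframe|object|embed|svg|img)\b", re.IGNORECASE),
]
ANY_TAG = re.compile(r"<\s*/?[a-z][a-z0-9]*\b[^>]*>", re.IGNORECASE)

# Some clients legitimately place HTML in X-ALT-DESC;FMTTYPE=text/html, so plain
# markup there is tolerated; active content is still flagged wherever it appears.
HTML_ALLOWED_PROPS = {"X-ALT-DESC"}


def unfold_ics(text: str) -> List[str]:
    """Undo RFC 5545 line folding: a line starting with SPACE or HTAB continues
    the previous content line."""
    lines: List[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def unescape_text(value: str) -> str:
    """Undo RFC 5545 TEXT escaping: backslash-n, backslash-comma,
    backslash-semicolon and doubled backslash."""
    return re.sub(r"\\([\\;,nN])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)


def scan_ics(data: bytes) -> Dict[str, object]:
    """Verdict for one ICS attachment: {'block': bool, 'findings': [...]}."""
    findings: List[str] = []
    if len(data) > MAX_ICS_BYTES:
        findings.append(f"oversized attachment: {len(data)} bytes")
    text = data.decode("utf-8", errors="replace")
    for line in unfold_ics(text):
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        prop = name.split(";", 1)[0].strip().upper()  # drop params such as ;FMTTYPE=
        value = unescape_text(value)
        for pat in ACTIVE_CONTENT:
            if pat.search(value):
                findings.append(f"{prop}: active content matched {pat.pattern!r}")
                break
        else:
            if prop not in HTML_ALLOWED_PROPS and ANY_TAG.search(value):
                findings.append(f"{prop}: unexpected HTML markup")
    return {"block": bool(findings), "findings": findings}


# Constructed sample invites (not real campaign artifacts).
BENIGN_ICS = b"""BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
UID:sample-1@example.invalid
DTSTART:20250115T090000Z
SUMMARY:Quarterly review
DESCRIPTION:Agenda attached\\, please confirm.
END:VEVENT
END:VCALENDAR
"""

# Same structure, but DESCRIPTION carries a script tag split across a fold
# (the continuation line starts with a space), which defeats per-line grepping.
HOSTILE_ICS = b"""BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
UID:sample-2@example.invalid
DTSTART:20250115T090000Z
SUMMARY:Budget sync
DESCRIPTION:Details below <scr
 ipt>console.log("constructed sample")</script>
END:VEVENT
END:VCALENDAR
"""

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ICS), ("hostile", HOSTILE_ICS)):
        print(label, scan_ics(blob))
```

Whether a positive verdict blocks the message or only strips the offending property is a gateway policy choice; the scanner reports per property so either action can be taken. Expect some false positives on the bare-tag rule from invites that embed marketing HTML in DESCRIPTION, which is why the X-ALT-DESC allowance exists.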

At the user layer, disable “auto-accept” and “auto-add” calendar invitations. Requiring manual confirmation stops drive-by exploitation attempts. Furthermore, strengthen the web client by implementing a Content Security Policy (CSP) and enabling browser-level script-blocking extensions to confine any residual XSS activity.

Administrators should actively monitor SOAP API logs for anomalies, such as repeated folder reads or mass message fetches, which often signal ongoing compromise. After patching, rotate authentication tokens and session cookies to invalidate stolen credentials and prevent persistent access.
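The log review described above, as an added example rather than code from the article or Zimbra: it replays SOAP request log lines, keeps a sliding window of folder and message reads per account, and raises one alert for a read burst and one for any mail-filter modification, the two behaviours the article attributes to the injected script. The line format is constructed for the example (Zimbra’s own mailbox.log layout differs, so LINE_RE is the part to adapt), the request names GetFolderRequest, SearchRequest, GetMsgRequest and ModifyFilterRulesRequest are used as representative Zimbra SOAP operations, and the window and threshold are assumed tuning values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed line format for this example (not Zimbra's real mailbox.log layout):
#   <ISO-8601 timestamp> user=<account> ip=<client address> soap=<SOAP request name>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) soap=(?P<op>\w+)$"
)

# Operations matching the behaviours the article describes: folder/mail
# enumeration and mail-filter persistence.
READ_OPS = {"GetFolderRequest", "SearchRequest", "GetMsgRequest"}
PERSISTENCE_OPS = {"ModifyFilterRulesRequest"}

WINDOW = timedelta(minutes=5)  # assumed sliding window
READ_THRESHOLD = 20            # assumed: reads per account per window before alerting


def detect_anomalies(lines: List[str]) -> List[Dict[str, str]]:
    """Replay log lines in order and emit one alert per suspicious pattern."""
    alerts: List[Dict[str, str]] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    burst_reported: set = set()

    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsed lines are skipped, not fatal
        ts = datetime.fromisoformat(m["ts"])
        user, ip, op = m["user"], m["ip"], m["op"]

        # Any mail-filter modification is rare enough to surface on its own.
        if op in PERSISTENCE_OPS:
            alerts.append({"kind": "filter_rule_change", "user": user,
                           "ip": ip, "at": m["ts"]})

        # Sliding-window count of folder/message reads per account.
        if op in READ_OPS:
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > WINDOW:
                q.popleft()
            if len(q) >= READ_THRESHOLD and user not in burst_reported:
                burst_reported.add(user)
                alerts.append({"kind": "mass_read", "user": user, "ip": ip,
                               "at": m["ts"],
                               "detail": f"{len(q)} read requests within {WINDOW}"})
    return alerts


def build_sample_log() -> List[str]:
    """Constructed log: one ordinary account and one showing the reported pattern."""
    base = datetime(2025, 1, 20, 9, 0, 0)
    lines: List[str] = []
    # alice: a handful of reads spread over an hour
    for i in range(5):
        t = base + timedelta(minutes=12 * i)
        lines.append(f"{t.isoformat()} user=alice@example.invalid "
                     f"ip=10.0.0.5 soap=GetMsgRequest")
    # bob: 25 message fetches in two minutes, then a filter-rule change
    for i in range(25):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} user=bob@example.invalid "
                     f"ip=203.0.113.9 soap=GetMsgRequest")
    t = base + timedelta(minutes=3)
    lines.append(f"{t.isoformat()} user=bob@example.invalid "
                 f"ip=203.0.113.9 soap=ModifyFilterRulesRequest")
    return sorted(lines)  # timestamps lead each line, so lexical order is time order


if __name__ == "__main__":
    for alert in detect_anomalies(build_sample_log()):
        print(alert)
```

A filter-rule change from a client address the account has never used before is a stronger signal than either event alone; correlating the two alerts on the `ip` field is the natural next step once the parser points at real logs.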

Altogether, these combined measures, from gateway filtering to client hardening, form a true defense-in-depth strategy that stops this exploit chain at multiple layers instead of reacting only after compromise.

FAQs

Q: Which Zimbra versions are vulnerable?
A: ZCS 9.0, 10.0, and 10.1 were confirmed vulnerable to this ICS-based XSS exploit.

Q: What type of attack is this?
A: It’s a cross-site scripting (XSS) attack concealed within iCalendar calendar files, executed inside the victim’s session.

Q: Did Zimbra know about it before public disclosure?
A: StrikeReady’s research suggests exploitation began weeks before Zimbra issued their patch on January 27, 2025.

Q: What data is at risk?
A: Credentials, email contents, contacts, folder lists, and forwarding rules: essentially all privileged mailbox access available within that session.

Q: Can this threat spread beyond email systems?
A: Yes. Attackers who extract credentials can pivot into internal networks or move laterally, depending on the environment’s configuration.
