
"When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag," according to a description of the flaw in the NIST National Vulnerability Database (NVD).
"This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration."
"However, according to a report published by StrikeReady Labs on September 30, 2025, the observed in-the-wild activity involved unknown threat actors spoofing the Libyan Navy's Office of Protocol to target the Brazilian military using malicious ICS files that exploited the flaw."
"The ICS file contained JavaScript code that's designed to act as a comprehensive data stealer to siphon credentials, emails, contacts, and shared folders to an external server ('ffrk[.]net'). It also searches for emails in a specific folder, and adds malicious Zimbra email filter rules with the name 'Correo' to forward the messages to spam_to_junk@proton.me."
A stored cross-site scripting vulnerability in Zimbra Classic Web Client (CVE-2025-27915, CVSS 5.4) arises from insufficient sanitization of HTML content in ICS calendar files, enabling arbitrary JavaScript execution. Viewing a malicious ICS entry triggers embedded script via an ontoggle event in a <details> tag, allowing attackers to run JavaScript within victims' sessions and perform unauthorized actions such as adding e-mail filters and exporting data. Zimbra released fixes in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5 on January 27, 2025. In observed attacks, threat actors spoofed the Libyan Navy to target the Brazilian military and used ICS-based scripts to exfiltrate credentials and forward mail externally.
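As an added illustration (not code from the article, StrikeReady, or Zimbra), a small defensive triage script for mail-gateway or incident-response use: it unfolds an ICS file per RFC 5545 and then flags HTML inline event handlers (the ontoggle-in-<details> vector described above) inside the text properties of an invite. The sample invite is constructed here; unfolding first matters because a handler name split across a folded line would slip past a naive line-by-line grep.

```python
import re
from typing import Dict, List

# Constructed sample: a calendar invite whose DESCRIPTION carries an HTML
# <details> element with an ontoggle handler. The handler name is split
# across an RFC 5545 folded line (CRLF + space) on purpose.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-example-1\r\n"
    "SUMMARY:Protocol meeting\r\n"
    "DESCRIPTION:Agenda attached.<details open onto\r\n"
    " ggle=\"void(0)\">x</details>\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Properties that mail clients commonly render as (rich) text.
TEXT_PROPERTIES = {"DESCRIPTION", "X-ALT-DESC", "SUMMARY", "LOCATION", "COMMENT"}

# Any tag carrying an on*= attribute (ontoggle, onerror, onload, ...).
EVENT_HANDLER = re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE)
# Script tags or javascript: URLs, the other classic stored-XSS carriers.
SCRIPT_LIKE = re.compile(r"<script\b|javascript:", re.IGNORECASE)


def unfold(ics_text: str) -> List[str]:
    """Undo RFC 5545 line folding: a CRLF followed by space/tab joins lines."""
    text = ics_text.replace("\r\n", "\n")
    text = re.sub(r"\n[ \t]", "", text)
    return [line for line in text.split("\n") if line]


def scan_ics(ics_text: str) -> List[Dict[str, str]]:
    """Return one finding per text property that contains active HTML."""
    findings = []
    for line in unfold(ics_text):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        prop = name.split(";", 1)[0].upper()  # drop params like ;FMTTYPE=text/html
        if prop not in TEXT_PROPERTIES:
            continue
        for label, pattern in (("inline-event-handler", EVENT_HANDLER),
                               ("script-or-js-url", SCRIPT_LIKE)):
            match = pattern.search(value)
            if match:
                findings.append({"property": prop, "indicator": label,
                                 "match": match.group(0)})
    return findings


if __name__ == "__main__":
    for finding in scan_ics(SAMPLE_ICS):
        print(finding)
```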
Read at The Hacker News