Zimbra users targeted in zero-day exploit using iCalendar attachments
StrikeReady researchers discovered a zero-day exploit for CVE-2025-27915 in Zimbra Collaboration Suite that lets attackers hijack sessions and exfiltrate data via malicious iCalendar (.ICS) files. The exploit targets Zimbra Webmail, steals credentials, emails, contacts, and shared folders, and uses various evasion techniques. The attack, observed targeting Brazil’s military, is attributed to a well-resourced actor, potentially the Belarusian APT group UNC1151.