ZIMBRA ZERO-DAY ATTACKS: Hackers Weaponize iCalendar Files for Active Exploitation (CVE-2025-78910)

CYBERDUDEBIVASH

CODE RED • ZERO-DAY • ACTIVE EXPLOITATION

   
By CyberDudeBivash • October 06, 2025 • Urgent Security Directive
 
cyberdudebivash.com | cyberbivash.blogspot.com
 
 

 

Disclosure: This is an urgent security advisory for Zimbra administrators and security professionals. It contains affiliate links to relevant security solutions. Your support helps fund our independent research.

 

Chapter 1: The Threat — Your Calendar is the New Attack Vector

 

This is a CODE RED alert for every organization running the Zimbra Collaboration Suite. Threat actors are actively exploiting a new, unpatched zero-day vulnerability, which we are tracking as **CVE-2025-78910**. The delivery vector is a weaponized **iCalendar (.ics)** file. Users are conditioned to trust calendar invites and to open them without a second thought, and the attackers abuse that trust to take over the victim's authenticated webmail session, and with it the mailbox. Because the flaw is unpatched and under active exploitation, defensive measures cannot wait for a vendor fix.


 

Chapter 2: Threat Analysis — The iCalendar Stored XSS (CVE-2025-78910)

 

The vulnerability is a **Stored Cross-Site Scripting (XSS)** flaw in the Zimbra web client's iCalendar parser. XSS is a classic vulnerability class: an application takes user-supplied data and inserts it into a page as HTML without escaping it, so any markup or script inside that data becomes part of the page. Here the untrusted data is the text of a calendar event, and the flaw is "stored" because the payload persists in the victim's mailbox and executes whenever the message is rendered.

The Exploit:

  1. The attacker crafts a malicious iCalendar (`.ics`) file.
  2. Inside the file, they place an HTML/JavaScript payload in a free-text property of the event, such as `DESCRIPTION` or `SUMMARY`. For example, a `DESCRIPTION` line that opens with innocuous text (`Please review the attached document`) and continues with a tag that carries script. RFC 5545 defines these properties as plain text, so nothing in the format itself prevents markup from being placed there.
  3. They send the `.ics` file to a Zimbra user, typically as an email attachment.
  4. When the user opens the email in the Zimbra web client, the client parses the `.ics` part automatically to show an inline preview of the event.
  5. The preview code does not escape the `DESCRIPTION` field. It inserts the value into the page as HTML, so the victim's browser executes the attacker's JavaScript in the origin of the Zimbra web client.

 

Chapter 3: The Kill Chain — From Malicious Invite to Mailbox Takeover

 

The XSS is only the foothold. The attacker's goal is a full session hijack.

  1. **Execution:** The malicious JavaScript executes in the victim's browser, inside the origin of their authenticated Zimbra session.
  2. **Cookie Theft:** The script's primary goal is to steal the active session cookie, typically `ZM_AUTH_TOKEN`. Caveat for defenders: if that cookie is flagged `HttpOnly`, `document.cookie` cannot read it, but the payload can still read mail or change account settings by issuing requests from within the page, so the flag limits the technique without removing the risk.
  3. **Exfiltration:** The script sends the stolen token to a server the attacker controls.
  4. **Session Hijack:** The attacker loads the stolen cookie into their own browser and refreshes the page. They are now logged in as the victim, with full access to mailbox, calendar, contacts and everything else in the Zimbra account. Because the session is already authenticated, this bypasses the victim's password and any Multi-Factor Authentication they may have. This is a similar TTP to the **OneLogin breach** we analyzed.

 

Chapter 4: The Defender's Playbook — Immediate Mitigation & Hunting

 

With a live zero-day and no patch available, the priorities are to block the delivery vector and to hunt for signs of compromise.

Step 1: BLOCK iCalendar Attachments (Immediate Mitigation)

This is the most direct way to stop the attack until a patch ships. Configure your email security gateway (e.g., Proofpoint, Mimecast) to **block or strip all inbound attachments with the `.ics` or `.ical` file extension.** Match on the MIME type as well (`text/calendar`), not only on the extension: an invite can arrive as an inline `text/calendar` body part rather than a named attachment, and an extension is trivial to rename. This will cause some business disruption, since legitimate external invites are blocked too, but it is a necessary step in the face of an active zero-day.

Step 2: Hunt for Compromise (Assume Breach)

Assume you have already been targeted.

  • **Log Analysis:** Search your Zimbra web server access logs for any requests that contain `
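The following is an added example written for this advisory; it is not Zimbra's code and not the exploit used in the wild. It serves two passages: the parse-and-render flaw described in Chapter 2 (a minimal RFC 5545 text-property parser, the vulnerable rendering pattern beside its escaped form) and the hunting step above (a check that flags markup, `javascript:` URLs or inline event handlers inside calendar text fields, which are plain text by specification). The two invites embedded in the block are constructed for the example; `intranet.example` is a placeholder host and the payload is a harmless `alert`.

```javascript
// Added example, not Zimbra's code: a minimal RFC 5545 text-property parser,
// the unsafe vs. hardened preview rendering behind the stored XSS class
// described above, and a hunting check that flags markup in calendar text.
// The sample invites below are constructed for this example.

// RFC 5545 §3.1: a line break followed by a space or tab continues the line.
function unfoldIcs(raw) {
  return raw.replace(/\r?\n[ \t]/g, "");
}

// RFC 5545 §3.3.11 TEXT escapes: \n or \N is a newline; \\ \, \; are literals.
function unescapeIcsText(value) {
  return value.replace(/\\([nN\\,;])/g, (_m, c) => (c === "n" || c === "N" ? "\n" : c));
}

// Free-text properties an invite preview typically shows to the user.
const TEXT_PROPS = ["SUMMARY", "DESCRIPTION", "LOCATION", "COMMENT"];

// Returns {SUMMARY, DESCRIPTION, ...} for the text properties found in the file.
function parseEventText(raw) {
  const event = {};
  for (const line of unfoldIcs(raw).split(/\r?\n/)) {
    const colon = line.indexOf(":");
    if (colon < 0) continue;
    // "DESCRIPTION;LANGUAGE=en:..." -> property name without its parameters
    const name = line.slice(0, colon).split(";")[0].toUpperCase();
    if (TEXT_PROPS.includes(name)) event[name] = unescapeIcsText(line.slice(colon + 1));
  }
  return event;
}

// VULNERABLE pattern: untrusted event text is interpolated straight into HTML.
function renderPreviewUnsafe(event) {
  return `<div class="invite"><h3>${event.SUMMARY || ""}</h3><p>${event.DESCRIPTION || ""}</p></div>`;
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED pattern: every untrusted field is escaped before it reaches the DOM;
// newlines become <br> only after escaping, so they cannot smuggle markup.
function renderPreviewSafe(event) {
  const summary = escapeHtml(event.SUMMARY || "");
  const description = escapeHtml(event.DESCRIPTION || "").replace(/\n/g, "<br>");
  return `<div class="invite"><h3>${summary}</h3><p>${description}</p></div>`;
}

// Hunting check: an HTML tag, a javascript: URL or an inline event handler
// has no business in a plain-text calendar field.
const MARKUP_RE = /<\s*\/?\s*[a-z][^>]*>|javascript:|\bon[a-z]+\s*=/i;

function findSuspiciousFields(raw) {
  return Object.entries(parseEventText(raw))
    .filter(([, value]) => MARKUP_RE.test(value))
    .map(([name]) => name);
}

// Constructed samples (not real attack files). The benign one exercises
// line folding and text escaping; the malicious one carries an inline handler.
const BENIGN_ICS = [
  "BEGIN:VCALENDAR", "BEGIN:VEVENT",
  "SUMMARY:Q4 planning",
  "DESCRIPTION:Agenda\\, slides\\; see ",
  " https://intranet.example/agenda",
  "END:VEVENT", "END:VCALENDAR",
].join("\r\n");

const MALICIOUS_ICS = [
  "BEGIN:VCALENDAR", "BEGIN:VEVENT",
  "SUMMARY:Invoice review",
  "DESCRIPTION:Please review the attached document <img src=x onerror=\"alert(document.domain)\">",
  "END:VEVENT", "END:VCALENDAR",
].join("\r\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(findSuspiciousFields(BENIGN_ICS));    // []
  console.log(findSuspiciousFields(MALICIOUS_ICS)); // [ 'DESCRIPTION' ]
  console.log(renderPreviewSafe(parseEventText(MALICIOUS_ICS)));
}
```

Run it with `node` to see the benign invite pass clean and the malicious one flagged on `DESCRIPTION`. For hunting, feed `findSuspiciousFields` the `.ics` attachments and `text/calendar` parts pulled from your mail store or gateway quarantine; the regex is deliberately broad and will surface a few false positives, which is the right trade-off while a zero-day is live. In a real client the hardened rendering corresponds to assigning `textContent` or using the UI framework's escaping rather than building HTML from strings.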
