A zero-day stored cross-site scripting (XSS) vulnerability (CVE-2025-27915, CVSS 5.4) in Zimbra Collaboration’s Classic Web Client was exploited in targeted cyber attacks against the Brazilian military. The flaw, stemming from insufficient HTML sanitization in ICS calendar files, allowed arbitrary JavaScript execution when victims viewed malicious emails. Attackers, posing as the Libyan Navy’s Office of Protocol, deployed a data-stealing script that exfiltrated credentials, emails, contacts, and shared folders to an external server (ffrk[.]net). The script also created hidden Zimbra email filters (named 'Correo') to forward messages to [email protected], evading detection by delaying execution for over three days.The breach enabled unauthorized access to sensitive military communications, risking operational security and intelligence leaks. While the patch was released in January 2025, the exploitation occurred earlier, with StrikeReady Labs confirming in-the-wild activity in September 2025. The attack mirrors tactics used by Russian APT28 and other groups (Winter Vivern, UNC1151), suggesting state-sponsored or advanced persistent threat involvement. The stolen data could compromise national security, diplomatic communications, and personnel safety, though the full extent of the damage remains undisclosed.