Zimbra Zero-Day Exploited Targeting Brazilian Military via Malicious ICS Files
The Brazilian military was targeted in a campaign that exploited a then-unpatched vulnerability in Zimbra Collaboration Suite. The attackers delivered malicious ICS (iCalendar) invites, a format that mail clients parse and render automatically, marking a notable shift in phishing technique aimed at military communications.
Details of the Attack Campaign
The campaign, disclosed in late September 2025, exploited a flaw in how the Zimbra Classic Web Client handles ICS attachments. The phishing emails carried a crafted calendar invite; when a recipient opened it in the web client, JavaScript embedded in the file ran inside the victim's authenticated mail session. That gave the attackers control of the mailbox without any exploit against the Zimbra server itself.
Technical Analysis of the Zero-Day Exploit
The vulnerability, CVE-2025-27915, is a stored cross-site scripting (XSS) bug in the Zimbra Classic Web Client: HTML inside ICS calendar attachments was not sanitized before rendering, so a crafted invite could carry an HTML element with an event-handler attribute containing JavaScript. It is not remote code execution on the Zimbra server and it bypasses no authentication; the script runs in the victim's browser with the victim's own session, which is all an attacker needs to read mail and change account settings. The observed payload was obfuscated (base64-encoded) to evade detection and blended into the routine calendar traffic of military correspondence.
Observed Impact and Tactical Objectives
Investigators report that the script harvested credentials, contacts and mailbox contents and created a mail filter that forwarded incoming messages to an attacker-controlled address, a persistence mechanism that outlives the session that created it and survives a password reset unless the filter is removed. Targets included military leadership and logistics personnel, and the intent was collection of sensitive operational data from their mailboxes. The operation's use of ICS files shows how attackers exploit functional business formats that clients process automatically.
Recommended Mitigations and Response
Zimbra administrators should apply the Zimbra patch for the ICS sanitization bug and confirm every web client build in use is a fixed one. Beyond patching: scan ICS attachments at the mail gateway for HTML tags, on* event-handler attributes and javascript: URIs, which have no place in a calendar event; audit every mailbox for mail filters and forwarding rules the user did not create; and review web client logs for sessions from unexpected addresses. Accounts that opened a malicious invite need a credential reset after the rogue filters are removed. Collaboration with national security agencies is encouraged to assess further compromise and prevent data leakage.
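The attachment check suggested above, and the stored-XSS mechanism described in the technical analysis, as an added example (this is code written for this page, not Zimbra's and not the attackers'): a Python scanner that unfolds an ICS file per RFC 5545 and flags text properties carrying HTML tags, on* event-handler attributes, javascript: URIs or script-decoder calls, decoding long base64 runs so a payload hidden behind atob() is reported too. The sample invite, its ontoggle attribute and its base64 blob are constructed placeholders, not the real campaign's payload.

```python
import base64
import re
from typing import List, Tuple

# Example code for this page, not Zimbra's or the attackers'. The invite below is
# constructed; the ontoggle handler and base64 blob are placeholders for a hidden
# script, not the real campaign's payload.
_PAYLOAD_B64 = base64.b64encode(b"alert(document.cookie)").decode()
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//Example//Test//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:20250101-demo@example.invalid\r\n"
    "DTSTAMP:20250101T120000Z\r\n"
    "DTSTART:20250102T090000Z\r\n"
    "SUMMARY:Logistics coordination meeting\r\n"
    # RFC 5545 folds long lines; a continuation line begins with a space.
    f"DESCRIPTION:Agenda attached.<details open ontoggle=\"eval(atob('{_PAYLOAD_B64[:20]}\r\n"
    f" {_PAYLOAD_B64[20:]}'))\">\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Free-text properties: these are what a web client renders, so markup here is the risk.
TEXT_PROPERTIES = {"SUMMARY", "DESCRIPTION", "LOCATION", "COMMENT", "X-ALT-DESC"}

# Markup and script idioms that have no business in a calendar event.
SUSPICIOUS = [
    (re.compile(r"<\s*(script|iframe|svg|object|embed|details)\b", re.I), "html tag"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "event-handler attribute"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URI"),
    (re.compile(r"\b(eval|atob|Function|fromCharCode)\s*\(", re.I), "script decoder call"),
    (re.compile(r"document\.(cookie|location)|XMLHttpRequest|fetch\s*\(", re.I), "browser API access"),
]
# Long base64-looking runs are decoded and scanned as well.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def unfold(ics: str) -> List[str]:
    """Join RFC 5545 folded lines: a line break followed by a space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics).splitlines()


def properties(ics: str) -> List[Tuple[str, str]]:
    """Return (NAME, value) pairs with parameters such as ;ENCODING=... dropped from the name."""
    out = []
    for line in unfold(ics):
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        out.append((head.split(";", 1)[0].upper(), value))
    return out


def scan_ics(ics: str) -> List[Tuple[str, str, str]]:
    """Return (property, reason, evidence) for every suspicious fragment in a text property."""
    findings = []
    for name, value in properties(ics):
        if name not in TEXT_PROPERTIES:
            continue
        candidates = [value]
        for run in B64_RUN.findall(value):
            try:
                candidates.append(base64.b64decode(run, validate=True).decode("utf-8", "replace"))
            except (ValueError, UnicodeDecodeError):
                pass  # not valid base64; the raw text is still scanned above
        for text in candidates:
            for pattern, reason in SUSPICIOUS:
                match = pattern.search(text)
                if match:
                    findings.append((name, reason, match.group(0)))
    return findings


def is_malicious(ics: str) -> bool:
    """True when any text property of the invite carries markup or script."""
    return bool(scan_ics(ics))


if __name__ == "__main__":
    for prop, reason, evidence in scan_ics(SAMPLE_ICS):
        print(f"{prop}: {reason} -> {evidence!r}")
```

A gateway rule that quarantines on any finding will also catch invites with benign but sloppy HTML in their descriptions; in practice that is an acceptable false-positive rate for a mail client that should never render such content in the first place, and it is far cheaper than the mailbox audit that follows a missed one.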
Urgent Advisory: Critical Oracle E-Business Suite Vulnerability Risks Enterprise Data
Oracle, security researchers and federal advisories have warned of a critical vulnerability in Oracle E-Business Suite and recommend immediate remediation in light of active exploitation. The flaw gives an unauthenticated remote attacker control of the application tier, and with it the business-critical data and workflows the suite manages.
Vulnerability Breakdown
The vulnerability, CVE-2025-61882, was exploited as a zero-day before a fix was available and affects Oracle E-Business Suite 12.2.3 through 12.2.14. Oracle's alert states that it is exploitable over the network without a username or password and can result in remote code execution. Public analyses describe a chain of weaknesses in the suite's web tier, including an authentication bypass, rather than a single bug; the net effect is that an attacker who can reach the EBS web interface can run arbitrary commands on the application server.
Exposure and Attack Scenarios
Enterprises running unpatched, Internet-reachable EBS deployments face substantial risk: attackers scan for the EBS web tier and exploit it at scale. Reported consequences include bulk theft of ERP data followed by extortion demands sent to the victims' executives, and a foothold from which an attacker can alter financial transactions, expose customer data and manipulate enterprise resource planning (ERP) workflows.
Recommended Actions
Organizations should immediately apply the patches in Oracle's security alert for CVE-2025-61882, confirm the prerequisite Critical Patch Update that Oracle lists is already in place, and review the middleware components the EBS web tier depends on. Remove direct Internet exposure of the EBS application tier where possible, segment it from the rest of the network, enforce strong access controls and monitor the application continuously. Security teams should hunt for signs of exploitation: unexpected requests to the EBS web tier from external addresses, unusual child processes of the application server, new files in the web root, and outbound connections from the application tier to addresses that do not belong to the business.
Hackers Exploit Milesight Routers to Deliver Phishing SMS to European Users
A campaign that abused Milesight industrial cellular routers has sent phishing SMS (smishing) at scale to mobile users in Europe. The attackers took over Internet-exposed routers and used the devices' own SMS-sending capability to push the messages, creating significant risk for personal and enterprise data security.
Attack Mechanism and Technical Details
These routers carry a SIM card and expose an API for sending SMS, intended for operational alerts. The attackers located units reachable from the Internet, got in through default or previously leaked credentials on outdated firmware, and used the SMS API to send messages impersonating banks and other online services. Because each message originates from a real mobile subscription, it passes the carrier-side checks that stop bulk SMS from untrusted senders.
Scale and Impact of the Incident
Reports indicate hundreds of thousands of recipients in several European countries, Sweden, Belgium and Italy among them, received fraudulent texts linking to credential-harvesting sites. The campaign is one of a growing number that turn networking hardware with a cellular uplink into infrastructure for social engineering.
Security Response and Prevention Strategies
Administrators should update the router firmware, disable remote management on the WAN interface, replace default credentials with unique strong passwords, restrict the SMS API to the systems that legitimately use it, and watch SMS counters and logs for bursts of outbound messages the device has no business sending. Telecom providers are collaborating with law enforcement to trace and block malicious SMS routes and to warn affected customers.
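The log monitoring suggested above, as an added example (code written for this page, not Milesight's, and it does not talk to a real router): a Python triage script that parses outbound SMS log lines, flags any minute in which more messages left the gateway than an operational alerting device should ever send, and flags links whose host is not on the deployment's allow-list. The log layout "<ISO timestamp> <recipient> <text>", the allow-listed domain, the threshold and every line of traffic are assumptions constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Added example, not Milesight's code. The log layout "<ISO timestamp> <recipient> <text>",
# the domains and the traffic below are assumptions constructed for illustration.
LINE = re.compile(r"^(\S+)\s+(\+\d+)\s+(.*)$")
URL = re.compile(r"https?://\S+", re.I)

# Domains this deployment is allowed to link to from SMS (assumed).
ALLOWED_DOMAINS = {"alerts.example-utility.invalid"}

# Constructed traffic: two legitimate meter-reading notices, then a one-minute blast of
# forty lookalike-bank messages of the kind a hijacked gateway would emit.
LEGIT = [
    "2025-09-30T08:00:01Z +33600000001 Releve de compteur demain https://alerts.example-utility.invalid/r/1",
    "2025-09-30T08:00:02Z +33600000002 Releve de compteur demain https://alerts.example-utility.invalid/r/2",
]
BLAST = [
    f"2025-09-30T12:15:{i:02d}Z +3360000{100 + i:04d} Votre compte est suspendu: "
    f"http://secure-login-bank.invalid/verify?id={i}"
    for i in range(40)
]
SAMPLE_LOG = "\n".join(LEGIT + BLAST)


def parse(log: str) -> List[Dict]:
    """Parse log lines into dicts; lines that do not match the assumed layout are skipped."""
    entries = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entries.append({"ts": ts, "to": m.group(2), "text": m.group(3)})
    return entries


def find_bursts(entries: List[Dict], max_per_minute: int = 10) -> List[Tuple[str, int]]:
    """Return (minute, count) for every minute that exceeds the per-minute threshold.

    A router that exists to send a handful of operational alerts has no reason to push
    dozens of messages a minute; the threshold is a tuning assumption for this example.
    """
    per_minute = Counter(e["ts"].strftime("%Y-%m-%dT%H:%M") for e in entries)
    return [(minute, n) for minute, n in sorted(per_minute.items()) if n > max_per_minute]


def find_offsite_links(entries: List[Dict]) -> List[Tuple[str, str]]:
    """Return (recipient, url) for every link whose host is not on the allow-list."""
    hits = []
    for e in entries:
        for url in URL.findall(e["text"]):
            host = urlparse(url).hostname or ""
            if host not in ALLOWED_DOMAINS:
                hits.append((e["to"], url))
    return hits


def triage(log: str) -> Dict:
    """Combine both signals into one report; either one alone warrants investigation."""
    entries = parse(log)
    bursts = find_bursts(entries)
    offsite = find_offsite_links(entries)
    return {
        "messages": len(entries),
        "bursts": bursts,
        "offsite_links": offsite,
        "hijack_suspected": bool(bursts) or bool(offsite),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(report["messages"], "messages;", report["bursts"], "burst minutes;",
          len(report["offsite_links"]), "off-site links")
```

The volume check is the more robust of the two signals: an attacker can register a domain that looks legitimate, but cannot send thousands of messages through a device provisioned for a few alerts a day without the count standing out. The allow-list check is what lets the operator see, from the first message, where the recipients are being sent.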