External risk intelligence

Zimbra Collaboration: File Inclusion Vulnerability

CVE advisory | Known Exploit

CVE-2025-68645

A Local File Inclusion vulnerability exists in Zimbra Collaboration's Webmail Classic UI. This allows unauthenticated remote attackers to include arbitrary files from the WebRoot directory. This impacts affected organizations by posing a risk of unauthorized data access and potential service disruption. Attackers can e

Halo Surface Signal: 5

Synacor Zimbra Collaboration Suite

  • 10.0.0 to before 10.0.18
  • 10.1.0 to before 10.1.13

External exposure likelihood

Halo Surface Signal score for CVE-2025-68645

The vulnerability affects the Webmail interface of Zimbra Collaboration, which is a product designed to be public-facing to provide remote email access. As an unauthenticated service reachable via the internet at the /h/rest endpoint, it constitutes a primary entry point for users, fitting the criteria for a service that is public-facing by design.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists within the Webmail Classic UI of Zimbra Collaboration. This flaw allows for the inclusion of arbitrary files from the WebRoot directory. The potential impact includes unauthorized access to sensitive information and disruption of services.

  • Webmail Classic UI
  • Improper handling of user-supplied parameters
  • Unauthorized file access and service disruption

Attack Path

How an attacker could exploit the issue

The Webmail Classic UI in Zimbra Collaboration is susceptible to a Local File Inclusion vulnerability due to improper handling of user-supplied request parameters. This allows an unauthenticated remote attacker to craft specific requests to the `/h/rest` endpoint. By influencing internal request dispatching, the attacker can gain the ability to include arbitrary files from the WebRoot directory. This attack path enables the attacker to potentially execute malicious code or access sensitive information within the affected system.

  • Exposure: Public-facing Webmail interface.
  • Attacker starting point: Remote, unauthenticated.
  • Trigger and result: Craft requests to include arbitrary files.

Live Threat

Current exploitation, exposure, and threat context

A Local File Inclusion vulnerability in Zimbra Collaboration Suite's Webmail Classic UI could allow attackers to access arbitrary files within the WebRoot directory. This could lead to the exposure of sensitive information or further compromise of the system. The vulnerability is exploitable remotely by unauthenticated attackers.

  • Likely attacker skill: Low
  • Required access or conditions: Network access
  • Business risk or urgency: High, treat as urgent

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A vulnerability in Zimbra Collaboration's Webmail Classic UI allows remote attackers to include arbitrary files from the WebRoot directory. This occurs due to improper handling of user-supplied request parameters in the RestFilter servlet, enabling crafted requests to influence internal request dispatching. The potential impact includes unauthorized access to sensitive information and system compromise, posing a significant business risk.

  • Locate all Zimbra Collaboration instances.
  • Restrict access to affected endpoints.
  • Implement vendor updates and verify.
  • Monitor for suspicious activity.
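
For the "locate" and "verify" steps, the sketch below checks an inventory of reported Zimbra versions against the two affected ranges listed in this advisory. It is an added example, not vendor or advisory code; the hostnames and version strings are constructed, and it assumes each string contains a `major.minor.patch` triple.

```python
import re

# Affected ranges as listed in this advisory: (first affected, first fixed).
AFFECTED_RANGES = [
    ((10, 0, 0), (10, 0, 18)),
    ((10, 1, 0), (10, 1, 13)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first major.minor.patch triple found in text, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Return (status, first fixed version or None) for one version string."""
    version = parse_version(version_text)
    if version is None:
        # Unparseable banner: needs a manual check, never assume it is patched.
        return ("unknown", None)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return ("affected", ".".join(str(n) for n in first_fixed))
    # Outside the ranges this advisory lists; that is not proof of safety
    # for releases the advisory does not mention.
    return ("not-in-affected-range", None)


def triage(inventory):
    """Map each host to its (status, upgrade target) pair."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "mail-a.example.test": "Release 10.0.17.GA.0000 FOSS edition",
    "mail-b.example.test": "Release 10.0.18.GA.0000 FOSS edition",
    "mail-c.example.test": "10.1.0",
    "mail-d.example.test": "10.1.13",
    "mail-e.example.test": "version not reported",
}

if __name__ == "__main__":
    for host, (status, target) in sorted(triage(SAMPLE_INVENTORY).items()):
        suffix = f" (upgrade to {target} or later)" if target else ""
        print(f"{host}: {status}{suffix}")
```

Re-running the same check after patching confirms each host has left the affected range; hosts reported as `unknown` still need a manual version check.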

Frequently asked questions

What is Zimbra Collaboration Suite and its affected component?

Zimbra Collaboration Suite (ZCS) is a communication and collaboration platform used for email, calendaring, contacts, and task management, often in business or educational settings. The vulnerability is found in its Webmail Classic User Interface.

What type of vulnerability is CVE-2025-68645?

CVE-2025-68645 is a Local File Inclusion (LFI) vulnerability. This weakness arises from improper handling of user-supplied request parameters, enabling attackers to include unauthorized files from the WebRoot directory.

How can an attacker exploit this vulnerability?

An unauthenticated remote attacker can exploit this by crafting specific requests to the `/h/rest` endpoint. This manipulates internal request dispatching, allowing for the inclusion of arbitrary files from the WebRoot directory.

What is the impact of this vulnerability?

This vulnerability allows for unauthorized access to sensitive information and can lead to disruption of services. It is considered a high-severity issue, with potential for system compromise. The Halo Surface Signal indicates this is a very likely threat due to the public-facing nature of the affected component.

What are the recommended actions to address this issue?

Organizations should identify all Zimbra Collaboration instances, restrict access to the affected endpoints, and apply vendor updates promptly. Continuous monitoring for suspicious activity is also advised to detect and mitigate potential exploitation.
