CVE-2025-68645
Published 2025-12-22
Priority: P1 · 94 · high · 8.8 · CVSS 3.1
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability · due 2026-02-12
Exploited in the wild
EPSS: 31.77% (98.1th percentile)
A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synacor | zimbra_collaboration_suite | >= 10.0.0 < 10.0.18 | 10.0.18 |
| synacor | zimbra_collaboration_suite | >= 10.1.0 < 10.1.13 | 10.1.13 |
Detection & IOCs
Nuclei template (excerpt):
```yaml
id: CVE-2025-68645

info:
  name: Zimbra Collaboration - Local File Inclusion
  author: DhiyaneshDk,sirifu4k1
  severity: high
  tags: cve,cve2025,zimbra,zcs,lfi,vkev,kev

http:
  - method: GET
    path:
      - "{{BaseURL}}/{{path}}?javax.servlet.include.servlet_path=/WEB-INF/web.xml"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<web-app"
          - "Zimbra"
        condition: and

      - type: status
        status:
          - 200
```

- The exploit uses the `javax.servlet.include.servlet_path` request parameter to trigger LFI via the RestFilter servlet. Monitor HTTP GET requests to any `/h/*` endpoint containing this parameter name.
- Requests targeting `/WEB-INF/web.xml` via the `javax.servlet.include.servlet_path` parameter are a strong indicator of active exploitation; the Nuclei template confirms a 200 response with `<web-app` and `Zimbra` in the body as a positive match.
- Shodan fingerprint for exposed Zimbra instances targeted by this CVE is `http.title:"Zimbra Collaboration Suite"`. Use this to identify internet-exposed assets.
- The vulnerability is unauthenticated and exploitable via HTTP GET with no session required. Web server access logs should be reviewed for any unauthenticated requests to `/h/rest` or other `/h/*` endpoints containing `javax.servlet.include.servlet_path` in the query string.
- CISA KEV confirms active in-the-wild exploitation. The vulnerability is classified as PHP Remote File Inclusion by CISA, with a remediation due date of 2026-02-12 for federal agencies.
- The LFI vulnerability only affects Zimbra Collaboration (ZCS) versions 10.0 and 10.1 running the Webmail Classic UI with the RestFilter servlet exposed. Fixes were added on January 3–4, 2026.
- The Nuclei template uses `stop-at-first-match: true` across 13 `/h/*` paths, meaning only the first matching endpoint is confirmed per scan run; all listed paths should be independently monitored in production log analysis.
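
A log triage sketch for the monitoring guidance above, added here as an example (it is not code from the Nuclei template or from any of the cited sources). It assumes combined-format access logs; the sample lines, IP addresses and the `/h/placeholder` path are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

PARAM = "javax.servlet.include.servlet_path"  # parameter name given on this page

# Assumption: combined log format; adapt the pattern to your proxy's layout.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges, hypothetical /h/placeholder path).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jan/2026:03:12:44 +0000] "GET /h/rest?javax.servlet.include.servlet_path=/WEB-INF/web.xml HTTP/1.1" 200 1834 "-" "-"',
    '203.0.113.7 - - [14/Jan/2026:03:12:45 +0000] "GET /h/placeholder?javax.servlet.include.servlet_path=/WEB-INF/web.xml HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.20 - - [14/Jan/2026:03:13:02 +0000] "GET /h/rest?id=1 HTTP/1.1" 200 640 "-" "-"',
    '192.0.2.5 - - [14/Jan/2026:03:13:10 +0000] "GET / HTTP/1.1" 200 4096 "-" "-"',
]

def classify(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.startswith("/h/"):
        return None
    # parse_qsl percent-decodes names and values, so encoded forms still match.
    values = [v for k, v in parse_qsl(url.query, keep_blank_values=True)
              if k.lower() == PARAM]
    if not values:
        return None
    web_inf = any("/web-inf/" in v.lower() for v in values)
    # The body markers (<web-app, Zimbra) are not in access logs, so a 200
    # is only a probable disclosure and needs follow-up.
    if web_inf and m["status"] == "200":
        verdict = "probable-disclosure"
    elif web_inf:
        verdict = "web-inf-attempt"
    else:
        verdict = "parameter-probe"
    return {"ip": m["ip"], "time": m["ts"], "path": url.path,
            "status": int(m["status"]), "verdict": verdict}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any request carrying the parameter on a `/h/*` path is reported regardless of status, since the parameter has no place in client-supplied query strings.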
CVSS provenance
- nvd: v3.1, 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- vulncheck: 8.8 HIGH
- cisa: 8.8 HIGH
CISA
Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
cisa·2026-01-22·CVSS 8.8
CVE-2025-68645 [HIGH] CWE-98 Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://wiki.zimbra.com/wiki/Security_Center ; https://nvd.nist.gov/vuln/detail/CVE-2025-68645
Remediation Due Date: 2026-02-12
GHSA
GHSA-xc78-3c4g-m5g9: A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10
ghsa_unreviewed·2025-12-22
CVE-2025-68645 [HIGH] CWE-98 GHSA-xc78-3c4g-m5g9: A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10
VulnCheck
Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
vulncheck·2025·CVSS 8.8
CVE-2025-68645 [HIGH] CWE-98 Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2026-01-14&host_type=src&vulnerability=cve-2025-68645; https://dashboard.shadowserver.org/statist
No detection rules found.
Nuclei
Zimbra Collaboration - Local File Inclusion
nuclei·CVSS 8.8
CVE-2025-68645 [HIGH] Zimbra Collaboration - Local File Inclusion
Zimbra Collaboration (ZCS) 10.0 and 10.1 contain a local file inclusion caused by improper handling of user-supplied parameters in the RestFilter servlet, letting unauthenticated remote attackers include arbitrary files from WebRoot, exploit requires crafted requests to /h/rest endpoint.
Template:
```yaml
id: CVE-2025-68645

info:
  name: Zimbra Collaboration - Local File Inclusion
  author: DhiyaneshDk,sirifu4k1
  severity: high
  description: |
    Zimbra Collaboration (ZCS) 10.0 and 10.1 contain a local file inclusion caused by improper handling of user-supplied parameters in the RestFilter servlet, letting unauthenticated remote attackers include arbitrary files from WebRoot, exploit requires crafted requests to /h/rest endpoint.
  impact: |
    Unauthenticated rem
```
Bleepingcomputer
CISA confirms active exploitation of four enterprise software bugs
blogs_bleepingcomputer·2026-01-23·CVSS 5.3
By Bill Toulas
The Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. warned of active exploitation of four vulnerabilities impacting enterprise software from Versa and Zimbra, the Vite frontend tooling framework, and the Prettier code formatter.
The security issues have been added to CISA’s KEV (Known Exploited Vulnerabilities) catalog, indicating that the agency has evidence that hackers are exploiting them in the wild.
One of the vulnerabilities is CVE-2025-31125, a high-severity improper access control issue disclosed in March last year that can be exploited to expose non-allowed files when the server is explicitly exposed to the network.
The issue affects only exposed dev instances and has bee
Wiz
CVE-2025-67809 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
## CVE-2025-67809: Zimbra Collaboration Server vulnerability analysis and mitigation
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration. Because these credentials are embedded directly in the Zimlet, any unauthorized party could retrieve them and misuse the Flickr integration. An attacker with access to the exposed credentials could impersonate the legitimate application and initiate valid Flickr OAuth flows. If a user is tricked into approving such a request, the attacker could gain access to the user's Flickr data. The hardcoded credentials have since been removed from the Zimlet code, and the associated key has been revoked.
Source: NVD
## 4.7
Wiz
CVE-2025-68645 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
## CVE-2025-68645: Zimbra Collaboration Server vulnerability analysis and mitigation
Source: NVD
- Score: 8.8
- Published: December 22, 2025
- Severity: HIGH
- CNA Score: 8.8
- Affected Technologies: Zimbra Collaboration Server
- Has Public Exploit: Yes
- Has CISA KEV Exploit: Yes
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 97.7
Exploitation Probabil
Recorded Future
January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day
blogs_recorded_future·CVSS 4.9
January 2026 saw a modest 5% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 23 vulnerabilities requiring immediate remediation, up from 22 in December 2025. Noteworthy trends last month included Russian state-sponsored exploitation of a Microsoft Office zero-day and critical authentication bypass flaws affecting enterprise infrastructure.
What security teams need to know:
- APT28's Operation Neusploit: Russian state-sponsored actors exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files, delivering MiniDoor, PixyNetLoader, and Covenant Grunt implants
- Microsoft and SmarterTools lead concerns: These vendors accounte
Wiz
CVE-2025-66376 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
## CVE-2025-66376: Zimbra Collaboration Server vulnerability analysis and mitigation
Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
Source: NVD
- Score: 6.1
- Published: January 5, 2026
- Severity: MEDIUM
- CNA Score: 7.2
- Affected Technologies: Zimbra Collaboration Server
- Has Public Exploit: Yes
- Has CISA KEV Exploit: Yes
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 93
- Exploitation Probability (EPSS): 10
- Affected packages and libraries: cpe:2.3:a:zimbra:collaboration
- Sources: NVD
- Linux: Severity MEDIUM, Has Fix, Added at: Jan 06, 2026
- 2025-12-22: Published
- 2026-01-22: Added to CISA KEV
- Exploited in the wild