CVE-2025-67809

4.7 MEDIUM

📋 TL;DR

Zimbra Collaboration 10.0 and 10.1 contain hardcoded Flickr API credentials in the publicly accessible Flickr Zimlet. Attackers can retrieve these credentials and impersonate the legitimate application to trick users into granting access to their Flickr data. Only Zimbra installations with the Flickr Zimlet enabled are affected.

💻 Affected Systems

Products:
  • Zimbra Collaboration Suite
Versions: 10.0 and 10.1
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the Flickr Zimlet enabled. The Flickr API key has been revoked by Flickr.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain unauthorized access to users' Flickr accounts, potentially exposing private photos, metadata, and account information.

🟠

Likely Case

Attackers use stolen credentials for limited Flickr API abuse or reconnaissance, with actual user compromise requiring social engineering.

🟢

If Mitigated

No impact if credentials are revoked and Zimlet is updated or disabled.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs no tooling: the credentials are read out of the Flickr Zimlet files that Zimbra serves to clients, then used to run a consent-phishing OAuth flow against Flickr users under the identity of Zimbra's registered Flickr application. Because Flickr has revoked the key (see Notes above), that second step no longer succeeds; what remains is the credential material still present in unpatched deployments.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions with credentials removed (check Zimbra security advisories)

Vendor Advisory: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Restart Required: No

Instructions:

1. Update to a Zimbra release that removes the credentials (see the advisory page above).
2. Remove or disable the Flickr Zimlet if it is not needed.
3. Verify the API key and secret are no longer present in the deployed Zimlet files.

🔧 Temporary Workarounds

Disable Flickr Zimlet

Disable the Flickr Zimlet, or undeploy it entirely, to stop Zimbra serving the files that carry the credentials. Run as the zimbra user; zmzimletctl has no "delete" action, undeploy is the one that removes it.

zimbra@mail:~$ zmzimletctl disable com_zimbra_flickr
zimbra@mail:~$ zmzimletctl undeploy com_zimbra_flickr

🧯 If You Can't Patch

  • Disable or undeploy the Flickr Zimlet immediately; this is the only workaround that actually removes the exposure.
  • Blocking outbound connections to Flickr APIs at the network perimeter only stops the zimlet working for users on your network. The OAuth flow runs in the user's browser, and an attacker who already holds the key uses it from elsewhere, so the block neither stops them nor removes the key from the files Zimbra serves to clients.

🔍 How to Verify

Check if Vulnerable:

Check whether the Flickr Zimlet is deployed (run as the zimbra user): zmzimletctl listZimlets | grep -i flickr. Then examine the deployed files under /opt/zimbra/zimlets-deployed/com_zimbra_flickr for hardcoded API key and secret values.

Check Version:

zimbra@mail:~$ zmcontrol -v

Verify Fix Applied:

Confirm the Flickr Zimlet is disabled or removed (zmzimletctl listZimlets no longer shows com_zimbra_flickr). Verify no API key or secret remains in /opt/zimbra/zimlets-deployed/com_zimbra_flickr; after undeploy that directory should be gone.
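The checks above as a repeatable script. This is an added example, not code from the advisory or from Zimbra: the deployed path /opt/zimbra/zimlets-deployed/com_zimbra_flickr is the default location, and the credential patterns it greps for (a variable or property named key/secret assigned a quoted token, or an api_key= parameter with a 32-hex value, the format Flickr keys use) are a heuristic of mine, not taken from the advisory. It calls the real zmzimletctl listZimlets action when available and skips that step otherwise.

```shell
#!/bin/sh
# Added example (not advisory or Zimbra code): check whether the Flickr Zimlet
# is still deployed and whether its files carry credential-looking strings.
# ZIMLET_DIR and CRED_PATTERN are assumptions; override them via the environment.

ZIMLET_NAME="${ZIMLET_NAME:-com_zimbra_flickr}"
ZIMLET_DIR="${ZIMLET_DIR:-/opt/zimbra/zimlets-deployed/$ZIMLET_NAME}"

# Credential-looking strings, case-insensitive ERE:
#  - a name ending in key/secret assigned a quoted token of 16+ alphanumerics
#  - a literal api_key=<32 hex chars> as embedded in Flickr REST URLs
CRED_PATTERN="((api_?key|secret)[[:space:]]*[:=][[:space:]]*[\"'][0-9A-Za-z]{16,}[\"']|api_key=[0-9a-f]{32})"

# scan_zimlet_dir DIR
#   prints each matching file:line. Exit 0 = matches found, 1 = none,
#   2 = directory missing (the zimlet has been undeployed).
scan_zimlet_dir() {
    _dir="$1"
    if [ ! -d "$_dir" ]; then
        echo "no such directory: $_dir" >&2
        return 2
    fi
    grep -rEni "$CRED_PATTERN" "$_dir"
}

# zimlet_deployed NAME
#   Exit 0 = zmzimletctl lists NAME, 1 = not listed,
#   2 = zmzimletctl not on PATH (run this as the zimbra user).
zimlet_deployed() {
    command -v zmzimletctl >/dev/null 2>&1 || return 2
    zmzimletctl listZimlets 2>/dev/null | grep -q "$1"
}

main() {
    rc=0
    zimlet_deployed "$ZIMLET_NAME" || rc=$?
    case $rc in
        0) echo "WARNING: $ZIMLET_NAME is still deployed (zmzimletctl info $ZIMLET_NAME for details)" ;;
        1) echo "OK: $ZIMLET_NAME is not deployed" ;;
        *) echo "SKIP: zmzimletctl not found; run as the zimbra user to check deployment" ;;
    esac

    rc=0
    scan_zimlet_dir "$ZIMLET_DIR" || rc=$?
    case $rc in
        0) echo "WARNING: credential-looking strings found under $ZIMLET_DIR (listed above)"; return 1 ;;
        1) echo "OK: no credential-looking strings under $ZIMLET_DIR" ;;
        *) echo "OK: $ZIMLET_DIR is absent (zimlet removed)" ;;
    esac
}

# Only run the checks when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as the zimbra user with `sh check_flickr_zimlet.sh --run`; a non-zero exit means credential-looking material is still on disk. If you disable the zimlet rather than undeploy it, the files stay in place and the scan will keep flagging them, which is the intended reminder to undeploy. Flushing the zimlet cache (zmprov flushCache zimlet) and having users reload the web client makes a disable take effect for active sessions.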

📡 Detection & Monitoring

Log Indicators:

  • Unusual Flickr API authentication attempts
  • Multiple failed OAuth requests from unexpected sources

Network Indicators:

  • Suspicious outbound connections to Flickr APIs
  • Unexpected OAuth callback traffic

Caveat: the OAuth exchange runs between the user's browser and Flickr, and an attacker who has extracted the key uses it from their own infrastructure, so neither step has to touch the Zimbra server. Server-side logs and the query below only see requests the zimlet routes through Zimbra itself; abuse of the stolen key is visible to Flickr, not to you. Treat these indicators as weak and rely on the removal checks above.

SIEM Query:

source="zimbra.log" AND "flickr" AND ("oauth" OR "api_key")
