CVE-2025-68645
📋 TL;DR
An unauthenticated remote attacker can exploit this Local File Inclusion vulnerability in Zimbra Collaboration's Webmail Classic UI to read arbitrary files from the WebRoot directory. This affects Zimbra Collaboration 10.0 and 10.1 installations with the vulnerable RestFilter servlet exposed. Attackers can access sensitive configuration files, source code, or other web-accessible content.
💻 Affected Systems
- Zimbra Collaboration (ZCS)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers read sensitive configuration files containing database credentials, encryption keys, or authentication secrets, leading to full system compromise and data exfiltration.
Likely Case
Attackers access configuration files to gather intelligence for further attacks or read application source code to discover additional vulnerabilities.
If Mitigated
With proper network segmentation and access controls, impact is limited to reading non-sensitive web files without system access.
🎯 Exploit Status
CISA has added this to their Known Exploited Vulnerabilities catalog, indicating active exploitation is likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check the Zimbra Security Center for the latest patched versions
Vendor Advisory: https://wiki.zimbra.com/wiki/Security_Center
Restart Required: Yes
Instructions:
1. Check the Zimbra Security Center for the latest patches.
2. Apply the security patch for your ZCS version.
3. Restart Zimbra services.
4. Verify the fix by testing the vulnerability.
🔧 Temporary Workarounds
Block /h/rest endpoint
Temporarily block access to the vulnerable RestFilter servlet endpoint
# Nginx location block that denies all requests to /h/rest (Apache uses a different directive syntax)
location /h/rest { deny all; }
Disable Webmail Classic UI
Disable the vulnerable Classic UI if the Modern UI suffices
# Modify Zimbra configuration to disable Classic UI
zmprov ms `zmhostname` zimbraFeatureClassicWebClientEnabled FALSE
zmmailboxdctl restart
🧯 If You Can't Patch
- Implement strict network access controls to limit access to Zimbra web interfaces
- Deploy a web application firewall (WAF) with LFI protection rules
🔍 How to Verify
Check if Vulnerable:
Test whether the /h/rest endpoint responds to crafted LFI requests, or check the Zimbra version
Check Version:
zmcontrol -v
Verify Fix Applied:
Attempt to exploit the vulnerability after patching; requests should be blocked or return errors
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /h/rest endpoint with file path parameters
- Multiple failed attempts to access restricted files
Network Indicators:
- HTTP requests with crafted parameters targeting /h/rest
- Unusual file read patterns from web server
SIEM Query:
source="zimbra.log" AND uri="/h/rest" AND (param="file" OR param="path")
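The log indicators above (requests to /h/rest carrying file path parameters, and repeated attempts from one source) can be checked offline against a web server access log. The following is an added example, not code from Zimbra or from this advisory; the log lines are constructed, the parameter names and traversal patterns it looks for are assumed indicators rather than the CVE's actual request format, and `repeat_offenders` is a hypothetical helper name.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined access-log format (not real Zimbra logs).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "GET /h/rest?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2026:10:00:02 +0000] "GET /h/rest?path=../../WEB-INF/web.xml HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2026:10:00:03 +0000] "GET /h/rest?file=%2e%2e%2f%2e%2e%2fWEB-INF%2fclasses%2fdb.properties HTTP/1.1" 403 0 "-" "curl/8.0"
198.51.100.9 - - [10/Jan/2026:10:00:04 +0000] "GET /zimbra/mail HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed indicators of file-read attempts; tune to your environment.
TRAVERSAL_RE = re.compile(r'(\.\./|/WEB-INF/|\.properties$|\.xml$)', re.IGNORECASE)
FILE_PARAMS = {"file", "path"}  # parameter names the SIEM query above keys on

def parse_line(line):
    """Split one access-log line into its fields; returns None on a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # parse_qs percent-decodes once, so %2e%2e%2f is seen as ../ without double-decoding.
    rec["query"] = parse_qs(url.query)
    return rec

def is_suspicious(rec):
    """True for /h/rest requests that carry a file parameter or a traversal-like value."""
    if not rec["path"].startswith("/h/rest"):
        return False
    for name, values in rec["query"].items():
        if name in FILE_PARAMS or any(TRAVERSAL_RE.search(v) for v in values):
            return True
    return False

def find_hits(log_text):
    """Return (ip, request target, status) for every suspicious line in the log text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append((rec["ip"], rec["target"], rec["status"]))
    return hits

def repeat_offenders(hits, threshold):
    """Map source IP to hit count for sources at or above the threshold (multiple attempts)."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Blocked (403) attempts are reported as well as successful ones, since repeated failures are one of the indicators listed above.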