CVE-2025-8264
📋 TL;DR
This SQL injection vulnerability in Z-Push's IMAP backend lets an attacker inject SQL through the username supplied in HTTP Basic Authentication: the backend builds the From-address lookup query from the operator-configured IMAP_FROM_SQL_QUERY by substituting the username into it as text rather than passing it as a bound parameter (see the referenced user_identity.php lines and the fix PR). It affects Z-Push installations using the IMAP backend with IMAP_FROM_SQL_QUERY configured, and can give the attacker unauthorized read access to, and depending on the database account's privileges modification of, the linked identity database.
💻 Affected Systems
- Z-Push
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the linked third-party database, allowing data theft, modification, or deletion, and potential lateral movement to other systems that trust that database.
Likely Case
Unauthorized read access to the identity database behind the lookup (user names, addresses and any other columns the database account can reach), and, if the account has write privileges, modification of that data.
If Mitigated
Limited impact: with the username passed to the lookup as a bound parameter, or the SQL lookup disabled, the injection path is closed.
🎯 Exploit Status
Exploitation goes through HTTP Basic Authentication: the injected SQL is carried in the username field, and the injection itself is straightforward. The public references below (XBOW's write-up and the fix pull request) demonstrate the vulnerability.
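Added example (not Z-Push's code): the placeholder-substitution pattern behind this bug next to its bound-parameter counterpart, run against a constructed SQLite table standing in for the linked identity database. The FROM_SQL_QUERY template, the column names and the #username#/#domain# markers are assumptions about the shape of an IMAP_FROM_SQL_QUERY setting, and lookup_hardened shows one fix (bound parameters), not necessarily the change the upstream PR applied.

```python
"""Vulnerable vs hardened From-address lookup: added example, not Z-Push code."""
import sqlite3

# Assumed shape of an IMAP_FROM_SQL_QUERY-style template: the operator writes the SQL
# and marks where the login name and domain go. Not copied from Z-Push's shipped config.
FROM_SQL_QUERY = (
    "SELECT first_name, last_name, mail_address FROM users "
    "WHERE username = '#username#' AND domain = '#domain#'"
)


def make_db():
    """Constructed in-memory identity table standing in for the linked third-party DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, domain TEXT, first_name TEXT, "
        "last_name TEXT, mail_address TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [
            ("alice", "example.org", "Alice", "Adams", "alice@example.org"),
            ("bob", "example.org", "Bob", "Brown", "bob@example.org"),
            ("admin", "corp.internal", "Site", "Admin", "admin@corp.internal"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username, domain):
    """Text substitution: whatever the client put in the Basic-auth username becomes SQL."""
    query = FROM_SQL_QUERY.replace("#username#", username).replace("#domain#", domain)
    return conn.execute(query).fetchall()


def lookup_hardened(conn, username, domain):
    """Bound parameters: the driver sends the values separately, so quotes in them stay data."""
    query = (
        "SELECT first_name, last_name, mail_address FROM users "
        "WHERE username = :username AND domain = :domain"
    )
    return conn.execute(query, {"username": username, "domain": domain}).fetchall()


def uses_text_substitution(template):
    """Config check: a quoted #username#/#domain# marker means the value is spliced in as text."""
    return "'#username#'" in template or "'#domain#'" in template


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "alice", "example.org"))
    # Comment out the rest of the WHERE clause: every row comes back.
    print(lookup_vulnerable(db, "x' OR '1'='1' -- ", "example.org"))
    # Pivot to another table with a UNION whose column count matches the template.
    print(lookup_vulnerable(db, "x' UNION SELECT name, type, sql FROM sqlite_master -- ", "example.org"))
    # Same payload against the bound-parameter lookup: no row matches the literal string.
    print(lookup_hardened(db, "x' OR '1'='1' -- ", "example.org"))
```

The OR payload neutralises the remainder of the WHERE clause and returns every user; the UNION payload reads sqlite_master, i.e. whatever else the lookup account can see. The hardened lookup returns nothing for the same input because the value never becomes part of the SQL text. If the template must stay operator-editable, the placeholder has to become a bind marker (:username) rather than quoted text, which is what uses_text_substitution checks for.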
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.6
Vendor Advisory: https://github.com/Z-Hub/Z-Push/pull/161
Restart Required: Yes
Instructions:
1. Update Z-Push to version 2.7.6 or later.
2. Restart the Z-Push service (the web server or PHP-FPM pool serving it).
3. Verify the patch is applied by checking the installed version.
🔧 Temporary Workarounds
Disable IMAP_FROM_SQL_QUERY
Switch the From-address lookup away from SQL. IMAP_DEFAULTFROM selects which identity source the IMAP backend consults, and IMAP_FROM_SQL_QUERY is only used when it is set to 'sql'; using the default (username and domain) or the LDAP source removes the vulnerable code path.
Edit backend/imap/config.php and set: define('IMAP_DEFAULTFROM', ''); or define('IMAP_DEFAULTFROM', 'ldap');
This changes how sender addresses are resolved, so after restarting check that mail sent through Z-Push still carries the expected From address.
🧯 If You Can't Patch
- Reject or strictly allow-list the username before it reaches the SQL lookup (for example, only the characters valid in local mailbox names; quotes, semicolons and comment sequences have no place there)
- Deploy a WAF with SQL injection rules in front of the ActiveSync endpoint; treat it as a stopgap, since it only matches known payload patterns
🔍 How to Verify
Check if Vulnerable:
The installation is vulnerable if the Z-Push version is below 2.7.6 and backend/imap/config.php sets IMAP_DEFAULTFROM to 'sql' with IMAP_FROM_SQL_QUERY configured.
Check Version:
Check the installed Z-Push version (the ZPUSH_VERSION constant in the installation's version.php, or the version Z-Push reports in its log). Z-Push has no web admin interface; z-push-admin is a command-line tool.
Verify Fix Applied:
Confirm the Z-Push version is 2.7.6 or higher and that backend/imap/user_identity.php no longer splices the username into IMAP_FROM_SQL_QUERY as text (compare against the fix commit in the references).
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Failed authentication attempts with SQL-like patterns in username field
- Unexpected database access from Z-Push service account
Network Indicators:
- SQL injection payloads in authentication requests
- Unusual database connections from Z-Push server
SIEM Query (pseudo-syntax; adapt to your SIEM's query language, and expect noise from legitimate names containing apostrophes):
search 'username' AND ('UNION' OR 'SELECT' OR 'INSERT' OR 'DELETE' OR 'UPDATE' OR '--' OR ';' OR '/*') in authentication logs
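Added example (not part of the page or of Z-Push): a small triage script for the log and network indicators above. It decodes the username from a Basic Authorization header value, parses Apache combined-format access log lines (the %u field, which Apache writes even when the response is 401), and flags usernames containing SQL keywords or metacharacters. The log lines, addresses and credentials are constructed; the URL shape follows the usual Microsoft-Server-ActiveSync endpoint.

```python
"""Flag SQL-injection-looking usernames in Basic-auth requests and access logs (added example)."""
import base64
import re

# SQL keywords and metacharacters that have no business in a mailbox login name.
# Apostrophes do occur in a few legitimate names, so treat a hit as a triage signal.
SQLI_PATTERN = re.compile(r"(?i)(\b(union|select|insert|update|delete|drop)\b|--|;|/\*|')")

# Apache combined-format line. The third field (%u) is the Basic-auth user; it may contain
# spaces, so it is matched non-greedily up to the " [" that opens the timestamp (a username
# containing " [" would defeat this parser).
CLF_PATTERN = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>.+?) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - alice [12/Jul/2025:10:01:02 +0000] "POST /Microsoft-Server-ActiveSync?Cmd=Ping&User=alice&DeviceId=ABC123&DeviceType=iPhone HTTP/1.1" 200 13
198.51.100.7 - admin' -- [12/Jul/2025:10:02:45 +0000] "POST /Microsoft-Server-ActiveSync?Cmd=FolderSync&User=admin&DeviceId=X&DeviceType=Android HTTP/1.1" 401 381
198.51.100.7 - x' UNION SELECT 1,2,3 -- [12/Jul/2025:10:03:01 +0000] "POST /Microsoft-Server-ActiveSync?Cmd=FolderSync&User=x&DeviceId=X&DeviceType=Android HTTP/1.1" 401 381
203.0.113.9 - bob [12/Jul/2025:10:04:10 +0000] "OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1" 200 0
"""

# Constructed Authorization header value as a proxy or IDS would capture it.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"x' UNION SELECT 1,2,3 -- :hunter2").decode()


def suspicious_username(username):
    """True if the login name contains SQL keywords or metacharacters."""
    return bool(SQLI_PATTERN.search(username))


def username_from_basic(header_value):
    """Return the user part of a "Basic <base64>" Authorization value, or None if not Basic."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        creds = base64.b64decode(token, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, _password = creds.partition(":")
    return user


def scan_log(text):
    """Return (client ip, username, status) for every line whose %u field looks like SQLi."""
    hits = []
    for line in text.splitlines():
        m = CLF_PATTERN.match(line)
        if not m:
            continue
        user = m.group("user")
        if user != "-" and suspicious_username(user):
            hits.append((m.group("ip"), user, m.group("status")))
    return hits


if __name__ == "__main__":
    for ip, user, status in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} user={user!r}")
    print(repr(username_from_basic(SAMPLE_HEADER)))
```

Failed-auth lines (401) from one client with several distinct SQL-looking usernames in quick succession are the pattern to alert on; a single hit on an apostrophe is more likely a real name. The same suspicious_username check can be placed in front of the SQL lookup as the allow-list mentioned under "If You Can't Patch".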
🔗 References
- https://github.com/Z-Hub/Z-Push/blob/af25a2169a50d6e05a5916d1e8b2b6cd17011c98/src/backend/imap/user_identity.php%23L211C9-L214C25
- https://github.com/Z-Hub/Z-Push/pull/161
- https://github.com/Z-Hub/Z-Push/pull/161/commits/f981d515a35ac4c303959af21dce880a5db02786
- https://security.snyk.io/vuln/SNYK-PHP-ZPUSHZPUSHDEV-10908180
- https://xbow.com/blog/xbow-zpush-sqli/