CVE-2025-25064

CVE-2025-25064 is a SQL injection vulnerability (CWE-89) in the ZimbraSync Service SOAP endpoint of Zimbra Collaboration versions 10.0.x before 10.0.12 and 10.1.x before 10.1.4. The flaw arises from insufficient sanitization of a user-supplied parameter, enabling attackers to inject malicious SQL payloads. Published on 2025-02-03, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

Authenticated attackers with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By manipulating a specific parameter in requests to the SOAP endpoint, they can inject arbitrary SQL queries, allowing retrieval of email metadata and potentially broader database manipulation aligned with the high-impact CVSS metrics.

Zimbra's security advisories and release notes for versions 10.0.12 and 10.1.4 detail fixes for this vulnerability, recommending administrators upgrade affected installations to these patched releases as the primary mitigation. Further details are available in the Zimbra wiki security fixes sections and general security advisories.